EMC Navisphere Security
Version 6.X
ADMINISTRATOR’S GUIDE
P/N 069001124
REV A06

EMC Corporation
Corporate Headquarters: Hopkinton, MA 01748-9103
1-508-435-1000
www.EMC.com


Copyright © 2002, 2003 EMC Corporation. All rights reserved.

Published December, 2003

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

Trademark Information

EMC2, EMC, CLARiiON, Navisphere, and PowerPath are registered trademarks and Access Logix, EMC ControlCenter, MirrorView, SAN Copy, and SnapView are trademarks of EMC Corporation. All other trademarks used herein are the property of their respective owners.

Contents

Preface

Chapter 1 About Navisphere Security
    Terminology
    Introducing Navisphere Manager 6.X Security
        Authentication
        Authorization
        Privacy
        Audit
    Navisphere Manager 6.X Security Benefits
        Centralized User Account Management
        Single Login
        Strong Encryption
        Intrusion Protection
    Navisphere Management Environments
        Storage Management Software
        Using Navisphere 6.X With Storage Systems That Do Not Have Storage Management Server Software

Chapter 2 Planning for Security: Domains and User Accounts
    About Security Initialization States
    About Domains and User Accounts
        Initial Global Administrator Account
        Usernames and Passwords
        Domain High Availability Features
    Guidelines for Using Global and Local Accounts
    Security Planning Worksheets
        Domain Worksheets
        Portal Worksheet
        Global Account Worksheet
        Local Account Worksheet

Chapter 3 Setting Up and Maintaining Your Security System
    Starting a Manager Session
    Adding or Modifying a Domain
        Selecting or Changing a Master Node
        Configuring the Domain
    Removing a Storage System from a Domain
    Removing a Domain
    Adding, Modifying, or Deleting User Accounts
        Changing a Password
    Moving a Storage System to a Different Domain

Appendix A Comparing Manager 6.X and Manager 5.X Security
    Manager 5.X vs. Manager 6.X Security
        Authentication
        Authorization
        Privacy
        Audit

Appendix B Network Configurations
    Configuring Networks for Additional Security

Appendix C Customer Support
    Overview of Detecting and Resolving Problems
    Troubleshooting the Problem
    Before Calling the Customer Support Center
    Documenting the Problem
    Reporting a New Problem
    Sending Problem Documentation

Index


Preface

As part of an effort to improve and enhance the performance and capabilities of its product line, EMC from time to time releases revisions of its hardware and software. Therefore, some functions described in this guide may not be supported by all revisions of the software or hardware currently in use. For the most up-to-date information on product features, refer to your product release notes.

If a product does not function properly or does not function as described in this guide, please contact your EMC representative.

About This Manual

This guide describes the tasks for setting up domains and using the security features of EMC Navisphere Manager. Each major section includes introductory information and a general procedure for completing a task. This manual is not intended for use during the actual setup, configuration, and management of storage systems, so the steps in the procedures purposely do not include screen captures of the dialog boxes.

The introductory information and detailed steps for each procedure appear in the Navisphere Manager online help so you have the complete information available when you actually set up, configure, and manage storage systems, should you require help.

Audience

This guide is part of the Navisphere Manager documentation set, and is intended for use by the system administrator responsible for EMC Navisphere security. Readers of this guide are expected to be familiar with EMC Navisphere Manager.

How This Manual Is Organized

This manual contains three chapters, as follows:

Chapter 1     Introduces EMC security terms and features.
Chapter 2     Describes security states, domains, and user accounts, and ends with worksheets you can use to plan your security structure.
Chapter 3     Lists the steps needed to create domains and user accounts and to move a storage system from one domain to another.
Appendix A    Compares the security functions of Navisphere 5.X and Navisphere 6.X.
Appendix B    Describes security policies that require special network configurations.
Appendix C    Describes the EMC process for detecting and resolving software problems.

Related Documentation

EMC Navisphere Manager 6.X Administrator’s Guide (P/N 069001125)

EMC CLARiiON CX300, CX500 and CX700 Storage System Configuration Planning Guide (P/N 014003113)

EMC Storage Systems CX400-Series and CX600-Series Configuration Planning Guide (P/N 014003113)

EMC Storage Systems CX200-Series Configuration Planning Guide (P/N 014003115)

EMC FC4700 Storage System Configuration Planning Guide (P/N 014003016)

EMC Navisphere 6.X CLI Reference (P/N 014001038)

Conventions Used in This Guide

EMC uses the following conventions for notes, cautions, warnings, and danger notices.

A note presents information that is important, but not hazard-related.

CAUTION! A caution contains information essential to avoid data loss or damage to the system or equipment. The caution may apply to hardware or software.

Typographical Conventions

This manual uses the following format conventions:

This typeface    Indicates text (including punctuation) that you type verbatim, all commands, pathnames, filenames, and directory names. It indicates the name of a dialog box, field in a dialog box, menu, menu option, or button.

This typeface    Represents variables for which you supply the values; for example, the name of a directory or file, your username or password, and explicit arguments to commands.

This typeface    Represents a system response (such as a message or prompt), a file or program listing.

x > y    Represents a menu path. For example, Operations > Poll All Storage Systems tells you to select Poll All Storage Systems on the Operations menu.

[ ]    Encloses optional entries.

|    Separates alternative parameter values; for example: LUN-name | LUN-number means you can use either the LUN-name or the LUN-number.

Finding Current Information

The most up-to-date information about the EMC SAN Copy software is posted on the EMC Powerlink website. We recommend that you download the latest information before you start the SAN Copy software. If you purchased this product from an EMC reseller and you cannot access Powerlink, the latest product information should be available from your reseller.

To access EMC Powerlink, use the following link:

http://powerlink.emc.com

After you log in, select Support > Document Library and find the following:

◆ EMC Navisphere Manager 6.X Release Notes, P/N 085090645

◆ The latest version of this guide that is applicable to your software revision

◆ EMC Installation Roadmap for CX-Series and FC-Series Storage Systems, which provides a checklist of the tasks that you must complete to install your storage system in a storage area network (SAN) or direct attach configuration.

Where to Get Help

For questions about technical support and service, contact your service provider.

If you have a valid EMC service contract, contact EMC Customer Service at:

United States: (800) 782-4362 (SVC-4EMC)
Canada: (800) 543-4782 (543-4SVC)
Worldwide: (508) 497-7901

Follow the voice menu prompts to open a service call, then select CLARiiON Product Support.

Sales and Customer Service Contacts

For the list of EMC sales locations, please access the EMC home page at:

http://www.EMC.com/contact/

For additional information on the EMC products and services available to customers and partners, refer to the EMC Powerlink Web site at:

http://powerlink.EMC.com

Your Comments

Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications. Please send a message to [email protected] with your opinions of this guide.

Chapter 1 About Navisphere Security

The EMC Navisphere Manager 6.X security mechanism provides simple and flexible, yet robust and effective, methods for setting up secure domains and management accounts.

This chapter includes the following major sections:

◆ Terminology
◆ Introducing Navisphere Manager 6.X Security
◆ Navisphere Manager 6.X Security Benefits
◆ Navisphere Management Environments

Terminology

Table 1-1 Navisphere 6.X Terms That Relate to Security

Term
    Description

administrator (role)
    A person with privileges to access all administrative and management interfaces and data; to change a user's role; and to add or delete user accounts and storage systems from the domain. A global administrator can add, delete, or modify domain and global information. A local administrator can add, delete, or modify local user accounts.

client
    A host (computer or laptop) that has an Internet browser and connects to a storage application server via network. You use it to manage connected storage systems.

CX-Series, FC4700-Series storage systems
    CX-Series and FC4700-Series storage systems only.

domain
    In the context of EMC Navisphere 6.X, a group of storage systems and/or portal servers that you can manage from a single management application session. You can divide the storage systems into multiple domains as long as each storage system or portal is in only one domain.

global account
    A type of user account used for storage-system management. A global account has access to all storage systems in the domain.

local account
    A type of user account used for storage-system management. A local account has access only to the storage system on which the account creator was logged in when he or she created it.

Manager
    Either the Navisphere Manager application user interface (UI) or, in a security role, a person with privileges to view all management server data and perform all storage-system operations (such as binding LUNs), but who cannot add, modify, or delete user or domain information.

Monitor (role)
    A person with privileges to view all storage-system data, but who cannot add, modify, or delete information in the domain.

node
    Usually a server (HBA connection) or storage system (SP connection). In the context of Navisphere 6.X, a node is an SP in a current storage system. The master node maintains the master copy of global domain information and distributes it to all storage systems in the domain. A portal (see next) can also be a node.

pre-FC4700-series storage system
    A class of storage systems whose SPs do not have a network management connection: FC4500, FC5300, FC5500, and FC5700 storage systems.

portal
    A server or storage system through which you manage one or more storage systems using Navisphere 6.X. Generally the managed systems are legacy systems such as FC4500s and FC5300s.

provider
    Software that runs in the storage application server and provides management or monitor features.

security user role
    One of several different roles (privilege levels) assigned to storage-system management personnel. Each role can be local to one or more specific storage systems or global to all systems in the domain. For Navisphere security, the pre-defined roles are Administrator, Manager, and Monitor. For security to be effective, at least one global administrator account is required. Usually a system engineer creates this account after the storage system is installed and he or she initializes security.

security initialization states
    There are three security initialization states in Navisphere 6.X.
    • Uninitialized. This is how storage systems leave the factory.
    • Security initialized. This is an intermediate state. In this state, you can perform configuration commands on the storage system. A global administrator account exists for this system but it is not part of a storage domain.
    • Initialized. A storage system in this state is fully configured and part of a storage domain. Configuration access is completely restricted to authorized users.
    These states have meaning only in relation to global accounts. Local accounts remain valid until you explicitly delete them.

states
    See security initialization states.

storage application server
    A storage system that has both the Navisphere Manager UI and Storage Management Server software. You can log in to it and manage other storage systems in the same domain.

storage domain
    See domain.

storage management server
    A storage-system SP that has Storage Management Server software but not the Navisphere Manager UI installed.

Storage Management Server Software
    Software that runs in a storage system or portal server and lets a person manage it over a network.

system
    See storage management server.

Introducing Navisphere Manager 6.X Security

EMC Navisphere Manager 6.X security consists of four basic functions: authentication, authorization, privacy, and audit. The following sections briefly describe how Navisphere 6.X implements these functions. For a more complete description, see Appendix A, Comparing Manager 6.X and Manager 5.X Security.

Authentication

Navisphere Manager 6.X security uses password-based authentication that is implemented by the Storage Management Server software installed on each storage system in the domain. You will assign a username and password when you create either global or local user accounts. Global user accounts apply to all storage systems within a domain, while local user accounts apply to a specific storage system.

Authorization

Manager 6.X security bases authorization on the role associated with the authenticated user. Manager 6.X supports three basic roles: administrator, manager, and monitor. All users can monitor the status of a storage system. In addition, users with the manager role can configure a storage system, and users with the administrator role can maintain user accounts as well as configure a storage system.

Privacy

Manager 6.X security encrypts all data that passes between the browser and a storage management server as well as data that passes between storage management servers. This encryption protects the transferred data whether it is on local LANs behind corporate firewalls, or over the Internet.

Audit

Manager 6.X maintains an SP event log that contains a time-stamped record for each event. This record includes information such as event code and event description. Manager 6.X also adds time-stamped audit records to the SP event log each time a user logs in or enters a request. These records include information about the request and the requestor.

Navisphere Manager 6.X Security Benefits

The enhanced security features of Navisphere Manager 6.X provide the following benefits:

◆ Centralized user account management

◆ Single login

◆ Strong encryption

◆ Intrusion protection

Centralized User Account Management

Manager 6.X supports centralized user account management through the use of global user accounts. Centralized user account management lets you manage user accounts from a single location. When you create or change a global user account, or add a new storage system to the domain, Manager 6.X automatically distributes the global account information to all storage systems in the domain. Centralized management provides the following:

◆ Allows you to manage a storage system from any browser-equipped client without the need to pre-install any software or hardware.

◆ Gives geographically dispersed data centers more flexibility in scheduling staff to manage the sites at the required times.

Single Login

Single login lets users access any storage system in a managed domain through a single authentication. They do not need to re-enter their usernames and passwords each time they access a different storage system. Manager 6.X supports single login for the same manager session by:

◆ Distributing global user account information to all storage management servers in the domain.

◆ Caching the last-entered username and password and using the inherent authentication capabilities of HTTP.

Once cached, Manager places the username and password in the authentication header of each HTTP request that is sent by the browser, even when the request is targeting a different storage system. When the new storage system receives the HTTP request, Manager extracts the username and password from the authentication header, and compares them to the locally stored global account information. Since the locally stored global account information is the same for all storage management servers in the management domain, a match exists, and Manager authenticates the request. You now have access to the new storage system.
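The single-login flow described above, combined with the role check from the Authorization section, as an added Python example that is not EMC or Navisphere code. It assumes the HTTP Basic scheme and salted PBKDF2 password storage, neither of which the guide specifies; the class, operation, account, and node names are hypothetical.

```python
import base64
import hashlib
import hmac
import os

# Roles are from the guide; the operation names are hypothetical.
ROLE_RANK = {"monitor": 1, "manager": 2, "administrator": 3}
REQUIRED_ROLE = {"view_status": "monitor", "bind_lun": "manager", "add_user": "administrator"}


def make_record(password, role):
    """Assumption: passwords are kept as salted PBKDF2 hashes (the guide does not say)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), role


def parse_basic_header(value):
    """Return (username, password) from an HTTP Basic header, or None if malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers invalid base64 and invalid UTF-8
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep and username else None


class StorageNode:
    """One storage management server: a replica of global accounts plus its own local ones."""

    def __init__(self):
        self.global_accounts = {}
        self.local_accounts = {}

    def add_local_account(self, username, password, role):
        self.local_accounts[username] = make_record(password, role)

    def handle_request(self, headers, operation):
        """Authenticate, then authorize, one management request; returns an HTTP-style status."""
        creds = parse_basic_header(headers.get("Authorization", ""))
        if creds is None:
            return 401
        username, password = creds
        record = self.global_accounts.get(username) or self.local_accounts.get(username)
        # Hash even for unknown users so response time does not reveal valid usernames.
        salt, stored, role = record or (b"\0" * 16, b"", None)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if record is None or not hmac.compare_digest(candidate, stored):
            return 401
        if ROLE_RANK[role] < ROLE_RANK[REQUIRED_ROLE[operation]]:
            return 403
        return 200


class Domain:
    """Master copy of the global accounts, distributed to every member node."""
    def __init__(self, nodes):
        self.nodes = nodes
        self.global_accounts = {}

    def add_global_account(self, username, password, role):
        self.global_accounts[username] = make_record(password, role)
        for node in self.nodes:  # push the updated table to all storage systems
            node.global_accounts = dict(self.global_accounts)


class ManagerSession:
    """Client side: caches the last-entered credentials and attaches them to every request."""
    def __init__(self, username, password):
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}"}

    def request(self, node, operation):
        return node.handle_request(self.headers, operation)


def run_demo():
    """Constructed two-node domain: one global manager account, one local monitor account."""
    array_1, array_2 = StorageNode(), StorageNode()
    domain = Domain([array_1, array_2])
    domain.add_global_account("ops", "constructed-pw-1", "manager")
    array_1.add_local_account("viewer", "constructed-pw-2", "monitor")
    ops = ManagerSession("ops", "constructed-pw-1")
    viewer = ManagerSession("viewer", "constructed-pw-2")
    return {
        "ops_bind_lun": (ops.request(array_1, "bind_lun"), ops.request(array_2, "bind_lun")),
        "ops_add_user": ops.request(array_1, "add_user"),
        "viewer_view": (viewer.request(array_1, "view_status"), viewer.request(array_2, "view_status")),
        "wrong_password": ManagerSession("ops", "guess").request(array_2, "view_status"),
        "no_header": array_1.handle_request({}, "view_status"),
    }
```

The cached password travels in every request, and Base64 is an encoding rather than encryption, so this scheme depends on the encrypted transport that the Privacy section describes.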

Strong Encryption

Manager 6.X security uses strong encryption to protect data passed between the browser and the storage system. The strong encryption keeps sensitive information private on both sides of the corporate firewall by encrypting the data from its origin (the browser) to its destination (the storage system).

Manager 6.X security protects transactions that originate outside the corporate infrastructure as well as those that are local.

Intrusion Protection

Another aspect of Internet security is the vulnerability of the web server. A web server is vulnerable for three reasons.

◆ It is a comprehensive application that supports various services.

◆ It is widely distributed.

◆ It is usually distributed with unobstructed access.

To provide support for management from a browser, some web server functionality is built into the Storage Management Server software. This software limits server services to the very basics necessary for specifically supporting Manager 6.X functionality.

The Storage Management Server software web services are proprietary and distributed only with Navisphere products. As a result, the well-known vulnerabilities of other web servers cannot be exploited.

Navisphere Management Environments

You can assign each storage system that runs Storage Management Server software to a storage domain, a group of storage systems on the Internet or intranet you define using Manager.

You can create one or more domains for any installation. Each storage management server can be defined in only one domain. Each domain must have at least one member node — ideally at least two for high availability — that has Manager installed.

Each storage system in the domain is accessible from any other in the domain. Log in to a computer that has an Internet browser and, in the browser window, enter the IP address of a storage-system SP that has Navisphere Manager installed. The security software then prompts you to log in. After logging in, depending on the privileges of your account, you can monitor, manage and define user accounts for any system in the domain. Storage systems outside the domain are not viewable from the domain.

The web browser can run on any supported workstation or laptop with a network controller and the required version of the Java Runtime Environment (JRE). See the Release Notes for the required version.

The following figure shows an intranet that connects nine storage systems. It shows two domains, a US Division domain with five storage systems (four systems on SANs) and a European Division domain with four storage systems. The 13 servers that use the storage may be connected to the same or a different network, but the intranet shown is the one used to manage the storage systems.

Figure 1-1 Storage Domains on the Internet

[Figure not reproduced. Labels: Internet Browser, Internet, Domain 1 - U.S. Division, Domain 2 - European Division, Server, Switch Fabric, Storage System.]

Storage Management Software

Storage-system software consists of two pieces: server software and application software. Both are installed in storage-system SPs. The server software provides the basis for domain and storage-system management. Application software - that is, Manager - is downloaded and run within a browser and passes commands to the server software.

The server software is called Storage Management Server software. A storage system running Storage Management Server software is called a storage management server. A storage system that also includes Manager is called a storage application server.

You can use any storage application server to set up and maintain user accounts for people who will manage and/or monitor storage systems in the domain.

You access Manager using an Internet browser running on a computer called a client on a network connected to the storage application server.

The following figure shows several servers connected to storage systems: one storage system that is a storage application server -- with Manager -- and two storage systems that are just storage management servers.

Figure 1-2 Navisphere Management Application and Storage Management Server Storage Systems

[Figure not reproduced. Labels: Internet Browser, LAN, Management Interface, UNIX Server, Windows Server, Host Agent, Fibre Channel Switch Fabrics, Domain, CX-Series or FC4700-Series Storage Systems, SP A and SP B, Access Logix, SP Agent, Storage Management Server Software, Manager 6.X.]

Using Navisphere 6.X With Storage Systems That Do Not Have Storage Management Server Software

Some storage systems do not run Storage Management Server software. These storage systems are referred to as legacy storage systems. Examples of legacy storage systems are FC4500s and FC5300s.

You can manage legacy storage systems using Navisphere 6.X via a portal. A portal can be a host or storage system with Storage Management Server software installed. From a security viewpoint, the portal and its subsidiary storage systems are treated as a single node in a domain. Manager 6.X authorization extends to all legacy storage systems being managed via a portal. For example, if a user is defined as having a manager role, then that user has manager role access privileges on all legacy systems being managed by that portal. Any server used as a portal must run Windows 2000 or Windows NT.

For more information on portals, see the EMC Navisphere Manager Version 6.X Administrator’s Guide, P/N 069001125, or the online help.

Figure 1-3 shows a three-node domain, with one node composed of an FC5300 and FC4500 storage system (managed through a portal) and other nodes that are CX600 and FC4700 systems, each with Storage Management Server software.

Page 19: EMC Navisphere Security - Dell · EMC Corporation Corporate Headquarters : Hopkinton, MA 01748 -9103 1-508 -435 -1000  EMC Navisphere Security Version 6.X ADMINISTRATOR’S GUIDE

Navisphere Management Environments 1-11

About Navisphere Security

Figure 1-3 Sample Installation with a Three-Node Domain Including a Windows Portal and Two Storage Systems That Do Not Run Storage Management Server Software

[Figure 1-3 diagram. Labels recovered from the figure: LAN; management network connection; Internet browser; UNIX and Windows servers running Host Agents; Windows Server Portal; Fibre Channel switch fabrics; Storage Management Server software; Manager 6.X; SP Agent; and a domain containing CX-Series*, FC4700-Series*, FC4500**, and FC5300** storage systems, each with SP A and SP B and Access Logix.]

* Manageable by any connected internet browser, including one run from the UNIX or Windows servers.

** These storage systems are managed via Host Agents through the Windows Server Portal. From the security standpoint, these systems are treated as a single node in a domain.

What Next? Continue to the next chapter to learn about domains and user accounts.


Chapter 2 Planning for Security: Domains and User Accounts

This chapter describes the concepts you need to plan and implement efficient and effective security for your storage-system installation.

Major sections are

◆ About Security Initialization States
◆ About Domains and User Accounts
◆ Guidelines for Using Global and Local Accounts
◆ Security Planning Worksheets


About Security Initialization States

A storage system can be in any of three security initialization states:

◆ uninitialized

◆ security initialized

◆ initialized

The following table explains these states.

Table 2-1 Security Initialization States

State: Uninitialized
Details: The storage system does not belong to any domain. No global users are defined. The system is very vulnerable in this state since all configuration requests are processed without any security checks. Systems should be in the uninitialized state during configuration or reconfiguration only.
When active: A storage system is in this state when it leaves the factory. A system returns to this state when removed from a domain.
How to get to next state: Create a global user account.

State: Security Initialized
Details: In this state a global user exists and can log in to and configure the storage system. This state offers some protection as other users cannot directly log in to the system and perform unauthorized operations. The system is ready to be added to an existing or new domain. Since the system can be imported into any existing domain, it is somewhat vulnerable. The system should be added to a domain as soon as possible to be protected.
When active: Systems are in this state right after security is initialized. They remain in this state until they are added to a domain.
How to get to next state: Add the storage system to a domain.

State: Initialized
Details: In this state the system is a member of a domain and fully protected. Any user who can log in to any storage system in the domain can manage and/or monitor this system (depending on the person’s role: administrator, manager, or monitor). This is the normal state for configured systems. You can return a system to the Uninitialized state by removing it from its domain. This removes all global user accounts and makes the system fully accessible to anybody until it has been initialized again.
When active: Systems are in this state after security is initialized and they are members of a domain.


About Domains and User Accounts

A domain is a group of one or more storage systems with Storage Management Server software whose SPs are connected to a network and which have been assigned to the domain by Manager.

Each domain has a master node (master storage system) that maintains the master copy of the domain data — the storage systems and global accounts that make up the domain.

Setting up a domain allows a group of storage systems to be monitored and managed using a single login. If a storage system is not part of a domain, an administrator can add it to a different domain. Even if you plan to use a storage system by itself (manage it separately), we suggest that you create a domain for that system.

A user (that is, someone who needs to view or manage storage-system operation) can have one of three roles:

◆ Administrator
◆ Manager
◆ Monitor

Any access privileges of a user account that apply to a portal storage system also extend to all legacy storage systems managed through the portal. For example, if you define a user with manager role privileges for the portal system, then that user has manager role privileges on all legacy systems being managed via the portal.

Table 2-2 User Account Roles and Privileges

User Role: Definition

Administrator: The user can access all administrative and management interfaces and data, can change a user’s role, can add or delete users, and, depending on the scope of the account, can add or delete information from a domain.

Manager: The user can view all storage-system information and perform storage-system operations (such as binding LUNs), but cannot add, modify, or delete user or domain information.

Monitor: The user can view all storage-system information, but cannot add, modify, or delete information from a domain or perform configuration operations such as binding LUNs.


You can assign a user a role globally (the user has the role across all storage systems in the domain) or locally (the user has the role on a specific storage system only). Each global username must be unique in the domain; each local username must be unique within the local management server.

If a user has a local account with the same username and password on two storage systems in a domain, when that person logs in he or she will see the two storage systems on which the accounts were created.

To allow communication, each local user must have an account on a storage system that has Manager installed in addition to any local accounts on other storage systems. The account on the Manager system must have the same username and password (but not necessarily the same role) as any other local accounts.

An important benefit of local accounts is that you can assign the same person different privilege levels on different systems. For example, a domain has System A with Manager and System B without Manager. You want Sam to have administrative access to System B only. You can give Sam a local account with monitor access on System A and a local account with administrative privileges on System B. Sam can then log in to System A and use its Manager to manage System B. He cannot change System A, since he has only Monitor access.

The following table defines the roles.

Table 2-3 Operations that Users with Different Roles Can Perform

Anyone logged in as: Global administrator
Can view: All domain and storage-system settings, and global and local accounts. Note that local accounts on a storage system can be viewed only when one is logged in to that storage system.
Can add, modify, or delete: All domain and storage-system settings, and global and local accounts (but cannot delete the last global administrator account)

Anyone logged in as: Local administrator
Can view: Local management-server storage-system settings and local user accounts.
Can add, modify, or delete: Local storage-system settings and local user accounts

Anyone logged in as: Global Manager
Can view: All management-server storage-system settings in domain
Can add, modify, or delete: All storage-system settings in domain

Anyone logged in as: Local Manager
Can view: Local management-server storage-system information
Can add, modify, or delete: Local storage-system settings

Anyone logged in as: Global Monitor
Can view: All storage-system settings and accounts in domain.
Can add, modify, or delete: Nothing

Anyone logged in as: Local Monitor
Can view: Local storage-system settings and accounts in domain.
Can add, modify, or delete: Nothing
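The scope and role rules in Tables 2-2 and 2-3, the portal rule, and the Sam scenario described earlier in this section can be expressed as a small access model. This is an added Python example, not EMC code: the class names, operation labels, and sample domain are constructed, and local accounts with the same username are assumed to share a password.

```python
from dataclasses import dataclass, field
from typing import Optional

# Changes each role may make on a system it can reach (Tables 2-2 and 2-3).
# Viewing is allowed for every role, so it is not listed here.
ROLE_CAN_CHANGE = {
    "administrator": {"storage_settings", "local_accounts"},
    "manager": {"storage_settings"},
    "monitor": set(),
}
# Domain-wide data: only a global administrator may change it.
GLOBAL_ADMIN_ONLY = {"global_accounts", "domain_settings"}


@dataclass(frozen=True)
class Account:
    username: str
    role: str                     # "administrator", "manager" or "monitor"
    system: Optional[str] = None  # None for a global account, else the owning node


@dataclass
class Domain:
    # node name -> legacy systems managed through it when the node is a portal
    nodes: dict
    accounts: list = field(default_factory=list)

    def node_of(self, target):
        """A portal and its legacy systems count as one node for security."""
        for node, legacy in self.nodes.items():
            if target == node or target in legacy:
                return node
        raise KeyError(f"{target} is not in this domain")

    def role_on(self, username, scope, target):
        """Role this login holds on target, or None when target is not reachable."""
        node = self.node_of(target)  # raises for systems outside the domain
        owner = None if scope == "global" else node
        for acct in self.accounts:
            if acct.username == username and acct.system == owner:
                return acct.role
        return None

    def visible_systems(self, username, scope):
        """Systems shown after login: the whole domain for global scope,
        otherwise only the nodes that hold a matching local account."""
        shown = []
        for node, legacy in self.nodes.items():
            if self.role_on(username, scope, node) is not None:
                shown += [node, *legacy]
        return sorted(shown)

    def can(self, username, scope, target, operation):
        """True if this login may perform operation on target."""
        role = self.role_on(username, scope, target)
        if role is None:
            return False
        if operation == "view":
            return True
        if operation in GLOBAL_ADMIN_ONLY:
            return scope == "global" and role == "administrator"
        return operation in ROLE_CAN_CHANGE[role]


# Constructed sample: System_A and System_B follow the Sam scenario, and
# Portal_P manages two legacy systems.
SAMPLE = Domain(
    nodes={"System_A": [], "System_B": [], "Portal_P": ["FC4500_1", "FC5300_1"]},
    accounts=[
        Account("Paul", "administrator"),             # global account
        Account("Sam", "monitor", "System_A"),        # local, on the Manager system
        Account("Sam", "administrator", "System_B"),  # local
        Account("Kim", "manager", "Portal_P"),        # local, on the portal
    ],
)

if __name__ == "__main__":
    print(SAMPLE.visible_systems("Sam", "local"))
    print(SAMPLE.can("Sam", "local", "System_B", "storage_settings"))
    print(SAMPLE.can("Kim", "local", "FC4500_1", "storage_settings"))
```

The portal entry shows why a role granted on a portal deserves the same review as a role granted on every legacy system behind it.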


Initial Global Administrator Account

After installing Manager on a storage system or server, someone (an EMC engineer or you) creates one or more global administrator accounts, complete with username and password. After being created, at least one global administrator account persists; that is, no one can delete the last remaining global administrator account.

Usernames and Passwords

Usernames can be 1 to 32 letters (case sensitive), numbers, and/or underscores, and must start with a letter.

Passwords can be 1 to 32 letters (case sensitive) and/or numbers.

Manager stores all global account information in a secure part of the master node. The software then replicates global data to all management-server storage systems in the domain. Therefore the global security accounts are available on all storage systems.

Important If the person who manages a storage-system installation cannot log in as a global administrator (perhaps because he or she forgot the password), then global management of the domain will be impossible. Any local administrators and managers retain their local management privileges. However, EMC support will need to recreate a global administrative account. You should make sure that people who will manage the system keep a good record of this password.

Domain High Availability Features

All domain and global/account information is replicated to all management servers in the domain, so if a storage system goes off line, the information is retained and other systems in the domain remain accessible.

If the storage system that goes off line is the master node, you can still log in using a global account, but you cannot create or modify any global data until you choose a new master or the storage system comes back on line. Global data includes the following:

◆ User accounts

◆ Domain configurations

◆ Event Monitor templates


Guidelines for Using Global and Local Accounts

Global accounts streamline management because their information is copied automatically to all storage systems in the domain. However, you can achieve the same security level by creating a local account, with the same username and password, on all storage systems in the domain.

Creating local accounts has the advantage of letting you give access to a subset of the storage systems in the domain; for example, in a domain of four systems, you can give a specific person access to only two. One disadvantage of many local accounts is maintenance: if you want to change a user’s role, you must make the change on all pertinent local accounts. Similarly, if you add a storage system to a domain, you must explicitly add the local account. A global account would be replicated automatically to the new storage system.

The following figures show two arrangements: one with two domains, each with a global administrator; the other with one domain and two administrators, each administrator controlling four local accounts. For clarity, the figures omit the servers.


Figure 2-1 Two Domains with Two Global Administrator Accounts

[Figure 2-1 diagram, with an Internet label. Domain 1 - US Division contains Storage Systems A, B (with Manager), C, and D, each showing the US global admin Paul. Domain 2 - European Division contains Storage Systems M, N (with Manager), O, and P, each showing the Europe global admin Rene.]

Figure 2-2 Single Domain with Two Sets of Four Local Administrator Accounts

[Figure 2-2 diagram, with an Internet label. A single domain contains Storage Systems A, B (with Manager), C, and D, each showing the US local admin Paul, and Storage Systems M, N (with Manager), O, and P, each showing the Europe local admin Rene.]


Security Planning Worksheets

The worksheets shown in this section will help you plan your domains and user accounts.

Domain Worksheets

For each domain you plan, enter the domain name, all storage system names that will be part of the domain, and the node (SP A or SP B) IP address in Table 2-4. A sample completed worksheet for the domains is shown in Table 2-5.

You must always remove a storage system from the domain before changing the IP address.

Table 2-4 Domain Worksheet

Domain Name | Storage System Name | Node (SP A or SP B) IP address (you need to specify only one SP per storage system)


Table 2-5 Sample Domain Worksheet

Domain Name | Storage System Name or Server Portal Hostname | Node (SP A or SP B) IP address (you need to specify only one SP per storage system)
US_Division | Storage_system_A | 111.222.333.444 (SP A)
US_Division | Storage_system_B | 111.222.333.555 (SP A) with Manager - Master Node
US_Division | Storage_system_C | 111.222.333.666 (SP A)
US_Division | Storage_system_D | 111.222.333.777 (SP A)
Europe_Division | Storage_system_M | 222.222.333.655 (SP A)
Europe_Division | Storage_system_N | 222.222.333.670 (SP A) with Manager - Master Node
Europe_Division | Storage_system_O | 222.222.333.754 (SP A)
Europe_Division | Storage_system_P | 222.222.333.856 (SP A)


Portal Worksheet

In a domain, a server or storage system can serve as a portal to storage systems that do not run Storage Management Server software. A blank portal worksheet is shown in Table 2-6.

Table 2-6 Portal Worksheet

Server Portal IP Address | Hostname or IP Address of Server whose Storage Systems will be Managed via Portal


Global Account Worksheet

For every global account you plan, enter in Table 2-7 the domain name, the person’s username, and the role that he or she will have in the domain. Additional global accounts are optional; you can use the initial global account for all administrative functions if you want.

Table 2-7 Global Account Worksheet

Global Accounts for Domain:_______________

Username:______________ ❏Administrator ❏Manager ❏Monitor

Username:______________ ❏Administrator ❏Manager ❏Monitor

Username:______________ ❏Administrator ❏Manager ❏Monitor

Username:______________ ❏Administrator ❏Manager ❏Monitor

Local Account Worksheet

For every local account you plan, enter in Table 2-8 the domain name, the person’s username, and the role that he or she will have in the domain. Local accounts are optional; you do not need to create any.

Table 2-8 Local Account Worksheet

Local Accounts for Domain:_______________

Storage System:_________________

Username:______________ ❏Administrator ❏Manager ❏Monitor

Username:______________ ❏Administrator ❏Manager ❏Monitor

Username:______________ ❏Administrator ❏Manager ❏Monitor

Username:______________ ❏Administrator ❏Manager ❏Monitor

Storage System:_________________

Username:______________ ❏Administrator ❏Manager ❏Monitor

Username:______________ ❏Administrator ❏Manager ❏Monitor

Username:______________ ❏Administrator ❏Manager ❏Monitor

Username:______________ ❏Administrator ❏Manager ❏Monitor
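A completed set of worksheets can be checked against the rules this chapter states before anyone creates accounts. The following Python check is an added example, not part of the guide or of Navisphere: the plan layout, function name, and sample users are assumptions, the valid sample addresses are constructed from the 192.0.2.0/24 documentation range, and the one invalid address is the placeholder printed in Table 2-5.

```python
import copy
import ipaddress
import re

# Username rule from the guide: 1 to 32 letters, numbers and/or underscores,
# starting with a letter (letters are case sensitive).
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]{0,31}")
ROLES = {"administrator", "manager", "monitor"}


def lint_plan(plan):
    """Return a list of findings for one domain's worksheets (empty list = clean)."""
    findings = []
    systems = plan["systems"]

    # Each domain has one master node holding the master copy of the global data.
    masters = [name for name, s in systems.items() if s.get("master")]
    if len(masters) != 1:
        findings.append(f"domain: expected exactly one master node, found {len(masters)}")

    # One SP address per storage system; it must parse and must not be reused.
    seen = {}
    for name, s in systems.items():
        try:
            ip = ipaddress.ip_address(s["ip"])
        except ValueError:
            findings.append(f"{name}: {s['ip']!r} is not a valid IP address")
            continue
        if ip in seen:
            findings.append(f"{name}: {ip} is already assigned to {seen[ip]}")
        seen.setdefault(ip, name)

    def check_accounts(where, accounts):
        """Check names and roles in one list; usernames must be unique within it."""
        names = set()
        for username, role in accounts:
            if not USERNAME_RE.fullmatch(username):
                findings.append(f"{where}: username {username!r} breaks the naming rule")
            if role not in ROLES:
                findings.append(f"{where}: {username!r} has unknown role {role!r}")
            if username in names:
                findings.append(f"{where}: username {username!r} is listed twice")
            names.add(username)
        return names

    check_accounts("global", plan["global_accounts"])
    # Without a usable global administrator the domain cannot be managed globally.
    if not any(role == "administrator" for _, role in plan["global_accounts"]):
        findings.append("global: no global administrator account is planned")

    # Every local user also needs a local account on a system that has Manager.
    local_users, manager_users = {}, set()
    for system, accounts in plan["local_accounts"].items():
        if system not in systems:
            findings.append(f"local: {system!r} is not on the domain worksheet")
            continue
        local_users[system] = check_accounts(f"local/{system}", accounts)
        if systems[system].get("manager"):
            manager_users |= local_users[system]
    for system, names in local_users.items():
        for username in sorted(names - manager_users):
            findings.append(
                f"local/{system}: {username!r} has no local account on a system with Manager")
    return findings


# Constructed sample plan that satisfies every check.
GOOD_PLAN = {
    "systems": {
        "Storage_system_A": {"ip": "192.0.2.10", "manager": False, "master": False},
        "Storage_system_B": {"ip": "192.0.2.11", "manager": True, "master": True},
    },
    "global_accounts": [("Paul", "administrator"), ("Ops_1", "monitor")],
    "local_accounts": {
        "Storage_system_A": [("Sam", "administrator")],
        "Storage_system_B": [("Sam", "monitor")],
    },
}

# The same plan with four planning mistakes introduced.
BAD_PLAN = copy.deepcopy(GOOD_PLAN)
BAD_PLAN["systems"]["Storage_system_A"]["ip"] = "111.222.333.444"  # Table 2-5 placeholder
BAD_PLAN["global_accounts"] = [("9lives", "manager")]               # bad name, no administrator
BAD_PLAN["local_accounts"]["Storage_system_A"].append(("Lee", "manager"))  # no Manager-side account

if __name__ == "__main__":
    for finding in lint_plan(BAD_PLAN):
        print(finding)
```

The check compares usernames only; the guide also requires the password of the Manager-side local account to match, which a planning document should not record.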


Chapter 3 Setting Up and Maintaining Your Security System

This chapter describes tasks involved in setting up your Navisphere security system. Major sections are

◆ Starting a Manager Session
◆ Adding or Modifying a Domain
◆ Removing a Storage System from a Domain
◆ Removing a Domain
◆ Adding, Modifying, or Deleting User Accounts
◆ Moving a Storage System to a Different Domain


Starting a Manager Session

This section explains starting a Navisphere Manager session.

Before starting a session, make sure that all storage systems you want to manage with this session are powered up.

1. Log in to a computer that is running a supported browser and Java Runtime Environment (JRE).

2. Start the browser.

3. In the browser, enter the IP address of a storage management server SP or Windows portal that has Manager installed.

The software displays a dialog box that requests your username, password, and scope (local or global) under which you want to log in. If you know the username and password of a valid account, go to step 4.

If no global administrator account exists, the software displays the message Security not initialized and asks if you want to initialize it, that is, if you want to create a global administrator account. Continue with this step.

a. Answer Yes.

The software asks for a username.

b. Define a username (1 to 32 letters (case sensitive), numbers, and/or underscores, must start with a letter).

The software asks for a password.

c. For Password, enter 1 to 32 characters, including letters (case sensitive) and/or numbers.

Important – If the person who manages a storage-system installation cannot log in as a global administrator (perhaps because he or she forgot the password), then global management of the domain will be impossible. Any local administrators and managers retain their local management privileges. However, EMC support will need to recreate a global administrative account. So you should make sure that people who will manage the system keep a good record of the username and password.

d. Click OK.

e. From the File menu, select Log In.


4. Enter the username and password for the account and select the scope.

The Enterprise Storage Window opens and the software displays an icon for each storage system you are entitled to access. If you logged in to an account with a global scope, it displays icons for all storage systems in the domain.

What Next? Continue to the next section to learn about adding domains and user accounts.


Adding or Modifying a Domain

To add or modify a domain, you must be logged in to a global administrator account. All storage systems that you want to add to (or remove from) the domain must be running the Storage Management Server software.

If you completed the domain worksheet in Chapter 2, you can use that information when you configure your domain.

In order to change a storage system’s IP address, you must remove the storage system from the domain.

Selecting or Changing a Master Node

Before configuring a domain, you should select a master node for it. The master node (the SP you designate) holds the master copy of all global information in the domain. This information will be copied to all member nodes in the domain. If there is any discrepancy between node information, the information on the master is considered the correct version.

If there is already a master node and you define a new one, the old master node will be automatically demoted.

1. Log in to a global account as explained in the previous section.

The Enterprise Storage Window opens and the software displays an icon for each storage system in the domain.

2. On the File menu, click Setup Domain and then click Select Master to open the Select Master dialog box.

3. In Master Node IP Address, either enter the IP address for the node you want to be the master node; or, from Available Nodes, select a node from the list defined in the domain directory.

If this is a first-time installation, Master Node IP Address displays the IP address of the node that the browser is pointing to, and there are no nodes listed in Available Nodes.

4. Click Apply or OK to make the node you selected the master node.


Configuring the Domain

You can change the name of the domain, and add other storage systems to the domain, as follows:

1. On the File menu, click Set Up Domain and then click Configure Domain.

The Configure Domain dialog box opens and displays a default domain name.

2. To change the name of the domain, click Change next to Domain Name.

3. Replace the default domain name with the name you want.

A domain name can consist of letters and numbers only. While multiple domains can have the same name, we recommend that you give them unique names to distinguish them from one another.

4. To search subnets for storage systems you want to add to the domain, under Scan Subnets, in the Subnets To Add box, enter the IP address of the subnet that you want to search, and click >.

The IP address moves to the Subnets To Scan box.

To remove selected subnets from Subnets To Scan, click the subnet you want to delete and then click Clear.

5. Repeat step 4 until Subnets To Scan contains all subnets you want to scan, and then click Scan.

To stop the scan at any time, click Stop Scan.

The application starts searching the subnets for any management servers that are not already part of a domain. When it finds any unassigned management servers, it displays them in Available Systems.

6. From the Available Systems list, click the systems you want to include in the domain, and click >.

The selected systems move into Selected Systems.

7. If you know the IP address of a system you want to include in the domain, enter the IP address for the system in IP Address of System, and then click >.


Normally, the IP address will be that of an SP, but if you want to use a Windows host as a server portal to manage legacy storage systems, specify that server’s IP address. The server must have storage management server software installed.

This moves the system into Selected Systems.

8. When Selected Systems contains all the systems you want to include in the domain, click OK or Apply.

To add portals, see the EMC Navisphere Manager online help or the Navisphere Manager 6.X Administrator’s Guide chapter on managing legacy and NAS storage systems.

After you finish configuring, the application does the following:

◆ updates the master node to include the newly added systems.

◆ from the master node, distributes the updated domain configuration to all other systems in its domain.

You have selected a master node and/or configured a domain. To change the master and/or reconfigure the domain, repeat the pertinent steps.

What Next? If you have any storage systems such as FC4500 or FC5300 that cannot run Storage Management Server software, assign these storage systems to a portal system.

Assigning Storage Systems to a Storage System Portal or Host Portal

If any of the storage systems you added to the domain will act as a portal (that is, it will pass management commands to storage systems such as FC4500s that do not have Storage Management Server software), then you should assign those systems to be portals as explained in the Manager Administrator’s guide. The same applies to any host portal that will pass management commands to such storage systems.

You can use the worksheet on page 2-10 for the portal information.


Removing a Storage System from a Domain

Removing a storage system from a domain deletes its domain information and all global account information; however, any local accounts remain usable.

If the storage system is a portal (that is, it has been set up with Manager to manage storage systems that do not have Storage Management Server software), then you must remove each such system from the portal list using the Manager Portal Configuration dialog box. That dialog box will let you remove all such systems in one step. You can then remove the portal from the domain. For more information on portals, refer to the EMC Navisphere Manager 6.X Administrator’s Guide, P/N 069001125.

The storage system may be the only one in the domain. In this case the domain is automatically deleted after the storage system is removed. You will then need to re-initialize security; that is, point your web browser at the storage system, answer Yes to the Initialize Security prompt, and create a Global Administrator account for the new domain (refer to Starting a Manager Session on page 3-2).

If the storage system you want to remove is the master node in the domain, and you want to retain the domain, then you should change the master node to another system in the domain before removing the old master (refer to Selecting or Changing a Master Node on page 3-4).

To remove a storage system from a domain, follow these steps:

1. Log in to a storage application server in the desired domain, using a global administrator account.

2. On the File Menu, select Set Up Domain > Configure Domain.

The Configure Domain dialog box appears.

3. In the Configure Domain dialog box, select the IP addresses of an SP in the storage system you want to remove. (The addresses appear on a single line so you must select them together.)

4. Move the system from Selected Systems to Available, and click OK.

You have removed the storage system from the domain. By removing it, you also removed all its global security information, and it remains vulnerable to anyone who wants to add it to a domain or initialize security on it.


Removing a Domain

To remove a domain, remove the storage system that is the master node. Or you can remove all storage systems in the domain.

Removing the domain removes all global user accounts (but not the local accounts on each node). The software warns you about the consequences of deleting the master. If you confirm, the software removes the domain, placing each storage system in the Uninitialized state.

If the domain has any portals in it, you must remove systems managed via the portal before you can remove the domain. See the previous section for more detail.

Adding, Modifying, or Deleting User Accounts

To add, modify, or delete an account, you must be logged on as an administrator. For global accounts, you must be logged on as a global administrator. When you create or modify a global account, all storage systems in the domain should be on-line, so that changes will be applied to them all.

If you completed the global and local account worksheets in Chapter 2, you can use that information when you add user accounts.

To add a user account, follow these steps:

1. Log in to a storage application server in the desired domain, using an administrator account.

To create a local account for any system, you must be logged into that system. You cannot create a local account for a system other than the one you’re logged in to.

2. On the Tools Menu, click Security.

3. On the Security menu, click User Management.

The User Management dialog box appears.


4. In the User Management dialog box, follow the appropriate steps below.

a. To add a user, click the Add button. The Add User dialog box opens. In the Add User dialog box, enter a username. Skip to step 5.

Each username must be unique in the domain and can be 1 to 32 letters (case sensitive), numbers, and/or underscores, and it must start with a letter.

b. To modify a user (role, scope, or password), select a user and click Modify. Skip to step 5.

c. To delete a user, select the username and click the Delete button. The software prompts for confirmation; to confirm, click OK. You have deleted the user and are done with this procedure.

5. If you are adding or modifying a user account, specify a security role for the account — administrator, manager, or monitor (refer to About Domains and User Accounts on page 2-3).

If you specify global, the user account information will be copied to all storage systems in the domain and a person who knows the username and password can use the account on any storage system in the domain. The account will display as a user account on all storage systems in the domain.

If you specify local, the account pertains only to the storage system you are logged into. Each local user must have an account on a server that has Manager installed in addition to any local accounts for other storage systems.

6. For Password, enter 1 to 32 characters, including letters (case sensitive) and/or numbers.

Important – If the person who manages a storage-system installation cannot log in as a global administrator (perhaps because he or she forgot the password), then global management of the domain will be impossible. Any local administrators and managers retain their local management privileges. However, EMC support will need to recreate a global administrative account. So you should make sure that people who will manage the system keep a good record of this password.

7. Confirm the password by retyping it and pressing Enter.

8. Click OK.

The software creates the account and the user can now log in to this domain via an Internet browser using the username, password, and scope you specified.

9. Repeat steps 4 through 8 until you have created all the user accounts you want for the domain. For any other domains, you can create user accounts in the same way, starting with step 1.

Changing a Password

Any user can change his or her password. A global administrator can change any user’s password via the User Management dialog box described in the previous section.

For a user to change his or her password, he or she follows these steps:

1. Log in to a storage application server in the desired domain, using an account whose password you want to change.

To change the password of a local account for any system, log in to the system that has the local account. To change the password for a global account, you can log in to any system in the domain.

2. On the Tools Menu, click Security.

3. On the Security menu, click Change Password.

4. Specify and confirm the new password.

The new password will take effect immediately.

Moving a Storage System to a Different Domain

To move a storage system from one domain to another, or to put it into a new domain all by itself, follow these steps. You must be logged into a Global Administrator account.

Ensure that at least one of the systems in each of the source and destination domains has Manager installed on it. If no system in the domain has Manager, you will not be able to manage the domain.

If the storage system you want to move is the master node in the domain, and you want to retain the domain, then you should change the master node to another system in the domain before moving the old master.

1. Remove the storage system from its current domain. To do this, use the Setup Domain menu Configure Domain option, move the system from Selected Systems to Available, and click OK.

Removing a system from a domain deletes its domain and global account information; however, any local accounts remain usable.

Now you can add the system to an existing domain or create a new domain for that system as follows.

2. To add the storage system to an existing domain, log in to any storage system with Manager in the target domain.

3. Use the Setup Domain menu Configure Domain option to select the system and add it to the domain by moving it from Available to Selected Systems. The newly added system will inherit all the global information in the domain.

4. To create a new domain for the storage system:

a. In a web browser, enter the IP address of a storage system SP. Then initialize security and create one or more global administrator accounts for the new domain.

b. Use the Select Master dialog to create a master node. When you select a master, the software creates a domain.

You now have a domain of one system. You can add storage systems to it as explained in steps 1 through 8 in the section Adding or Modifying a Domain.

Appendix A: Comparing Manager 6.X and Manager 5.X Security

This appendix compares the security functions of Navisphere Manager 6.X and Navisphere Manager 5.X.

Topics include

◆ Manager 5.X vs. Manager 6.X Security

Manager 5.X vs. Manager 6.X Security

Navisphere Manager security is made up of four basic functions:

◆ Authentication - Identify who is making a request

◆ Authorization - Determine if the requestor has the right to exercise the request

◆ Privacy - Protect against snooping of data

◆ Audit - Keep a record of who did what and when

Manager 5.X and Manager 6.X provide these basic security functions differently. The rest of this appendix describes the differences.

Authentication

Manager 5.X authentication relies on the native password-based authentication function of the Windows NT or Windows 2000 management station. If the requestor's username/password matches the username/password of a defined user, then Manager 5.X identifies the requestor as an authenticated user of any application on the management station, including the Manager 5.X application. The account administrator must configure each management station with the proper user account information.

Manager 6.X authentication is also password-based, but the Storage Management Server Software implements this on the storage system. Manager 6.X allows an administrator to create usernames and passwords for user accounts by entering them in dialog boxes.

Manager 6.X uses local and global user accounts, which define the scope of the user account. A global user account applies to all storage systems in the domain, while a local user account applies to a specific storage system. The account administrator enters global user account information once, and then Manager 6.X distributes it automatically to all other storage systems equipped with the Storage Management Server Software, and to every new storage system that you add to the domain. This automatically provides access to users with global accounts without any additional administrator actions.

Manager 6.X uses the same authentication mechanisms that HTTP uses. When starting a session, Manager asks for a username, password, and scope (local or global), and then places them in cache and the authentication header, and sends the login request to the storage system. The Storage Management Server Software authenticates the user if a match is found. For the duration of the session, all subsequent requests that the browser sends will contain the cached username/password/scope in the authentication header so that you never have to enter your credentials again.

Storage management servers also use authentication when communicating with each other. For example, when user account information changes, Manager 6.X replicates the information to each storage management server in the domain.

Authorization

Both Manager 5.X and Manager 6.X base authorization on the role associated with the authenticated user. A role is a collection of access privileges to similar data and functions, which provides an account administrator with a simple tool for assigning access rights.

Manager 5.X supports two basic roles: monitor and privileged. All authenticated users can monitor the status of a storage system. A privileged user account can configure a storage system, for example, bind LUNs. With Navisphere 5.X, the administrator must add a privileged user account to the Agent configuration file for each attached host, as well as a privileged user account to create and maintain other privileged user accounts. For large configurations, this task can be labor intensive, and increases the risk of errors.

Manager 6.X supports three basic roles: administrator, monitor, and manager. All roles can monitor the status of a storage system. The manager role allows an authenticated user to configure a storage system, and the administrator role can maintain user accounts as well as configure a storage system. Only the account administrator can assign a role to a user account.

Manager 6.X authorization extends to all legacy storage systems managed through a storage management server set up as a portal. For example, if a user has manager role access privileges for the portal storage system, then that user has manager role access privileges for all legacy storage systems that the portal is managing.
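The role, scope and portal rules described above can be modelled to list where an account's privileges actually reach, which is useful when reviewing accounts for least privilege. This is an added example, not EMC code; the system names, the action labels (monitor, configure, manage_accounts) and the Account and Domain classes are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Action labels are assumptions; the guide describes the privileges in prose.
ROLE_PRIVILEGES = {
    "monitor": {"monitor"},
    "manager": {"monitor", "configure"},
    "administrator": {"monitor", "configure", "manage_accounts"},
}


@dataclass(frozen=True)
class Account:
    username: str
    role: str        # monitor, manager or administrator
    scope: str       # "global" or "local"
    home: str = ""   # for a local account: the storage system that holds it

    def __post_init__(self):
        if self.role not in ROLE_PRIVILEGES:
            raise ValueError(f"unknown role: {self.role}")
        if self.scope not in ("global", "local"):
            raise ValueError(f"unknown scope: {self.scope}")
        if self.scope == "local" and not self.home:
            raise ValueError("a local account needs a home system")


@dataclass
class Domain:
    systems: set                                 # systems in the domain
    portals: dict = field(default_factory=dict)  # portal -> legacy systems it manages

    def entry_point(self, system):
        """Return the domain system that authorizes requests for `system`."""
        if system in self.systems:
            return system
        for portal, legacy in self.portals.items():
            if system in legacy and portal in self.systems:
                return portal  # legacy systems are reached through their portal
        return None

    def effective_role(self, account, system):
        """Role the account holds on `system`, or None if it has no access."""
        via = self.entry_point(system)
        if via is None:
            return None
        # Global accounts apply to every system in the domain; local accounts
        # apply only to their own system. The role held on a portal carries
        # over to the legacy systems behind it.
        if account.scope == "global" or account.home == via:
            return account.role
        return None

    def is_allowed(self, account, system, action):
        role = self.effective_role(account, system)
        return role is not None and action in ROLE_PRIVILEGES[role]

    def reach(self, account, action):
        """Every system, legacy included, where the account may do `action`."""
        everything = set(self.systems)
        for legacy in self.portals.values():
            everything |= legacy
        return sorted(s for s in everything if self.is_allowed(account, s, action))


# Constructed sample domain: cx-b is a portal for two legacy systems.
DOMAIN = Domain(systems={"cx-a", "cx-b"}, portals={"cx-b": {"legacy-1", "legacy-2"}})
ALICE = Account("alice", "administrator", "global")
BOB = Account("bob", "manager", "local", home="cx-b")
CAROL = Account("carol", "monitor", "local", home="cx-a")

if __name__ == "__main__":
    for acct in (ALICE, BOB, CAROL):
        print(acct.username, "can configure:", DOMAIN.reach(acct, "configure"))
```

In this model a local manager account on the portal can configure both legacy systems behind it, so a local account on a portal deserves the same review as a wider-scoped one.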

Privacy

Manager 6.X provides 128-bit encryption of all data it passes between the browser and the storage management server, and all data it passes between storage management servers. By contrast, data that passes between Manager 5.X and Host or SP Agents is not encrypted.

As with e-commerce, encryption protects the user's credentials (username/password) and hides the transferred data from prying eyes, whether on the local LANs behind the corporate firewalls, or when the storage systems are being remotely managed over the Internet.

Manager 6.X supports SSL over the industry-standard port 443 to ease integration with firewall rule sets. It also supports SSL over port 2163. When you install Manager, it selects the port. For SSL communications, all Manager installations in the same domain must use the same port.

Audit

The audit function provides a record of all activities, so that Manager 6.X can

◆ Check for suspicious activity

◆ Determine the scope of suspicious activity

Audit is especially important for financial institutions that are monitored by regulators.

Manager 5.X uses an SP Event Log. The SP Event Log contains a time-stamped record for each event. Each record contains the following information:

◆ Event code

◆ Description of event

◆ Name of the storage system

◆ Name of the corresponding SP

◆ Host name associated with the SP

Manager 6.X adds audit records to the Event Log. Manager 6.X creates an audit record each time a user logs in or enters a request. Each audit record is time stamped, and identifies the following information for each request:

◆ Requestor

◆ Type of request

◆ Target of request

◆ Success or failure of request
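One way to use the audit fields listed above for the two purposes this appendix names, checking for suspicious activity and determining its scope. This is an added example, not EMC code: the pipe-delimited layout, the names, and the thresholds are assumptions, since the guide lists the fields but not a record format.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class AuditRecord(NamedTuple):
    when: datetime
    requestor: str
    request: str
    target: str
    success: bool


# Constructed sample records (assumed layout):
# timestamp | requestor | type of request | target of request | result
SAMPLE_AUDIT = """\
2003-12-01T02:10:05|jsmith|login|array-01|failure
2003-12-01T02:10:19|jsmith|login|array-01|failure
2003-12-01T02:10:41|jsmith|login|array-01|failure
2003-12-01T02:11:02|jsmith|login|array-01|success
2003-12-01T02:13:30|jsmith|add user|array-01|success
2003-12-01T02:15:12|jsmith|bind LUN|array-02|failure
2003-12-01T09:00:00|mlee|login|array-02|failure
2003-12-01T09:00:20|mlee|login|array-02|success
2003-12-01T09:05:00|mlee|bind LUN|array-02|success
"""


def parse_audit(text):
    """Parse audit lines into records sorted by time; reject malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split("|")
        if len(fields) != 5 or fields[4] not in ("success", "failure"):
            raise ValueError(f"malformed audit record: {line!r}")
        when, requestor, request, target, result = fields
        records.append(AuditRecord(datetime.fromisoformat(when), requestor,
                                   request, target, result == "success"))
    return sorted(records, key=lambda r: r.when)


def failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Map each requestor with >= threshold failed logins inside `window`
    to the time of the first failure in that burst."""
    failures = defaultdict(list)
    for r in records:
        if r.request == "login" and not r.success:
            failures[r.requestor].append(r.when)
    bursts = {}
    for requestor, times in failures.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts[requestor] = times[i]
                break
    return bursts


def scope_of_activity(records, requestor, since):
    """Non-login requests by `requestor` at or after `since`, grouped by target."""
    scope = defaultdict(list)
    for r in records:
        if r.requestor == requestor and r.when >= since and r.request != "login":
            scope[r.target].append((r.request, r.success))
    return dict(scope)


def triage(text):
    """For every flagged requestor, list what they requested and where."""
    records = parse_audit(text)
    return {who: scope_of_activity(records, who, start)
            for who, start in failed_login_bursts(records).items()}


if __name__ == "__main__":
    for who, scope in triage(SAMPLE_AUDIT).items():
        print(who, scope)
```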

Appendix B: Network Configurations

This appendix addresses security policies that require special network configurations for an additional layer of security.

Topics include

◆ Configuring Networks for Additional Security

Configuring Networks for Additional Security

Manager 6.X provides strong security for interactions between the browser and the storage system. However, some security policies require special network configurations that add a further layer of security.

The following sections describe these network configurations:

◆ Management LAN vs. data LAN

◆ Remote access with VPN

Management LAN vs. Data LAN

You may want to ensure that the storage-system administrators cannot access the application servers. You can do this by setting up two separate LANs - one for management, the other for data - as shown in Figure B-1.

Figure B-1 Separate LANs

(Diagram labels: Data LAN, Management LAN, Host A, Host B, FC4700, Browser, Fabric)

Legacy Storage Systems

You cannot use a configuration with separate LANs to manage legacy storage systems, because the portal (storage system or server managing the legacy storage systems) must be able to proxy commands to the Host Agents that are managing the legacy storage systems. In this case, use a firewall to limit data communications to just RAID++ (port 6389) between the FC4700 and the host agents on the application servers, as shown in Figure B-2.

Figure B-2 Legacy Storage Systems via Firewall

(Diagram labels: Data LAN, Management LAN, RAID++, Firewall, Host A, Host B, FC4700, Browser, Fabric)

Remote Access with VPN

Some customers may have security policies that require two-factor authentication for access to corporate LANs from remote locations. Two-factor authentication is provided with VPN. Figure B-3 is an example configuration for supporting Manager 6.X over VPN.

Figure B-3 Remote Access With VPN

Note that VPN has the following limitations:

◆ It requires pre-installed software or hardware at the remote location

◆ VPN products suffer from poor interoperability

VPN requires that you install software or hardware at the remote PC. This limits your ability to securely manage storage systems from anywhere, at any time. Also, the VPN elements you install on the remote PC must be from the same vendor that provides the VPN server elements at the data center. This is not a problem for administrators accessing their own storage systems, but could prove to be a roadblock in standardizing on an EMC dial-in support strategy.

(Figure B-3 diagram labels: Data LAN, Management LAN, Browser, VPN, RAID++, Firewall, Host A, Host B, FC4700, Fabric)

Appendix C: Customer Support

This appendix reviews the EMC process for detecting and resolving software problems, and provides essential questions that you should answer before contacting the EMC Customer Support Center.

This appendix covers the following topics:

◆ Overview of Detecting and Resolving Problems

◆ Troubleshooting the Problem

◆ Before Calling the Customer Support Center

◆ Documenting the Problem

◆ Reporting a New Problem

◆ Sending Problem Documentation

Overview of Detecting and Resolving Problems

EMC software products are supported directly by the EMC Customer Support Center in the United States.

EMC uses the following process to resolve customer problems with its software products (Figure C-1).

Figure C-1 Problem Detection and Resolution Process

(Flowchart boxes, in order:)

1. Problem Detection

2. Refer to this Customer Support Appendix for Instructions

3. Collect Problem Information as Directed

4. Contact the EMC Customer Support Center: U.S.: (800) SVC-4EMC; Canada: (800) 543-4SVC; Worldwide: (508) 497-7901

5. Confirm that the Problem is Software Related

6. Call will be Directed to an EMC Software Support Engineer

7. Problem is Tracked and Managed to Resolution

Troubleshooting the Problem

Please perform the relevant diagnostic steps before you contact the EMC Customer Support Center:

1. Read the documentation carefully.

2. Reconstruct the events leading up to the problem and describe them in writing.

3. Run some test cases to reproduce the problem.

If you encounter a problem that requires technical programming or analysis, call the nearest EMC office or contact the EMC Customer Support Center at one of the following numbers:

United States: (800) 782-4362 (SVC-4EMC)

Canada: (800) 543-4782 (543-4SVC)

Worldwide: (508) 497-7901

Please do not request a specific support representative unless one has already been assigned to your particular system problem.

For additional information on EMC products and services available to customers and partners, refer to the EMC Powerlink website at:

http://powerlink.EMC.com

Before Calling the Customer Support Center

Have the following information available before calling the Customer Support Center or your support representative (if one has been assigned to you):

❑ Your company name

❑ Your name

❑ Your phone number

❑ For an existing problem, the problem tracking system ID, if one was previously assigned to the problem by a support representative

❑ For an MVS problem, the JESLOG, SYSPRINT, all STDOUT DD members of the server job output and similar output for the client, and the relevant portion of the SYSLOG

Documenting the Problem

If the EMC Customer Support Center requests information regarding the problem, please document it completely, making sure to include the following information:

❑ Your company name and address

❑ Your name

❑ Your telephone number

❑ The importance of the problem, so that it can be assigned a priority level

To expedite the processing of your support request, you can photocopy this list and include it with the package.

Reporting a New Problem

For a new problem, please provide the following information:

❑ Release level of the software that you are running

❑ Software installation parameters

❑ Host type on which you are running

❑ Operating system you are running and its release number

❑ Functions of the software that you are running

❑ Whether you can reproduce the problem

❑ Previous occurrences of the problem

❑ Whether the software has ever worked correctly

❑ Time period that the software did work properly

❑ Conditions under which the software worked properly

❑ Changes to your system between the time the software worked properly and the problem began

❑ Exact sequence of events that led to the system error

❑ Message numbers and complete text of any messages that the system produced

❑ Log file dated near the time the error occurred

❑ Results from tests that you have run

❑ Other related system output

❑ Other information that may help solve the problem

Sending Problem Documentation

Use one of the following methods to send documentation of the problem to the EMC Customer Support Center:

◆ E-mail

◆ FTP

◆ U.S. mail to the following address:

EMC Customer Support Center
45 South Street
Hopkinton, MA 01748-9103

If the problem was assigned a number or a specific support representative, please include that information in the address as well.
