emc smarts network configuration manager security ...€¦ · emc® smarts® network configuration...

EMC® Smarts®

Network Configuration ManagerVersion 9.5.1

Security Configuration Guide302-004-766

REV 01

Copyright © 2009-2018 Dell Inc. or its subsidiaries All rights reserved.

Published May 2018

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.“ DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND

WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF

MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED

IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners.

Published in the USA.

EMC CorporationHopkinton, Massachusetts 01748-91031-508-435-1000 In North America 1-866-464-7381www.EMC.com

2 Network Configuration Manager 9.5.1 Security Configuration Guide

CHAPTER 1

Security Configuration

This guide provides an overview of security configuration settings available in theproduct, secure deployment and usage settings, and the secure maintenance andphysical security controls needed to ensure secure operation of the product.

This chapter includes the following topics:

l Revision history....................................................................................................4l Overview..............................................................................................................4l Access control settings........................................................................................4l Communication security settings........................................................................ 11l Global device security policy............................................................................... 17l Secure deployment and usage settings...............................................................18l Application security management...................................................................... 20l Security enforcement rules................................................................................ 22l Available permissions......................................................................................... 25l Using groups as roles......................................................................................... 27l Security hardening............................................................................................. 28l Third-party software hardening......................................................................... 32l Web Services hardening.....................................................................................39l Communication hardening..................................................................................40l Troubleshooting and getting help........................................................................41

Security Configuration 3

Revision historyUse this table to review the revisions made to this document.

Table 1 Revision history

Date Revision Description

May 2018 01 GA Release

OverviewThis document describes the user authorization security policy for EMC SmartsNetwork Configuration Manager and introduces concepts and principles used in theimplementation of the authorization features.

TerminologyTo clarify the terminology used within this document, a Principal represents both aUser and a Group.

A Group is a container or a composite entity comprised of Principals as its members.For example, a group can be comprised of users and groups, with the exception ofrecursive group membership.

A Principal can be a member of multiple groups, at the same time.

Access control settingsAccess control settings enable the protection of resources against unauthorizedaccess. The default user account and passwords are provided in this topic.

Table 2 Default accounts

User account Password Description

sysadmin sysadmin Default system administratoraccount for NetworkConfiguration Manager.

smc-user sysadmin Network ConfigurationManager SystemManagement Console useraccount.

jmx-user sysadmin JMiniX JMX console useraccount.

msa-user sysadmin Account to access msa



Authentication configurationNetwork Configuration Manager supports various methods of external authentication.

l TACACS+

l RADIUS

l LDAP

l SAML

The EMC Smarts Network Configuration Manager Online User Guide, accessed from theNetwork Configuration Manager client, contains more information on authenticationconfiguration. To access the guide, click Help > Help Contents. Use the Searchfunction to find more information about Authentication.

User actions performed without authenticationThe user actions that can be performed without authentication are described in thistopic.

Table 3 User actions available without authentication

User action Description of component

View online documentation The EMC Smarts Network ConfigurationManager Online User Guide is hosted on theNetwork Configuration Manager ApplicationServer.

View API Javadoc and samples The Network Configuration Manager APIJavadoc and samples are hosted on theNetwork Configuration Manager ApplicationServer.

User authorizationUser authorization settings control rights or permissions that are granted to enable auser to access a resource managed by the product.

Only authenticated users are allowed access to Network Configuration Manager.These authenticated users must be granted the appropriate permissions (or privileges)for authorization to access the application's features and functions. Access to theapplication is by the user interface (UI) or a public application programming interface(API).

Note

The Remember me checkbox is available in the Web Reporting and SysAdmin Loginscreens. If this checkbox is selected, the application remembers the last successfullogin username. If the application is launched again, the username is automaticallyavailable. By default, the Remember me checkbox is selected. Clear the selection toovercome this behavior.


Authentication configuration 5

Database component accessThe Network Configuration Manager database (PostgreSQL) uses an access list tolimit access to the database. The access list is automatically generated based on theuser's selections during the installation process.

If the product is configured so that the application server and database reside on thesame server, the database access list only allows local connections over the loopbackaddress. If the application server is remote from the database, the installer adds anentry in the access list for the remote servers and modifies the PostgreSQLconfiguration so that it listens on the external network interface.

Editing PostgreSQL access listThe PostgreSQL access list is automatically configured by the Network ConfigurationManager installer. Use this procedure to manually edit the access list.

Procedure

1. Open the [Product_Directory]/db/controldb/data/pg_hba.conf.

Scroll to the bottom of the file and locate the md5 entries.

2. Add a new trusted IP address by inserting a new line. For example, host allall <IP address>/32 md5Replace <IP address> with the IP address you are giving access to.

3. Save and then Close the file.

4. Stop the Sysadmin service (Linux): service sysadmin stop5. Stop the ncm-as service (Linux or Windows):

l Linux: service ncm-as stopl Windows: sc stop ncm-as

6. Start the Sysadmin service (Linux): service sysadmin start7. Restart the controldb service (Linux or Windows):

l Linux: service controldb restartl Windows: sc stop NCM_Controldb and sc start NCM_Controldb

8. Start the ncm-as service (Linux or Windows):

l Linux: service ncm-as startl Windows: sc start ncm-as

After you finish

Additional information about pg_hba.conf can be found at: http://www.postgresql.org.

Editing PostgreSQL listen addressesThe PostgreSQL listen addresses are automatically configured by the NetworkConfiguration Manager installer. Use this procedure to manually edit the addresses.

Procedure

1. Edit [Product_Directory]/db/controldb/data/postgresql.conf2. Locate the line that begins with listen_addresses = (near line 56).



http://www.postgresql.org


Remove the leading pound sign, #, to uncomment the line. If the line iscommented out, it defaults to listen only on the local loopback address. Forexample,

listen_addresses = 'localhost, 192.168.0.1' # Listen on localhost and 192.168.0.1listen_addresses = '*' # Listen on all addresses

The list of listen addresses is comma delimited, and it must contain the'localhost' address at a minimum. The list must be surrounded by single quotes.For example, to listen on all addresses, you can use an asterisk, '*'

3. Save, and then Close the file.

4. Stop the Sysadmin service (Linux): service sysadmin stop5. Stop the ncm-as service (Linux or Windows):

l Linux: service ncm-as stopl Windows: sc stop ncm-as

6. Start the Sysadmin service (Linux): service sysadmin start7. Restart the controldb service (Linux or Windows):

l Linux: service controldb restartl Windows: sc stop NCM_Controldb and sc start NCM_Controldb

8. Start the ncm-as service (Linux or Windows):

l Linux: service ncm-as startl Windows: sc start ncm-as

After you finish

Additional information on the postgresql.conf file can be found at: http://www.postgresql.org.

Log management and retrievalLog files can only be accessed directly from the server. If remote access is required,the files may be exported through a file share.

Log settingsA log is a chronological record of system activities sufficient to enable thereconstruction and examination of the sequence of environments and activitiessurrounding or leading to an operation, procedure, or event in a security-relevanttransaction, from inception to final results.

Table 4 Log description

Log component Location

AutoDisc [Product_Directory]/logs/autodisc.log

CF List [Product_Directory]/logs/cflist.log


Log management and retrieval 7



Table 4 Log description (continued)


CF Write [Product_Directory]/logs/cfwrite.log

CommMgr [Product_Directory]/logs/commmgr.log

Controldaemon [Product_Directory]/logs/daemon.log

Cut Thru Master [Product_Directory]/logs/cutthrum.log

Cut Thru Server [Product_Directory]/logs/cutthrus.log

DASL Compile [Product_Directory]/logs/daslcompile.log

Device Driver Install Log [Product_Directory]/logs/device_driver_install.log

Device Services AutoDiscovery Log [Product_Directory]/logs/autodisc.log

Device Services CommMgr [Product_Directory]/logs/commmgr.log

Device Services Cut Thru (Application Server)Activity Log

[Product_Directory]/logs/cutthrum.log

Device Services Cut Thru (Device Server) [Product_Directory]/logs/cutthrus.log

Device Services Event Dispatch [Product_Directory]/logs/eventdispatch.log

Device Services SysSync (Application Server) [Product_Directory]/logs/syssyncm.log

Device Services SysSync Server (DeviceServer)

[Product_Directory]/logs/syssyncs.log

Device Services SysSync Transfer Log [Product_Directory]/logs/ssxfrcgi.log

Documentation Install Log [Product_Directory]/logs/documentation_install.log

Event Dispatch [Product_Directory]/logs/eventdispatch.log

Event Handler [Product_Directory]/logs/event.log

NCM Application Server Log [Product_Directory]/ncmcore/logs/server.log

NCM Application Server Compliance Audit [Product_Directory]/ncmcore/logs/compliance-audit.log

NCM Application Server Credential Rollout [Product_Directory]/ncmcore/logs/credential-rollout.log

NCM Application Server General Log [Product_Directory]/ncmcore/logs/server.log

NCM Application Server Powerup Events [Product_Directory]/ncmcore/logs/powerup-events.log

NCM Application Server SAML [Product_Directory]/ncmcore/logs/saml.log

NCM Application Server Voyence Audit [Product_Directory]/ncmcore/logs/voyence-audit.log

NCM Application Server Voyence Log [Product_Directory]/ncmcore/logs/powerup.log



Table 4 Log description (continued)


NCM Application Server Compliance AuditLog

[Product_Directory]/ncmcore/logs/compliance-audit.log

Network Configuration ManagerControldaemon

[Product_Directory]/logs/daemon.log

NCM Application Server Credential RolloutActivity Log

[Product_Directory]/ncmcore/logs/credential-rollout.log

Network Configuration Manager Events Log [Product_Directory]/ncmcore/logs/powerup-events.log

Network Configuration ManagerSAMLActivity Log

[Product_Directory]/ncmcore/logs/saml.log

Network Configuration Manager SecurityAudit Log

[Product_Directory]/ncmcore/logs/voyence-audit.log

Network Configuration Manager ServerDebug Log

[Product_Directory]/ncmcore/logs/powerup.log

Network Configuration Manager ServerInformation Log

[Product_Directory]/ncmcore/logs/server.log

Package Validate [Product_Directory]/logs/pkgvalidate.log

PostgreSQL [Product_Directory]/db/controldb/logs/server.postmaster

Report Advisor (upgrades only) [Tomcat Directory/logs/Voyence.log

Report Advisor (license log) [Tomcat Directory/logs/license.log

Reports Install Log (upgrades only) [Product_Directory]/logs/reports_install.log

Setup Manager [Product_Directory]/logs/setupmgr.log

SSH Daemon [Product_Directory]/logs/sshdaemon.log

SysSync Master [Product_Directory]/logs/syssyncm.log

SysSync Server [Product_Directory]/logs/syssyncs.log

SysSync Transfer (ssxfrcgi) [Product_Directory]/logs/ssxfrcgi.log

System Monitor (Application Server) [Product_Directory]/logs/sysmonm.log

System Monitor Master [Product_Directory]/logs/sysmonm.log

System Monitor Server [Product_Directory]/logs/sysmons.log

Tomcat [Tomcat Directory]/logs/catalina.out

Transformer service [Product_Directory]/Transformation/logs/transformer.log


Log settings 9

Enabling log file debuggingBy default, debug logging is disabled (turned Off). When enabled, debug logging canconsume a significantly large amount of disk space. Turn On debug logging only whenneeded.

Procedure

1. Edit [Product_Directory]/conf/logs.cfg2. Locate, and then uncomment the following line by removing the number sign

(#) character at the beginning of the line: #*:log(0-9):file(10x1000000)3. Save changes to the file.

4. Restart the Network Configuration Manager service using the following:

l Linux: /etc/init.d/voyence restartl Windows: [Product_Directory]\bin\ncmmaster restart

Disabling log file debugging for the ncm-as serviceBy default, log file debugging for the ncm-as service is enabled (turned On). Whendebug logging for the ncm-as service is enabled, the log file size grows quickly. Todisable log file debugging for the ncm-as service, follow this procedure.

Procedure

1. Edit [Product-Directory]/ncmcore/webapps/ncm-webapp/WEB-INF/classes/log4j.xml

2. Go to the section that begins on line 381, and change the priority value fromDEBUG to INFO. For example:

<category name="com.powerup"><priority value="INFO" /><appender-ref ref="POWERUP"/></category>

3. Save the changes.

4. Restart the ncm-as service:

l Linux: service ncm-as restartl Windows: sc stop ncm-as and sc start ncm-as

Enabling log file debugging for Report Advisor (Tomcat service)By default, debug logging is disabled (turned Off). Follow this procedure to enabledebug logging for Report Advisor (Tomcat service).

Procedure

1. Edit [Product_Directory]/web/conf/log4j.properties2. Replace all occurrences of WARN with DEBUG.

3. Save the changes to the file.

4. Restart the Tomcat service:

l Linux: /etc/init.d/tomcat restartl Windows: sc stop Tomcat8 and sc start Tomcat8



Communication security settingsCommunication security settings enable the establishment of secure communicationchannels between the product components, as well as between product componentsand external systems or components.

Table 5 Port usage

Service Protocol Destination Port

Application server(AS)/Direction

Deviceserver(DS)/Direction

Combination server(CS)/Direction

Databaseserver(DB)/Direction

Apache TCP 80 Client to AS N/A Client toCS

N/A

NCM AS TCP 8881 Client to AS DS to AS,DS to CS

Client toCS

N/A

NCM ASSSL

TCP 8880 Client to AS N/A Client toCS

N/A

ApacheSSL

TCP 443 Client toAS,DS to AS

AS to DS,CS to DS

Client toCS,DS to CS

N/A

SNMP UDP 161 N/A DS toDevice

CS toDevice

N/A

Telnet TCP 23 N/A DS toDevice

CS toDevice

N/A

SSH TCP 22 N/A DS toDevice

CS toDevice

N/A

SCP TCP 22 N/A DS toDevice

CS toDevice

N/A

TFTP UDP 69, >1023 N/A DS toDevice,Device toDS

CS toDevice,Device toCS

N/A

FTP TCP 21 N/A DS toDevice

CS toDevice

N/A

SNMPTraps

UDP 162 N/A Device toDS

Device toCS

N/A

Syslog UDP 514 N/A Device toDS

Device toCS

N/A

Cut-Through


N/A

Cut-Through

TCP 11966 AS to DS CS to DS N/A N/A


Communication security settings 11

Table 5 Port usage (continued)






TACACS+ TCP 49 AS toTACACS+Server

N/A CS toTACACS+Server

N/A

Radius TCP 1645, 1646,1812, 1813

AS toRadiusServer

N/A CS toRadiusServer

N/A

LDAP TCP 389 AS to LDAPServer

N/A CS to LDAPServer

N/A

Telnet Cut-ThroughProxy


N/A

SSH Cut-ThroughProxy


N/A

SMTP TCP 25 AS toSMTPServer

N/A CS toSMTPServer

N/A

DNS TCP 53 N/A DS to DNSServer

CS to DNSServer

N/A

TomcatSSL

TCP 8443 Client to AS N/A N/A N/A

PostgreSQL

TCP 5435 AS to DB N/A CS to DB AS to DB,CS to DB

NCM AS TCP 1099 Registryport

N/A Internalbeanregistration

N/A

NCMMSATomcat

TCP 9443 N/A N/A N/A N/A

NCMMSA TCP 9005 N/A N/A N/A N/A

Tomcat TCP 8005 N/A N/A N/A N/A

Voyenced TCP 9991 AS to DS AS to DS CS to DS N/A

Voyenced TCP 9992 DS to AS DS to AS DS to CS N/A

Active MQbroker

TCP 61616 Client to AS N/A Messagingbroker port

N/A

Commgrd TCP 9995 AS to DSDS to AS

AS to DSDS to AS

CS to DSDS to CS

N/A

Autodiscd TCP 9996 AS to DSDS to AS

AS to DSDS to AS

CS to DSDS to CS

N/A



Table 5 Port usage (continued)






SyssyncdMaster

TCP 9997 AS to DS AS to DSCS to DS

CS to DS N/A

SyssyncdServer

TCP 9998 DS to AS DS to AS DS to CS N/A

SmartsAdapter

TCP 11805 Client toAdapter

N/A Client toAdapter

N/A

SmartsAdapter



N/A

SmartsAdapter



N/A

SSLv3 POODLE vulnerability mitigationNCM 9.4.x includes the fix to disable SSLv3 connections. NCM components are notvulnerable to POODLE attack. For details on this vulnerability, refer to:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

As a fix, the SSL connections to NCM components (Application server, ReportAdvisor, MSA, Apache) are disabled and only TLS connections are allowed.

The SA Suite Security KnowledgeBase (KB) reference at https://support.emc.com/kb/194044 provides more information.

Security enhancementsThe following components are upgraded for Network Communication Manager 9.5.1:

l Java is upgraded to 1.8u162. The Java update includes fixes for multiple securityvulnerabilities. All NCM components are updated to Java 8 update 162, includingthe Integration Adapter for Smarts Manager.

l For Windows, OpenSSL is upgraded to Win32OpenSSL-1_0_2n (for Windowsonly).

l Apache httpd server is upgraded to 2.4.29 (for Windows only).

l Apache tomcat is upgraded to 8.5.27.

l Apache Groovy is upgraded to 2.4.14.

l Perl is upgraded to 5.26.1 (for Windows only).

l PostgreSQL is upgraded to 9.6.6.

Security Advisory "DSA-2018-094" provides more information about the fixedvulnerabilities for the above third party components.


SSLv3 POODLE vulnerability mitigation 13

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

https://support.emc.com/kb/194044

https://support.emc.com/kb/194044

Network encryptionIn Network Configuration Manager a few clients are configured to communicate overHTTPS and others over HTTP. You may want to change the default protocolsdepending upon network performance or security requirements.

Here are the default protocols used by the clients when communicating with theApplication Server:

Table 6 Default client protocols

Clients Protocol

NCM thick client HTTP

J2EE API calls HTTP

NCM Smarts Adapter HTTPS

NCM EDAA (NCM MSA) HTTPS

Report Advisor HTTPS

Configuring NCM thick client to use HTTPSThe NCM thick client is configured to use HTTP by default. Change it to HTTPS tomake the NCM thick client secure.

The client protocol is controlled by the HTML landing page from which the client islaunched.

In addition to using HTTPS, you can block the non-SSL ports through the use of afirewall between the client and the server. The ports to block are TCP port 80 andTCP port 8881.

Note

Port 80 must not be blocked on the loop back.

Procedure

1. Open <VOYENCE_HOME>/ncmcore/webapps/voyence/powerup.jnlp2. Modify this line,

<property name="jnlp.cc.remoting.servlet.base" value="http://$$hostname:8881/ncm-webapp/remoting/"/>

Change it to

<property name="jnlp.cc.remoting.servlet.base" value="https://$$hostname:8880/ncm-webapp/remoting/"/>



Configuring J2EE API calls to use HTTPSThe cc.remoting.servlet.base URL in the J2EE samples folder is changed from HTTPS(secure) to HTTP by default to improve performance of the J2EE API calls. To changeback to HTTPS, follow these steps

Procedure

1. Open <VOYENCE_HOME>/ncmcore/webapps/ncm-webapp/samples/J2EE/conf/config.properties

2. Modify this portion of the line,

cc.remoting.servlet.base=http://<server-ip>:8881/ncm-webapp/remoting/

Change it to

cc.remoting.servlet.base=https://<server-ip>8880/ncm-webapp/remoting/

Changing NCM EDAA (MSA), Report Advisor, or Smarts Adapter clients to use HTTPNCM EDAA (MSA), Report Advisor, and NCM Smarts Adapter communicate with theApplication Server using HTTPS by default. Use these steps to change to HTTP.

Procedure

1. Open these files:

l $VOYENCE_HOME/ncmmsa/webapps/ncm-msa/WEB-INF/classes/config.properties

l $VOYENCE_HOME/NCMSmartsAdapter/lib/config.propertiesl $TOMCAT_HOME/webapps/web/WEB-INF/classes/

config.properties

2. Modify this line,

cc.remoting.servlet.base=https://<server-ip>:8880/ncm-webapp/remoting/

Change it to

cc.remoting.servlet.base=http://<server-ip>:8881/ncm-webapp/remoting/

Data security settingsData security settings enable definition of controls to prevent data permanently storedby the product to be disclosed in an unauthorized manner.


Data security settings 15

Encryption of data at restAll sensitive data within the Network Configuration Manager application is encryptedduring transit (server-to-server, client-to-server) or in the database.

Enabling encryption for configuration data in the Device Server cacheBy default, configuration data is not encrypted in the Device Server cache. Add theCACHE_ENCRYPT attribute to the NCM Infrastructure Database to encrypt theconfiguration data. Note that enabling encryption only takes effect if there is a changein the configuration data (if a new Device Configuration State is created).

To enable the encryption, follow this procedure.

Procedure

1. Go to the [Product directory]/bin directory.

2. For Linux only, source the voyence.conf file. Type: source /etc/voyence.conf

3. Go to the [Product Directory]/cgi-bin/ directory.

4. Run one of these commands depending on where the Device Server resides:

l Application server: ./cflist.cgi > temp.txtl Remote Device server: ./cflist.cgi mode=pop > temp.txt

5. Open the temp.txt file and add the CACHE_ENCRYPT=1 attribute to the NCMInfrastructure Database.

For example:

POP 1000 "linbgz222.lss.emc.com"NetList= RsrcList= DevList= EmsList= :ADDR="10.31.151.222" AGE_DAYS=730 CLEANUP_DAYS=90 AD_ENABLE=0 AD_ARPCACHE=0 AD_DFLTROUTE=0AD_AUTO_RESOURCE=0AD_DEFAULT_POLL=0SNMP_TIMEOUT=500 SNMP_RETRY=3CM_DEBUGSESSION=0 SORTCONFIG=1 CM_MAXMAINTASKS=20 CM_PULLTIMER=1200 CUTTHRU_PULLTIMER=10 MAX_COMM_ATTEMPTS="5" CM_SMGR_CACHING_ENABLED=1 CM_SMGR_SESSION_TIMEOUT=60 CM_SMGR_SESSIONS_PER_DEVICE=4 AD_BATCHSIZE=1000 AD_NUMHOP=10 AD_TIMEOUT=10 AD_LOOPCNT=2 CM_NATTEDIP_LOOKUP=1 CACHE_ENCRYPT=1 CM_SYSLOGCONFIG="local1.*;local4.*;local7.*" RECORDVER="1.0"

6. Run the command: ./cfwrite.cgi < temp.txt7. Restart the vcmaster service. Use the command appropriate for the operating

system where [Product_Directory] is the directory where NetworkConfiguration Manager is installed:

l Linux: service vcmaster start



l Windows Server: [Product_Directory]\bin\ncmstart.bat

Security alert system settingsSecurity monitoring is possible in Network Configuration Manager through the use ofan optional integration adapter. The Network Configuration Manager SNMPIntegration Adapter allows the user to configure SNMP traps for a wide range ofevents in Network Configuration Manager.

EMC Smarts Network Configuration Manager Installation Guide provides moreinformation on the SNMP module.

SSL ciphers in TomcatCiphers are qualified in Network Configuration Manager by modifying the server.xmlfiles.

l [Product-directory]/ncmcore/conf/server.xmll /usr/tomcat/apache-tomcat-8.5.27/conf/server.xml

Ciphers qualifiedThe following ciphers are qualified in Network Configuration Manager 9.5.1.0 for the[Product-directory]/ncmcore/conf/server.xml file.

l RSA:!EXP:!NULL:+HIGH:+MEDIUM:-LOW

The following ciphers are qualified in Network Configuration Manager 9.5.1.0 forthe /usr/tomcat/apache-tomcat-8.5.27/conf/server.xml file.

l TLS_RSA_WITH_AES_128_CBC_SHA

l TLS_DHE_RSA_WITH_AES_128_CBC_SHA

l TLS_DHE_DSS_WITH_AES_128_CBC_SHA

l SSL_RSA_WITH_RC4_128_SHA

Global device security policyThis policy is intended to provide exclusive access to operational devices for certainprivileged Principals (users and groups). If a Principal is assigned permissions at thedevice level against a concrete device, the Principal (referred to as the primaryPrincipal) automatically claims exclusive access to the device. This means that otherPrincipals are not authorized to access this device, under any circumstances.

To assign a different set of permissions than the primary Principal, the notion of anabstract Principal called Others is introduced. The Others Principal is used torepresent the rest of the Principals that are not the primary Principal, and can be usedby the administrator to assign permissions (typically less effective privileges) on thedevice.

After a Principal is assigned explicit permissions on concrete devices, the permissionenforcement does not fall back to the network or system.


Security alert system settings 17

Secure deployment and usage settingsThis diagram illustrates the secure settings that affect the Network ConfigurationManager deployment.

Figure 1 Distributed deployment

Secure deployment settingsThe default security settings in Network Configuration Manager and recommendationsfor a high security configuration are provided in this topic.

Table 7 Secure deployment settings

Default setting Securedeploymentsetting

Pros of securedeploymentsetting

Cons of securedeploymentsetting

Instructions onhow to configuresecuredeploymentsetting

Applicationserver listens onboth secure andinsecure ports.

For best possiblesecurity betweenclient and server,block access tothe insecureports throughthe use of afirewall.

Provides highlevel ofprotection forthecommunicationbetween clientand server byavoiding the

Impact onperformance.

Install a firewallbetween theapplication serverand the clients (oron the applicationserver usingiptables).



Table 7 Secure deployment settings (continued)

tampering,spoofing, man inthe middle typeof attacks.

Note

Firewalls installedon a NetworkConfigurationManager servermust comply withthe list ofstandard NetworkConfigurationManager portsand protocols. Communicationsecurity settingson page 11

Note

Port 80 must notbe blocked on theloop back.

Self-signed SSLcertificate isused for clientconnections.

Purchase orgenerate atrusted SSLcertificate forclientconnections.

Client to serverconnections aretrusted, nowarnings duringlogin.

Certificate mayrequireadditionalfinancial cost.

Refer to theNetworkConfigurationManagerInstallation Guidefor instructions oninstalling SSLcertificates.

Default passwordis used formultipleaccounts.

Change alldefaultpasswordsimmediately afterinstalling theproduct.

Prevent accessto intruders.

Change theNetworkConfigurationManager, SystemManagementConsole, and JMXConsolepasswords. Referto the NetworkConfigurationManagerInstallation Guidefor instructions.


Secure deployment settings 19

Security patch managementThe components that require patch management are listed in this topic.

Table 8 Security patch management

Third-partycomponent forwhich patch isneeded

Frequency ofpatch

EMCresponsibility(Y/N)

Customerresponsibility(Y/N)

Reference toinstructions forapplying patch

Red HatEnterprise Linux

Daily No Yes Patchinstructionssupplied byvendor

Windows Server Daily No Yes Patchinstructionssupplied byvendor

Tomcat Quarterly Yes Yes Patches for thiscomponent willbe supplied in arelease or aservice pack.

PostgreSQL Quarterly Yes No Patches for thiscomponent willbe supplied in arelease or aservice pack.

Application security managementNetwork Configuration Manager provides administrative features to manage users,groups, and their memberships.

It is important to note that devices within the application are discovered as a part ofNetworks, which act as the top level containers. This approach supports ManagedService Provider environments.

Networks, in turn, can have sub-containers such as Sites, Views, and Workspaces. Asa result, Network Configuration Manager defines four primary security levels, basedon the scope of user access within the application. These levels play an important rolein the management of permissions in relation to the Principals.

Security levelsThe security levels are listed in order of increasing precendence.

l System - Controls scope globally (across all networks)

l Network - Controls scope within concrete networks

l Workspace - Controls scope within concrete workspaces

l Device - Controls scope within concrete devices.



The enforcement scope broadens when you move up a security level: Device' [Workspace] ' Network ' System. Note that the workspace level is only applicable forworkspace or design device related operations.

Permission levelsThe system level includes permissions that apply to generic system operations that donot concern a network, workspace, or device. The system level does not include anyconcrete resources, as it is meant for operations that are not related to networks,workspaces, or devices, and also for convenience as a fallback level during accesscontrol checks.

The network level includes permissions that apply to operations pertaining to anetwork, its sub-containers, and the devices within it.

The workspace level includes permissions that apply to operations pertaining to theworkspace and design devices, including virtual devices.

The device level includes permissions that apply to operations pertaining to the device.Permissions explicitly assigned at this level trigger the Global Device Security Policy.

Secured resourcesInstances of network, workspace, and device are considered secured resources andare managed under the network, workspace, and device levels, respectively.

The specific secured resources must be explicitly and individually associated to thePrincipal before permission assignment can be made for the Principal. Not explicitlyassociating a resource to the Principal is equivalent to the Principal having nopermission on that resource. Permissions can be assigned in two ways against theresources for the Principal.

Default permissionsAfter associating the desired set of resources with the Principal, you may assigndefault permissions to the entire set. This means each resource inherits the samepermissions.

This is convenient because the administrator does not have to assign the samepermission set to all the individual resources that have been associated to thePrincipal. Note that default permissions are not supported for the devices. The GlobalDevice Security policy section details this information.

Override permissionsIf specific overrides are desired on certain resources as exceptions to the defaultpermission, assign default permissions against each specific resource.

Avoiding exposure to passwordsSome of the Perl files under the $VOYENCE_HOME/conf/setup folder show thepasswords in clear text.

To avoid exposure to the passwords, you must remove the following files from the$VOYENCE_HOME/conf/setup folder, after the installation:

l AppServer.pl

l Common.pl


Permission levels 21

Security enforcement rulesPermissions are enforced by initiating the access check, and by anchoring at one ofthe security levels: device, network, workspace, or system. The choice of the securitylevel depends on the operation performed.

For instance, system level is selected for system operations, such as usermanagement operations; and network level is chosen for network-centric operations,such as modifying a network, managing views, viewing device details, and so on.

Enforcement at the network, workspace, and the device levels also requires an accesscontext, which involves the target concrete resource that is being accessed directly orindirectly by the user operation.

This helps in examining the permissions associated with that resource for the userattempting the access. Every service method enabling the user operation is securedby an interceptor that implements the appropriate access checks for the methods.

The access controller implements business logic to determine if the supplied Principalhas the correct privileges required for the service method.

Checking the NCM systemComplete the following steps for the system level check.

Procedure

1. Determine if the Principal has System Administrator permissions at the systemlevel. If yes, consider that Principal authorized, and return.

This check is an optimization from executing the rest of the checks.

2. Check if the required privileges are a subset of the permissions assigned to thePrincipal at the system level. If yes, consider the supplied Principal asauthorized, and return. If no, the supplied Principal is not authorized.

Checking the NCM networkComplete the following steps for the network level check.

Procedure

1. Determine if the Principal has System Administrator permissions at the systemlevel. If yes, consider that Principal authorized.


2. Identify the target concrete network from the access context.

3. Check if the network is explicitly associated to the Principal. If no, skip to step 8of this procedure.

4. Obtain overridden permissions for the Principal on the network, if configured. Ifthere are no overridden permissions, skip to step 6 of this procedure.

5. Check if the required privileges are a subset of the permissions assigned to thePrincipal, against the target workspace. If yes, consider the supplied Principalas authorized and return. If no, consider the supplied Principal is not authorized.

6. Obtain default permissions for the Principal on the network identified in step 2of this procedure, if any.



7. Check if the required privileges are a subset of the permissions assigned to thePrincipal, against the target workspace. If yes, consider the supplied Principalas authorized and return. If no, go to the next step.

8. Perform the system level checks. Checking the NCM system on page 22

Checking the workspaceComplete the following steps for the workspace level check.

Procedure



2. Identify the target concrete workspace from the access context.

3. Check if the workspace is explicitly associated to the Principal. If no, skip tostep 6 of this procedure.

4. Obtain overridden permissions for the Principal on the target workspace ifconfigured; if no overridden permissions exist, skip to step 7 of this procedure.

5. Check if the required privileges are a subset of the permissions assigned to thePrincipal, against the target workspace. If yes, consider the supplied Principalas authorized and return. If no, consider the supplied Principal as not authorizedand return.

6. Identify the containing network from the workspace from the access context.

7. Check if the network is explicitly associated to the Principal. If no, skip to step14 of this procedure.

8. Obtain overridden permissions for the Principal on the network if configured; ifno overridden permissions exist, skip to step 12 of this procedure.

9. Check if the required privileges are a subset of the permissions assigned to thePrincipal, against the target workspace. If yes, consider the supplied Principalas authorized and return. If no, go on to next step.

10. Obtain default permissions for the Principal on the target workspace if any.

11. Check if the required privileges are a subset of the permissions assigned to thePrincipal, against the target workspace. If yes, consider the supplied Principalas authorized and return. If no, continue on to next step.

12. Obtain default permissions for the Principal on the network identified earlier.

13. Check if the required privileges are a subset of the permissions assigned to thePrincipal, against the target workspace. If yes, consider the supplied Principalas authorized and return. If no, go on to next step.

14. Perform the system level checks. Checking the NCM system on page 22

Checking the deviceComplete the following steps for the device level check.

Procedure




Checking the workspace 23

2. Identify the target concrete device from the access context.

3. If the device is a Virtual Design device, skip to step 10 of this procedure.

4. Check if the device is explicitly associated to the Principal. If not, skip to step 7of this procedure.

The Global Device Security policy is now active. Obtain device permissions forthe Principal.

5. Obtain device permissions for the Principal.

6. Check if the required permissions are a subset of the permissions assigned tothe Principal in question, on the device. If yes, consider the supplied Principal asauthorized and return. If not, continue on to the next step.

7. Check if the device is explicitly associated to any other Principal. If not, skip tostep 10 of this procedure.

8. Obtain permissions on this device for the Others Principal.

9. Check if the required permissions are a subset of the permissions assigned tothe Others Principal on the device. If yes, consider the supplied Principal asauthorized, and return. If not, consider the supplied Principal as not authorized,and return.

10. If the device is a design device (copy of operational or just virtual), obtain thecontaining workspace. It the device is an operational device, skip to step 14 ofthis procedure.

11. Check if the workspace is explicitly associated to the Principal. If not, skip tostep 15 of this procedure.

12. Obtain overridden permissions for the Principal on the target workspace, ifconfigured. If there are no overridden permissions, skip to step 14 of thisprocedure.

13. Check if the required privileges are a subset of the permissions assigned to thePrincipal, against the target workspace. If yes, consider the supplied Principalas authorized and return. If not, consider the supplied Principal as notauthorized, and return.

14. Identify the containing network from the workspace if the device is a designdevice, or the primary network of the device.

15. Check if the network is explicitly associated to the Principal. If not, skip to step18 of this procedure.

16. Obtain overridden permissions for the Principal on the network if configured. Ifno overridden permissions exist, skip to step 18 of this procedure.

17. Check if the required privileges are a subset of the permissions assigned to thePrincipal, against the target workspace. If yes, consider the supplied Principalas authorized and return. If not, consider the supplied Principal as notauthorized, and return.

18. Obtain default permissions for the Principal on the target workspace if designdevice. If not design device, skip to Step 20 of this procedure

19. Check if the required privileges are a subset of the permissions assigned to thePrincipal, against the target workspace. If yes, consider the supplied Principalas authorized and return. If not, continue on to the next step.

20. Obtain default permissions for the Principal on the network identified earlier.

21. Check if the required privileges are a subset of the permissions assigned to thePrincipal, against the target workspace. If yes, consider the supplied Principalas authorized and return. If not, continue on to the next step.



22. Check the system.Checking the NCM system on page 22

Effects of group membershipUsers and Groups, in addition to the directly assigned permissions, inherit permissionsby virtue of their membership to another Group. Transitive memberships enablepermission inheritance beyond the direct parent group. Permissions of a Principal andparent groups, are additive when obtaining effective permissions for the Principal.

Under all circumstances user permissions override group permissions when the user isa member (immediate or transitive). This is possible when both the user and the grouphave overridden permissions on a secured resource.

Available permissionsPermissions may be set for system, network, workspace, or device.

System-level permissions are provided in this table:

Table 9 System permissions

System scope Permissions available

General l System Admin

l Override Credentials

l Manage Users/Groups

l Manage User Access

l Manage Data Field

l Manage Templates

l Manage Queries

l Manage Compliance Standards

l View Event Manager

Network l Create

Device l Manage OS

l Manage OS Inventory

Job l Schedule

l Approve

Network-level permissions are provided in this table:

Table 10 Network permissions

Network scope Permissions available

General l Override Credentials

l Manage User Access

l Manage Templates


Effects of group membership 25

Table 10 Network permissions (continued)

l Manage Queries

l Manage Compliance

Network l Edit

l Delete

l View

Device l Create

l Edit

l Assign Credentials

l View Details

l View Sensitive Data

l Manage OS

l Run Non-Scheduled

l Run Cut-through

Job l Schedule

l Approve

View l Create

l Edit

l Delete

Workspace l Create

l Edit

l Delete

l View

Device-level permissions are provided in this table:

Table 11 Device permissions

Device scope Permissions available

Device l Edit


l View Details

l View Sensitive Data

l Manage OS

l Run Non-Scheduled

l Run Cut-through



Table 11 Device permissions (continued)

Job l Schedule

l Approve

Workspace-level permissions are provided in this table:

Table 12 Workspace permissions

Workspace scope Permissions available

Workspace l Edit

l Delete

l View

Device l Create

l Edit


l View Details

l Manage OS

l Run Non-Scheduled

l Run Cut-through

Job l Schedule

l Approve

Using groups as rolesWhile Network Configuration Manager supports detailed security control on useraccess, it also has the ability to almost emulate role-based access through the use ofGroups.

A user role can easily be mapped to a Group, which can be assigned the appropriatepermissions to the existing concrete resources. The choice of concrete resourcesassists to restrict access to only those resources that are useful in Managed ServiceProvider environments.

Assigning roles to users and groups can be achieved by making them members of thegroup representing the role.

Note

After new concrete resources come into existence, they must be explicitly associatedto these role groups before they show the desired authorization behavior.


Using groups as roles 27

Security hardeningThis section provides instructions for hardening Network Configuration Manager afterinstallation.

Ensure all security patches recommended by the operating system vendor(s) areapplied. The instructions in this guide pertain only to the Network ConfigurationManager product and software installed by the product.

Pre-hardening requirementsBefore continuing with any of the hardening instructions, ensure NetworkConfiguration Manager has been installed with the default versions of third-partysoftware.

Stop the Network Configuration Manager services before completing the hardeningtasks. The EMC Smarts Network Configuration Manager Installation Guide provides moreinformation.

Stopping the Network Configuration Manager servicesIssue these commands to stop the Network Configuration Manager services.

Procedure

1. Use the command appropriate for the operating system where[Product_Directory] is the directory where Network ConfigurationManager is installed:

l Linux: service vcmaster stopl Windows Server: [Product_Directory]\bin\ncmstop.bat

Post-hardening requirementsAfter completing the hardening procedures, start the Network Configuration Managerservices.

Starting the Network Configuration Manager servicesIssue these commands to start the Network Configuration Manager services.

Procedure

1. Use the command appropriate for the operating system where[Product_Directory] is the directory where Network ConfigurationManager is installed:

l Linux: service vcmaster startl Windows Server: [Product_Directory]\bin\ncmstart.bat

Restricting the pgdba user from host level login for LinuxTo restrict the pgdba user from host level login privileges for Linux, complete thefollowing steps in the maintenance window:

Procedure

1. Log in to the NCM Report Advisor and NCM Application server hosts, as theroot user.



2. Run the following command on the NCM Report Advisor and Application Serverhosts:

source /etc/voyence.conf

3. Stop the Apache Tomcat service on the Report Advisor host, by running thefollowing command:

service tomcat stop

4. Stop all NCM services on the Application Server host, by running the followingcommand:

service vcmaster stop

5. If the NCM Database server is remote, run the following commands on theserver, as the root user:


service controldb stop

6. Run the following commands on the NCM Database server:

a. Run the following command in the Linux shell on the host where thecontroldb resides to back up appropriate files:cp -p /etc/init.d/controldb /tmp/_[etc-init.d-]controldb.bak

b. Update the pgdba user shell permissions, and then update the NCMcontroldb initialization script, to allow the correct controldb operation undera pdgba user with restricted shell privileges:sed -i 's/su - pgdba -c/su - pgdba -s \/bin\/bash -c/g' /etc/init.d/controldbcp -p /etc/passwd /tmp/passwd.bakusermod -s /sbin/nologin pgdba

c. Restart the system:reboot

7. If the NCM Database server is remote, start all the NCM services on theApplication server host, by running the following command:

service vcmaster start

8. Start the Apache Tomcat service on the Report Advisor host, by running thefollowing command:

service tomcat start

Note

After log in to the NCM GUI, if you do not see any device configuration data,then unlock the lockbox.

Restoring the pgdba user shell permissions back to defaultTo restore the pgdba user shell permissions back to default, complete the followingsteps:

Procedure

1. Log in to the NCM Report Advisor and NCM Application server hosts, as theroot user.


Restoring the pgdba user shell permissions back to default 29

2. Run the following command on the NCM Report Advisor and Application Serverhosts:


3. Stop the Apache Tomcat service on the Report Advisor host, by running thefollowing command:

service tomcat stop

4. Stop all the NCM services on the Application Server host, by running thefollowing command:

service vcmaster stop

5. If the NCM Database server is remote, run the following commands on theserver, as the root user:


service controldb stop

6. Run the following commands on the NCM Database server:

a. Run the following commands in the Linux shell on the host where thecontroldb resides, to restore the NCM controldb initialization script andpgdba user shell permissions:cat /tmp/_[etc-init.d-]controldb.bak > /etc/init.d/controldbusermod -s /sbin/nologin pgdba

b. Restart the system:reboot

7. If the NCM Database server is remote, start all NCM services on the ApplicationServer host, by running the following command:

service vcmaster start

8. Start the Apache Tomcat service on the Report Advisor host, by running thefollowing command:

service tomcat start

Securing port 1099In NCM 9.5.1 release, the JMX port 1099 has been made accessible from localhostonly and any access from remote host has been disabled. To enable the access to thisport from a remote host, the following steps need to be performed:

Procedure

1. Remove the following parameters from the /etc/init.d/ncm-as file:

l -Dcom.sun.management.jmxremote.port=1099l -Dcom.sun.management.jmxremote.host=127.0.0.1

2. Restart the ncm-as service.



Disabling HTTP ports in Tomcat servicesTo disable HTTP ports in Tomcat services, complete the following steps:

Procedure

1. Start the ncm-as service.

2. Open the /opt/ionix-ncm/ncmcore/conf/server.xml file.

3. Comment out the following section to remove the HTTP port reference:

<Connector port="8881" protocol="HTTP/1.1"^M connectionTimeout="20000"^M redirectPort="8880" /> ^M

4. Save the file.

5. Restart the ncm-as service.

Also, follow the above procedure (step 1-5) for Report Advisor and NCM MSA.

a. Edit the /usr/tomcat/apache-tomcat-8.0.23/conf/server.xmlfile to remove the HTTP port reference for 8080 -> 8443.

b. Edit the /opt/ionix-ncm/ncmmsa/conf/server.xml file to removethe HTTP port reference for 9180 -> 9443.

Note

Report Advisor and MSA service runs fine after disabling the HTTP port, and noother changes are required.

Enabling NCM client and API to use HTTPS portTo enable the NCM client and API to use HTTPS port, complete the following steps:

Procedure

1. Edit the following files:

l [root@<ncm-ip>:smarts-ncm]# find . -nameconfig.properties

l ./ncmcore/webapps/ws/WEB-INF/classes/config.propertiesl ./ncmcore/webapps/ncm-webapp/WEB-INF/classes/

config.propertiel ./ncmcore/webapps/ncm-webapp/samples/J2EE/conf/

config.properties

2. In the respective files, change the following to use HTTPS port.

cc.remoting.servlet.base=https://<ncm-ip>:8880/ncm-webapp/remoting/

3. Save the files.


Disabling HTTP ports in Tomcat services 31

Enabling NCM UI to use HTTPS portTo enable the NCM UI to use HTTPS port, complete the following steps:

Procedure

1. Edit the following files:

l -find . -name powerup.jnlpl ./ui/html/powerup.jnlpl ./webstart/ui/html/powerup.jnlpl ./ncmcore/webapps/voyence/powerup.jnlp

2. In the respective files, change the following to use HTTPS port.

<property name="jnlp.cc.remoting.servlet.base" value="https://$$hostname:8880/ncm-webapp/remoting/"/>

3. Save the files.

Third-party software hardeningThis section provides instructions for hardening third-party software used withNetwork Configuration Manager.

Java upgradesNetwork Configuration Manager is built to be specifically compatible with Java1.8.0_162 (JDK) for the Servers, and Java 1.8.0_162, or later, for clients.

Ensure you are using a release that is part of the 1.8.0 version. Java 1.8.0_162 (JDK) isprovided by default with Network Configuration Manager.

The following steps must be performed on each Application Server, Device Server,and Combination Server.

Upgrading Java on Windows Server

The following steps use jdk-8u-172 as an example and validated on Windows server2016. Replace the version in the examples with a newer version if applicable.

Procedure

1. Install the new version of Java.

2. Update the registry paths to the new version.

For example, for Windows Server 2016:

l HKEY_LOCAL_MACHINE\Software\Wow6432Node\Apache SoftwareFoundation\Procrun 2.0\Tomcat8\Parameters\Java\Jvm

l HKEY_LOCAL_MACHINE\Software\Wow6432Node\Apache SoftwareFoundation\Procrun 2.0\ncm-as\Parameters\Java\Jvm

l HKEY_LOCAL_MACHINE\Software\Wow6432Node\Apache SoftwareFoundation\Procrun 2.0\ncm-msa\Parameters\Java\Jvm



l HKEY_LOCAL_MACHINE\Software\Wow6432Node\Voyence\Control\Configuration\JAVA_HOME

l HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\JAVA_HOME

l HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NCM_Controldaemon\Parameters\JVM Library

l HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NCM_Transformer\Parameters\JVM Library

l HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NCM_Transformer\Parameters\JVM Option Number 0

3. Point ncm-as, ncm-msa, and Apache Tomcat services to the new java versionfor Java Virtual Machine under the java tab by using the following steps:

a. Open a command prompt and navigate to the $VOYENCE_HOME\ncmcore\bin directory, and then execute tomcat8w.exe //ES/ncm-as to changethe java path.

b. Open a command prompt and navigate to the $VOYENCE_HOME\ncmmsa\bin directory and then execute tomcat8w.exe //ES/ncm-msa to changethe java path.

c. Open a command prompt and navigate to the $TOMCAT_HOME\bindirectory, and then execute tomcat8w.exe //ES to change the java path.

4. Modify the $VOYENCE_HOME\tools\sshdaemon\conf\sshd-service.conf file to point to the new java version.

For example, wrapper.java.command=C:\Program Files\Java\jdk1.8.0_172\bin\java.

5. Modify the $VOYENCE_HOME\conf\setup\reportsadvisor.propertiesfile to point to the new java version.

For example, JAVA_INSTALL_DIR=C:\Program Files\Java\jdk1.8.0_172.JAVA_HOME=C:\Program Files\Java\jdk1.8.0_172.

6. Download the following jce jars from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html and place it in$JAVA_HOME\jre\lib\security:

l local_policy.jar

l US_export_policy.jar

7. Restart the Network Configuration Manager services when complete.

Upgrading Java on Linux

The following steps use jdk-8u-172 as an example. Replace the version in the exampleswith a newer version if applicable.

Procedure

1. Install the new version of Java.

2. Rename or delete the existing Java folder from the $VOYENCE_HOME directory.

3. Extract jdk-8u-172-linux-x64.tar.gz into the $VOYENCE_HOME/Java/directory.


Java upgrades 33

http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html


4. Change the ownership of the new Java directory and its contents toroot:voyence.

For example, chown -R root:voyence java.

5. Change the permissions of the new Java directory and its contents to 770.

For details, refer to the old java directory ownership and permissions.

6. Download the following jce jars from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html and place it in$JAVA_HOME/jre/lib/security:

l local_policy.jar

l US_export_policy.jar

7. Restart the Network Configuration Manager services when complete.

OpenSSL upgradesNetwork Configuration Manager is built to be compatible with specific versions ofOpenSSL.

If an older OpenSSL version is installed, please uninstall it before installing NetworkConfiguration Manager. Older versions of OpenSSL may have security vulnerabilities.

You must upgrade to a version that is compatible. For example,

l Windows: OpenSSL 1_0_2N or later

l Linux: Varies depending upon the version of operating system

n Upgrading OpenSSL on Linux (RHEL 7 or CentOS 7) on page 35

n Upgrading OpenSSL on Linux (RHEL 6.7 or CentOS 6.7 or later) on page 35

Use the latest minor versions of the specific versions listed, as recommended byRedHat or CentOS or OpenSSL.org.

Upgrade OpenSSL on each Application Server, Device Server, and CombinationServer.

Upgrading OpenSSL on Windows Server

OpenSSL for Windows requires the Microsoft Visual C++ 2008 runtime libraries to beinstalled. If those libraries are not already installed on the server, download and installthe Microsoft Visual C++ 2008 Redistributable Package (x86) from the Microsoftwebsite.

After performing a fresh install of NCM 9.5.1 or upgrading to NCM 9.5.1, upgrade theOpenSSL package to OpenSSL 1_0_2N, or the latest version recommended byOpenSSL Org.

The following steps are validated on Windows server 2012.

Procedure

1. Download the OpenSSL Win32 full installer, OpenSSL 1_0_2N, or the latestsecure version recommended by OpenSSL Org.

2. Stop vcmaster services.

3. Run the OpenSSL installer and upgrade the OpenSSL version.

When selecting an installation directory, choose the same directory whereOpenSSL is installed, for example, " C:\OpenSSL-Win32"





4. Copy the OpenSSL DLLs into the Windows system directory when prompted.

5. Restart vcmaster services.

Upgrading OpenSSL on Linux (RHEL 7 or CentOS 7)You must run a version of OpenSSL that is compatible with Network ConfigurationManager. You must upgrade to a secure version or to the latest available version.

The NCM installer performs a prerequisite software check for OpenSSL 1.0.x. If alower version of OpenSSL is present, the NCM installer stops. You must upgradeOpenSSL manually to the recommended version before the installation can proceed.

RHEL 7 OS image may come with an unsecure OpenSSL version. Follow thisprocedure when upgrading to the secure OpenSSL version.

Procedure


2. Upgrade OpenSSL manually to the RedHat recommended version(openssl-1.0.1e-60.el7_3.1.x86_64 or later) using the yum package-management utility.

3. After all the changes, restart vcmaster services.

Upgrading OpenSSL on Linux (RHEL 6.7 or CentOS 6.7 or later)You must run a version of OpenSSL that is compatible with Network ConfigurationManager. You must upgrade to a secure version or to the latest available version.

The NCM installer performs a prerequisite software check for OpenSSL 1.0.x. If alower version of OpenSSL is present, the NCM installer stops. You must upgradeOpenSSL manually to the recommended version before the installation can proceed.

RHEL 6.7 (or later) OS image may come with an unsecure OpenSSL version. Followthis procedure when upgrading to the secure OpenSSL version.

Procedure


2. Upgrade OpenSSL manually to the RedHat recommended version(openssl-1.0.1e-48.el6_8.1.x86_64 or later) using the yum package-management utility.

3. After all the changes, restart vcmaster services.

Disabling zlib compression on Linux platformOpenSSL enables zlib compression by default for versions starting with 0.9 for bothclients and servers. This leads to security vulnerability. You have to disable the zlibcompression to avoid this vulnerability.

Procedure

1. Edit the http file. For example, edit vi /etc/sysconfig/httpd2. Add the line, OPENSSL_NO_DEFAULT_ZLIB=13. Restart the service. For example, service httpd restart


OpenSSL upgrades 35

Apache Tomcat Server upgradesThe Apache Tomcat Server can be upgraded to the latest version, for example 8.5.27.

Note

The following steps must be performed on each Application Server, Device Server,and Combination Server.

Upgrading the Apache Tomcat Server on Windows ServerYou must run a version of Apache Tomcat Server that is compatible with the olderversion of Apache Tomcat Server used by Network Configuration Manager.

The following steps use Tomcat 8.5.31 as an example and validated on Windows server2016. Replace the version in the examples with a newer version if applicable.

Procedure

1. Stop the Apache Tomcat service.

2. Back up the webapps and conf folders from the [Tomcat Home] directory,where [Tomcat Home] is the directory where Tomcat is installed (forexample, C:\Tomcat8).

Also, back up the web folder from the $VOYENCE_HOME directory.

3. Download the Core Windows Service Installer binary distribution of ApacheTomcat Server 8.5.31 from http://tomcat.apache.org/.

4. Stop the Apache Tomcat service, if it is running.

5. Delete the Tomcat8 service by using the following steps:

a. Open a command prompt window.

b. Type sc delete Tomcat86. Uninstall the existing Apache Tomcat.

7. Run the Apache Tomcat Server installer.

a. When selecting the java virtual machine path, point to latest jdk path insteadof jre, for example, C:\Program Files\Java\jdk1.8.0_172.

b. When selecting the installation directory, choose the same directory wherethe original Tomcat8 was installed, for example, C:\Tomcat8.

8. Stop the Apache Tomcat service after the installer completes.

9. Restore the backed up webapps and conf folders to the [Tomcat Home]directory and the web folder to the $VOYENCE_HOME directory.

10. Open a command prompt and navigate to the $TOMCAT_HOME\bin directory:

a. Execute Tomcat8w.exe //ES/Tomcat8.

b. On the Properties window, under the Java tab, in the Java Options section,add the following parameters if they do not exist.

l -XX:NewRatio=2l -XX:+DisableExplicitGCl -XX:+HeapDumpOnOutOfMemoryErrorl -XX:+UseConcMarkSweepGC



http://tomcat.apache.org/

l -XX:+CMSPermGenSweepingEnabledl -XX:+CMSClassUnloadingEnabledl -XX:MetaspaceSize=256ml -XX:MaxMetaspaceSize=256ml -Dcom.sun.management.jmxremote.port=3000l -Dcom.sun.management.jmxremote.authenticate=truel -Dcom.sun.management.jmxremote.ssl=falsel -Dcom.sun.management.jmxremote=truel -Dcom.sun.management.jmxremote.access.file=C:

\Tomcat8\conf\jmxremote.accessl -Dcom.sun.management.jmxremote.password.file=C:

\Tomcat8\conf\jmxremote.passwordl -Dweb.socketTimeout=1800000

Note

Change the $TOMCAT_HOME directory if it is different from C:\Tomcat8.

11. Check the jmxremote.password file permission.

Only Administrator can have the Read permission. Others such as SYSTEM andUSERS permission need to be removed.

Follow these steps to remove permissions for others and retain only Readpermission for Administrator:

l icacls jmxremote.password /remove:g SYSTEMl icacls jmxremote.password /remove:g USERSl icacls jmxremote.password /inheritance:r /grant:r

Administrators:(R)

12. Start the Apache Tomcat service.

Upgrading the Apache Tomcat Server on LinuxYou must run a version of Apache Tomcat Server that is compatible with the olderversion of Apache Tomcat Server used by Network Configuration Manager.

The following steps use Tomcat 8.5.31 as an example. Replace the version in theexamples with a newer version if applicable.

Procedure

1. Download the binary Core tar.gz distribution of Apache Tomcat Server 8.5.31from http://tomcat.apache.org/.

2. Extract the Tomcat 8.5.31 tar.gz archive into the /usr/tomcat directory.For example, gtar -zxvf apache-tomcat-8.5.31.tar.gz

3. Stop the Apache Tomcat service, if it is running. For example, service tomcatstop


Apache Tomcat Server upgrades 37

http://tomcat.apache.org/

4. Edit the /etc/voyence.conf file and modify the TOMCAT_HOME= line topoint to the new Tomcat directory. Change the TOMCAT_HOME line as shownbelow:

# Tomcat settingsTOMCAT_HOME=/usr/tomcat/apache-tomcat-8.5.31

5. Save and close the /etc/voyence.conf file.

6. Edit the /etc/passwd file and modify the home directory for the tomcat userto point to the new Tomcat directory.

tomcat:x:500:501:Tomcat Server:/usr/tomcat/apache-tomcat-8.5.31:/sbin/nologin

7. Copy the server.xml and tomcat-users.xml files from the old [TomcatHome]/conf directory to the new [Tomcat Home]/conf directory.

For example, cp -f apache-tomcat-8.5.27/conf/server.xml apache-tomcat-8.5.31/conf/server.xml

For example, cp -f apache-tomcat-8.5.27/conf/tomcat-users.xmlapache-tomcat-8.5.31/conf/tomcat-users.xml

8. Copy the old /usr/tomcat/apache-tomcat-8.5.27/.bash_profile tothe new tomcat location.

For example, cp -p /usr/tomcat/apache-tomcat-8.5.27/.bash_profile /usr/tomcat/apache-tomcat-8.5.31/.bash_profile

9. Edit the following parameters in /usr/tomcat/apache-tomcat-8.5.31/.bash_profile to point to the new Tomcat directory:

For example, -Dcom.sun.management.jmxremote.access.file=/usr/tomcat/apache-tomcat-8.5.31/conf/jmxremote.accessFor example, -Dcom.sun.management.jmxremote.password.file=/usr/tomcat/apache-tomcat-8.5.31/conf/jmxremote.password

10. Copy the jmxremote.access and jmxremote.password files from the old[Tomcat Home]/conf directory to the new [Tomcat Home]/confdirectory.

For example, cp /usr/tomcat/apache-tomcat-8.5.27/conf/jmxremote.access /usr/tomcat/apache-tomcat-8.5.31/conf/For example, cp /usr/tomcat/apache-tomcat-8.5.27/conf/jmxremote.password /usr/tomcat/apache-tomcat-8.5.31/conf/

11. Change the ownership of the jmxremote.access and jmxremote.password files.

For example, chown tomcat:tomcat jmxremote.accessFor example, chown tomcat:tomcat jmxremote.password

12. Copy the contents of the old [Tomcat Home]/webapps directory to the new[Tomcat Home]/webapps directory.

For example, execute this command, cd /usr/tomcat/apache-tomcat-8.5.27/webapps



And, then execute this command, cp -prf * /usr/tomcat/apache-tomcat-8.5.31/webapps/

13. Change the ownership of the new Tomcat directory and its contents totomcat:tomcatFor example, chown -R tomcat:tomcat apache-tomcat-8.5.31

14. Move the old tomcat to tomcat.old:

For example, mv apache-tomcat-8.5.27 apache-tomcat-8.5.27.old

15. Modify the TOMCAT_INSTALL_DIR and TOMCAT_HOME in thereportadvisor.properties file:

cd $VOYENCE_HOME/conf/setup/vi reportsadvisor.propertiesusermod -d /usr/tomcat/apache-tomcat-8.5.31 tomcat

16. Change the following lines to reflect the new tomcat version:TOMCAT_INSTALL_DIR=/usr/tomcat/apache-tomcat-8.5.31 andTOMCAT_HOME=/usr/tomcat/apache-tomcat-8.5.31

17. Save and close the reportadvisor.properties file.

18. Run the following command to reflect the new tomcat version:

usermod -d /usr/tomcat/apache-tomcat-8.5.31 tomcat

19. Start tomcat.

For example, Service tomcat start

Web Services hardeningThis section provides instructions for hardening web services used with NetworkConfiguration Manager.

Apache HTTP Server hardeningThe Apache HTTP Server settings can be adjusted to harden the security of theserver.

Adjust the hardening settings on each Application Server, Device Server, andCombination Server.

Removing the Group Write Bit from the Document Root DirectoryThe following steps will remove the group writable bit from the Apache HTTP Serverdocument root directory.

The following steps only apply to Linux.

Procedure

1. Change directories to [Product_Directory]/ui, where[Product_Directory] is the directory where Network ConfigurationManager is installed.

2. Run the following command using root privileges, chmod -R g-w,o-w html


Web Services hardening 39

Apache Tomcat Server hardeningThe Apache Tomcat Server settings can be adjusted to harden the security of theserver.

Removing the Default Web ApplicationsThe following steps will remove the documentation, examples, and managementinterface from the Tomcat web server. None of these are required for NetworkConfiguration Manager to operate.

The following steps must be performed on each Application Server and Device Server.

Procedure

1. Change directories to [Tomcat Directory]/webapps, where [TomcatDirectory] is the directory where Apache Tomcat is installed.

2. Delete the following directories, if they exist:

l balancer

l jsp-examples

l ROOT

l DOCS

l webdev

Communication hardeningThis section provides instructions for hardening communication services used withNetwork Configuration Manager.

Hardening the EMC Smarts Network Configuration Manager IntegrationAdapter for Smarts Manager

You can encrypt communications between the EMC Smarts Network ConfigurationManager Integration Adapter for Smarts Manager and the EMC Smarts programs.

You must configure communication settings for:

l Each instance of Service Assurance Manager and IP Availability Manager in theenvironment

l The Tomcat server in the Network Configuration Manager environment

Procedure

1. Go to the BASEDIR/smarts/local/conf directory of the Service Assuranceor IP Availability Manager whose communications you want to encrypt.

2. Open the runcmd_env.sh script.

3. Set the SM_INCOMING_PROTOCOL variable to SM_INCOMING_PROTOCOL=1,04. Set the SM_OUTGOING_PROTOCOL variable to SM_OUTGOING_PROTOCOL=1,05. Restart the EMC Smarts services in order for the changes to take effect.



6. Repeat this process for each instance of Service Assurance Manager and IPAvailability Manager that requires encrypted communication.

Enabling encryption for NCM Integration Adapter for EMC SmartsEnable the Network Configuration Manager Integration Adapter for EMC Smarts tosupport encrypted communication.

Procedure

1. Open the Tomcat file, /etc/init.d vc-smarts2. Type these lines after the CATALINA_HOME variable assignment:

#-------------------------# Enable Smarts EncryptionJAVA_OPTS="$JAVA_OPTS -Dcom.smarts.outgoing_protocol=1"export JAVA_OPTS#-------------------------

3. Restart Tomcat.

Troubleshooting and getting helpEMC support, product, and licensing information can be obtained as follows:

Product information — For documentation, release notes, software updates, orinformation about EMC products, go to EMC Online Support at: https://support.emc.com

Technical support — Go to EMC Online Support and click Service Center. You will seeseveral options for contacting EMC Technical Support. Note that to open a servicerequest, you must have a valid support agreement. Contact your EMC salesrepresentative for details about obtaining a valid support agreement or with questionsabout your account.


Troubleshooting and getting help 41

http://support.emc.com

http://support.emc.com

emc smarts network configuration manager security ...€¦ · emc® smarts® network configuration...

Documents