AppSync 4.0 Security Configuration Guide
AppSync 4.0 Security Configuration Guide
AppSync 4.0 Security Configuration Guide
Version 4.0
Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED
IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.
Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property
of their respective owners. Published in the USA.
Dell EMC
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.DellEMC.com
Tables 5
Preface 7
1 Typographical conventions..................................................................................................7
2 User views from the Dashboard.........................................................................................13
3 User Views from the Service Plan Console........................................................................ 14
4 Data Admin Copy Management operations ....................................................................... 14
5 ACL behavior with SQL Server databases......................................................................... 15
6 ACL behavior with Exchange............................................................................................. 16
7 ACL rules for Oracle.......................................................................................................... 16
8 ACL rules for VMWare Datastores.....................................................................................16
9 ACL behavior with File systems ........................................................................................ 17
10 Port requirements............................................................................................................. 19
11 LDAP server settings........................................................................................................ 24
12 User settings.....................................................................................................................24
13 Roles and permissions.......................................................................................................30
As part of an effort to improve its product lines, Dell EMC periodically releases revisions of its
software and hardware. Therefore, some functions described in this document might not be
supported by all versions of the software or hardware currently in use. The product release notes
provide the most up-to-date information on product features.
Contact your Dell EMC technical support professional if a product does not function properly or
does not function as described in this document.
Note: This document was accurate at publication time. Go to https://support.emc.com to
ensure that you are using the latest version of this document.
Purpose
This document is part of the AppSync documentation set, and includes security information.
Audience
This guide is intended for use by customers and service providers to install and configure AppSync.
Related documentation
The following publications provide additional information:
l AppSync User and Administration Guide
l AppSync Installation and Configuration Guide
l AppSync Release Notes
Special notice conventions used in this document
Dell EMC uses the following conventions for special notices:
DANGER Indicates a hazardous situation which, if not avoided, will result in death or serious
injury.
WARNING Indicates a hazardous situation which, if not avoided, could result in death or
serious injury.
CAUTION Indicates a hazardous situation which, if not avoided, could result in minor or
moderate injury.
NOTICE Addresses practices not related to personal injury.
Typographical conventions
Dell EMC uses the following type style conventions in this document:
l System code
l System output, such as an error message or script
l Pathnames, filenames, prompts, and syntax
l Commands and options
l Introduction........................................................................................................................... 12
l Access Control overview........................................................................................................12
l Set logging level and data expiration time.............................................................................. 18
l Communication security settings........................................................................................... 19
l Add AppSync host plug-in (inbound) firewall rule..................................................................26
l Configure NginX for AppSync agent service..........................................................................27
l Security alert system settings............................................................................................... 29
l Other security settings..........................................................................................................30
Introduction
This section provides an overview of the settings available in the product to ensure secure
operation of the product
Security settings are split into the following categories:
l Access control setting describes settings available to limit access by end-user or by external
product components.
l Communication security settings describe settings related to security for the product network
communications.
l Data security settings describe settings available to ensure protection of the data handled by
the product.
l Log settings describe settings related to the logging of events.
l Security alert system settings describe settings related to sending security alerts and
notifications for the security-related events.
l Other security considerations describe security settings that may not fall in one of the previous
sections.
l Child application objects inherit any ACL applied to the parent. Review the following behavior
of the parent/child ACL model:
n When children are discovered they inherit the parent ACL.
n Users can be added to the ACL of a specific child.
n A child user can see the parent even if that user is not on the parent ACL. The child user
cannot perform any operations on the parent other than navigate (read-only access).
l Only Data Administrators who have the ACL Manager role have authority to grant or revoke
ACLs.
l Data Administrators without ACL Manager privilege can only view a service plans to
applications that they can access.
l Roles are cumulative. You gain all entitlements for each role to which you belong.
Service Plan Administrator View all report data and all alerts. ACLs do not
affect the role.
Data Administrator plus ACL Manager role Same view as the Service Plan Administrator
user.
Tab Affect
The following table lists possible operations that a Data Administrator can perform from the Copy
Management tab of the console.
SQL Server has a unique user database node that allows ACLs. This affects you only if
you have access to a contained database that is also covered by a subscription to the
user database. Although you can view a database and its subscription, you might not
be able to run the plan if the database subscription was made at the user database
level.
This occurs because a service plan subscription at that level behaves differently. For
example, the run discovers and protects new databases and since those databases
inherit the parent ACLs, users that can run the parent service plan must also be
included in the SQL Server Instance ACL.
a. User cannot run the service plan subscribed at the "user databases" level.
VM Datastores No NONE
4. In the Alerts and Report Data Expiration section, specify the amount of time to keep alerts
and report data in the following fields:
l Keep alerts for - specify a value and select the desired time period from the following
options:
n days
n weeks
n months
l Keep report generation data for - specify a value and select the desired time period
from the following options:
n days
n weeks
n months
5. Alternatively, you can click RESET ALL TO DEFAULT to restore the default values.
6. Click APPLY.
VMAX V2 l 5989
l Protocol: TCP to
Port
VMAX3/PowerMAX l 8443
l Protocol: HTTPs
VPLEX l 443
l Protocol: https
Unity l 443
l Protocol: TCP to
Port
to the AppSync
Windows host
plug-in.
to the AppSync
server).
l 5455: This port is
used by the
internal JMS
remoting service
(internal to the
AppSync server).
l 5432: This port is
used for
communication
between
Postgres SQL
and the AppSync
server.
Protocol: TCP to Port
In order to enable communication on TLS v1.2 only, you must install the latest Microsoft ODBC
Driver for SQL Server with qualified versions 11, 13, 13.1, and 17. You can specify your preferred
ODBC driver for connecting to SQL Instance using the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\EMC\AppSync]
"CC_SQL_SERVER_ODBC_DRIVER"="ODBC Driver 17 for
SQL Server"
For communication between AppSync server and Unix agent plug-in, JSCH 0.1.53 bundled with
AppSync Server and any OpenSSH version available on the agent host OS by default is used.
For communication between AppSync server and storage arrays, HTTPS is used along with TLS
v1.2. All REST requests or communications with the AppSync server use TLS v1.2.
LDAP configuration
For secure communications to occur between two networked entities such as AppSync and an
LDAP server, one entity must trust (that is, accept the certificate from) the other.
Networked entities that exchange data use certificates to authenticate each other.
When the certificate of an LDAP server is accepted or validated, AppSync records that certificate
as trusted. This ensures that AppSync trusts the LDAP server for subsequent connections.
You can choose to bypass certificate verification; however, you should do so only when you are
sure that AppSync is connecting to the correct LDAP server. If you bypass the certificate
verification process, AppSync cannot guarantee a secure connection with the LDAP server.
Note: OpenLDAP is not supported with AppSync.
5. Click Apply.
Setting Description
Authority Name Fully-qualified domain name that represents the root of the LDAP
directory tree. Use a period-separated format similar to that used in
DNS. This is translated to X.509 format. For example, ldap.emc.com is
translated to the X.509 format dc=ldap,dc=emc,dc=com.
Note: The domain name must not contain special characters. Refer
to Refer to KB Article 90380 available on the Dell EMC Support
website. Additionally, exceptions to the special characters rule
contained in MicroTsoft Article 909264 "Naming conventions in
Active Directory for computers, domains, sites, and OUs " do not
apply as stated in this article and should not be used in host names.
One value only.
LDAP Server IP address, hostname, or FQDN of the primary directory server to use
for authentication. The value you specify depends on the format of the
subject field entry in the directory server's certificate; typically this
requires a hostname. One value only.
Port Port number used by the directory server for LDAP communications. By
default, LDAP uses port 389 and LDAPS uses port 636.
Use LDAPS Select this option to use LDAPS for securing communication.
Protocol
Distinguished Name Indicates the administrator user who has privileges to connect to LDAP
for authentication. The DN can be expressed in Down-Level Logon
Name, User Principle Name, or RDN format. For example, if the fully
qualified domain name is mycompany.com, the DN can be expressed as,
mycompany\administrator, [email protected] or
cn=administrator,cn=users,dc=mycompany,dc=com.
Certificate File File containing the SSL certificate issued from the AD server, required
to enable SSL communications to the AD server.
Note: You must manually copy the certificate file to the AppSync
server.
User settings
Specific settings are required to set up access to LDAP.
Setting Description
User ID Attribute Name of the LDAP attribute whose value indicates the user ID (for
example, sAMAccountName).
Setting Description
User Object Class LDAP object class for users (for example, user in Active Directory).
User Search Path Path to search for users on the directory server, for example, cn=users,
dc=mycompany, dc=com
Note:
l LDAP users must be registered in AppSync.
3. Convert the TPA certificate and private key into a keystore file using OpenSSL. You might
have to install OpenSSL, if you are a Windows user.
4. From the command prompt, type the following command to delete the existing alias from
the AppSync keystore:
5. From the command prompt, type the following command to import the new keystore file to
the AppSync keystore:
<AppSync-installation>\jboss\_jre\bin\keytool -importkeystore -
deststorepass changeit -destkeypass changeit -destkeystore <AppSync-
installation>\jboss\standalone\configuration\cas.jks -srckeystore
<keystore-name> -srcstoretype PKCS12 -srcstorepass <source-keystore-
password> -alias appsync
6. From the command prompt, type the following command to import the new certificate to
the Java keystore:
7. Start the EMC AppSync Security Server service and the EMC AppSync Server service.
8. If import fails, do the following:
a. Copy the backed up cas.crt and cas.jks files to the original location (<AppSync-
installation>\jboss\standalone\configuration).
b. Start the AppSync services.
6. Right-click the AppSync Host Plug-in (Inbound) rule, and select Properties.
The AppSync Host Plug-in (Inbound) Properties dialog appears.
7. Click Scope and select These IP addresses under Remote IP address.
8. Click Add to specify the AppSync server address.
Alternatively, you can use the command line interface to create your own AppSync host
plug-in (inbound) firewall rule.
For example, if the AppSync server IP address is 10.247.182.163 and the AppSync agent port
is 10004, type the following command:
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
stream {
upstream stream_backend {
server 127.0.0.1:10005;
}
server {
listen 10004;
proxy_pass stream_backend;
allow 10.247.172.240;
deny all;
}
}
In this scenario, the AppSync server IP address is 10.247.172.240 and the AppSync agent is
listening on port 10004. Stream is an NginX directive, and by default listens to the TCP
protocol. AppSync listens to AppSync agent port 10004, and redirects the request to
another free port (for example, 10005).
stream {
upstream stream_backend {
server 127.0.0.1:10005;
}
server {
listen 10004;
proxy_pass stream_backend;
You can use the NginX directive allow to specify the IP address of the AppSync server or
any other server that must contact port 10004. You can use the deny directive to deny
requests from all other machines.
4. After you modify the configuration (nginx.conf) file, open command prompt and navigate
to the NginX install location and type the following command to reload the NginX
configuration file:
nginx –s reload
c. Click Allow another app, and browse to the install location to add NginX.
d. Select the nginx.exe file and click Open.
e. Click Add.
The NginX application is added to the Windows firewall.
6. Configure the AppSync agent.
a. Update the AppSync agent with the port to which NginX redirects requests from the
AppSync server.
a. Run regedit.msc.
b. Go to HKEY_Local_Machine> Software> EMC> AppSync.
c. Modify the CC_DEFAULT_PORT key to the redirected port.
b. From the command prompt, type the following command to create a firewall rule to block
connections on port 10005 from other servers:
3. Alternatively, you can click RESET ALL TO DEFAULT to restore the default values.
4. Click Apply.
To validate the settings, click SEND TEST EMAIL, enter the recipient's email address and
then click OK. The recipient's mailbox should receive a test email from AppSync.
3. Select Notify Service Plan Success to receive notifications on the successful completion
of service plans.
4. Select Notify For On Demand Success to receive notifications on the completion or failure
of on-demand jobs.
5. Click APPLY.
User management
You can set up AppSync to have multiple users. Each user can be assigned one or more roles that
correspond to their responsibilities and requirements.
You can create users that are local to AppSync, and optionally add LDAP users.
Role Permissions
Role Permissions
l Data Administrator
l Resource Administrator
l Security Administrator
l ServicePlan Administrator
If you want to assign an ACL Manger role to another user, select Data Administrator, and
then click Enable ACL Management. ACL Managers must also be assigned the Data
Administrator role.
Note: If you want to assign yourself as an ACL Manager, assign the Data Administrator
role first, log out and then log in again.
5. Click OK.
5. Click OK.
Modifying a user
You can add or remove a user and change a user's role and password.
Before you begin
This operation requires the Security Administrator role in AppSync.
Procedure
1. Select Settings > User and Roles.
2. Select the username to modify and choose an action from the available buttons: ADD,
REMOVE, RESET PASSWORD, or CHANGE ROLE.
If you want to change your role to enable the ACL Manager Role check Enable ACL
Management in the Change Role page. Also select the Data Administrator role as this role
is required to obtain ACL Manager permissions.