    Security Maintenance

    This chapter describes a variety of security maintenance features implemented on the storage system.

    Secure maintenance

    The storage system provides the following secure functions for performing remote system maintenance and update tasks:

    • License activation
    • Software upgrade
    • Software hotfixes

    License update

    The license update feature allows users to obtain and install licenses for specific storage system functionality. Table 1 shows security features that are associated with the license update feature.

    Table 1. License update security features
    Process | Security
    --------|---------
    Obtaining licenses from the EMC Online Support website | License acquisition is performed from within an authenticated session on the EMC Online Support website.
    Receiving license files | Licenses are sent to an email address specified within an authenticated EMC Online Support website transaction.
    Uploading and installing licenses through Unisphere client to the storage system | License file uploads to the storage system occur within Unisphere sessions authenticated through HTTPS. The storage system validates received license files using digital signatures. Each licensed feature is validated by a unique signature within the license file.
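
    The per-feature validation in the last row of Table 1 can be illustrated with the following added example, which is not code from the storage system or its vendor. The entry layout, the field names, the feature names, and the choice of Ed25519 are all assumptions, since this chapter does not describe the license file format or signature algorithm. It shows that an entry edited after signing, or carrying a signature copied from another feature, is rejected without affecting the intact entry.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
)

// Feature is one licensed-feature entry (hypothetical layout, not the real format).
type Feature struct {
	Name, Expires string
	Sig           string // base64 Ed25519 signature over signedBytes(f)
}

// signedBytes is the byte string a signature covers; %q keeps fields unambiguous.
func signedBytes(f Feature) []byte {
	return []byte(fmt.Sprintf("feature=%q expires=%q", f.Name, f.Expires))
}

// sign plays the issuer's role so the sample data can be built offline.
func sign(priv ed25519.PrivateKey, f Feature) Feature {
	f.Sig = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, signedBytes(f)))
	return f
}

// ValidFeatures returns the names of entries whose own signature verifies.
func ValidFeatures(pub ed25519.PublicKey, feats []Feature) []string {
	var ok []string
	for _, f := range feats {
		sig, err := base64.StdEncoding.DecodeString(f.Sig)
		if err == nil && ed25519.Verify(pub, signedBytes(f), sig) {
			ok = append(ok, f.Name) // a failed entry is skipped, others are unaffected
		}
	}
	return ok
}

// Demo builds a constructed license with one intact and two invalid entries.
func Demo() []string {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed test key
	pub := priv.Public().(ed25519.PublicKey)
	a := sign(priv, Feature{Name: "FEATURE_A", Expires: "2030-01-01"})
	b := sign(priv, Feature{Name: "FEATURE_B", Expires: "2030-01-01"})
	b.Expires = "2099-01-01" // edited after signing
	c := Feature{Name: "FEATURE_C", Expires: "2030-01-01", Sig: a.Sig} // signature copied from A
	return ValidFeatures(pub, []Feature{a, b, c})
}

func main() { fmt.Println(Demo()) }
```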

    Software upgrade

    The storage system software update feature allows users to obtain and install software for upgrading or updating the software running on the storage system. Table 2 shows security features that are associated with the storage system software upgrade feature.

    Table 2. Software upgrade security features
    Process | Description
    --------|------------
    Downloading storage system software from the EMC Online Support website | License acquisition is performed from within an authenticated session on the EMC Online Support website.
    Uploading storage system software | Software upload to the storage system occurs within an authenticated Unisphere session through HTTPS.

    EMC Secure Remote Services for your storage system

    The EMC Secure Remote Services (ESRS) feature provides your authorized service provider with remote access capabilities to your storage system using a secure and encrypted tunnel. For outbound access, the storage system management IP network must allow outbound and inbound HTTPS traffic. The secure tunnel that ESRS establishes between the storage system device and authorized systems on the Support Center network can also be used to transfer files out to the storage system or transfer files back to the Support Center’s network.

    Two remote service options are available by which to send storage system information to the Support Center for remote troubleshooting:

    • Centralized ESRS Virtual Edition (VE)
    • Integrated ESRS (physical deployments only)

    Centralized EMC Secure Remote Services

    Centralized ESRS runs on a gateway server. When you select this option, your storage system is added to other storage systems in an ESRS cluster. The cluster resides behind a single common (centralized) secure connection between Support Center servers and an off-array ESRS Gateway. The ESRS Gateway is the single point of entry and exit for all IP-based ESRS activities for the storage systems associated with the gateway.

    The ESRS Gateway is a remote support solution application that is installed on one or more customer-supplied dedicated servers. The ESRS Gateway functions as a communication broker between the associated storage systems, Policy Manager (optional) and proxy servers (optional), and the Support Center. Connections to the Policy Manager and associated proxy servers are configured through the ESRS Gateway interface, which also provides the add (register), modify, delete (unregister), and query status capabilities that ESRS clients can use to register with the ESRS Gateway.

    For more information about ESRS Gateway and Policy Manager, go to the EMC Secure Remote Services product page on EMC Online Support (https://support.emc.com).

    Integrated EMC Secure Remote Services (physical deployments only)

    Note: This feature may not be available in your implementation.

    Integrated ESRS runs directly on your storage system. When you select this option, your storage system sets up a secure connection between itself and Support Center servers. The Integrated remote service option can be configured as either outbound only or outbound/inbound, which is the default. The outbound only configuration enables remote service connectivity for remote transfer from the storage system to the Support Center. The outbound/inbound configuration enables remote service connectivity for remote transfer both to and from the Support Center. When the outbound/inbound configuration option is selected, the connection from the storage system to an optional Policy Manager and any associated proxy servers must be configured through either Unisphere or the CLI.