
PowerProtect Data Manager 19.11 Security Configuration Guide

June 2022 Rev. 01

Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2016 - 2022 Dell Inc. or its subsidiaries. All rights reserved. Dell Technologies, Dell, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

Contents

Tables
Disclaimer
Preface

Chapter 1: Introduction
  About this guide
  Introducing the PowerProtect Data Manager software
  Supported Internet Protocol versions
  Managing authentication and authorization
  Roadmap

Chapter 2: Authentication
  Component access control
  Log in to PowerProtect Data Manager
  Log in to the PowerProtect Data Manager REST API
  User and credential management
    Preloaded accounts and default credentials
    Common password policy
    Managing local identity provider users
    Configure password complexity and expiration
  Login security settings
    Configure failed UI login behavior
    Operating system expired password behavior
    Operating system expired password impacts
  Authentication types and setup
  Identity providers
    Managing external identity providers
    Configure an external identity provider
    Edit an external identity provider
    Delete an external identity provider
    Example: configuring an AD identity provider
    Example: configuring an LDAP identity provider
    Troubleshooting LDAP configuration issues
  Authentication to external systems
    Credential security
    Remote component authentication
    Protection engine and Search Engine node authentication

Chapter 3: Authorization
  Default authorizations
  External authorization associations
    Add identity provider group-to-role mapping
    Modify identity provider group-to-role mapping
    Delete identity provider group-to-role mapping
  Role-based access control (RBAC)
    Roles
    System-provided roles and associated privileges
    Role privilege definitions
  Scopes of authority
    Example: protecting and isolating confidential information with scopes of authority
    Example: providing self-service restores with scopes of authority
  Resources and resource groups
    Create a resource group
    Edit a resource group
    Delete a resource group

Chapter 4: Log Settings
  Authentication Server logging
  Add a log bundle
  Server monitoring with syslog
    Configure TLS for syslog forwarding
    Configure the syslog server
    Troubleshooting the syslog connection

Chapter 5: Network and Communication Security Settings
  Port usage
  Communications security settings
    Virtual networks (VLANs)
    Configure SSH session timeout
    Configure REST API token lifespans
  PowerProtect Data Manager firewall support
    Modify firewall rules

Chapter 6: Data Security Settings
  Data storage security settings
    Protection engine settings
  Encrypting sensitive data
  Backup and restore encryption
    Enable backup and restore encryption
  Audit logging and monitoring system activity
    Configuring the audit service
    Viewing audit events in the UI
    View and manage alerts
    Export audit logs
  Configure compliance verification

Chapter 7: Cryptography
  Security certificates
    Protection engines and security certificates
    Application agents and security certificates
    Application agent security certificate files
    Exchange the PowerProtect Data Manager security certificate with external components
    Import security certificates for external components through the REST API
  PowerProtect Data Manager certificate management
    Virtual networks
    Replace security certificates through the UI
    Replace security certificates with the CLI tool
    Reinstall the PowerProtect plug-in for the vSphere client
    Restart the web service
    Exchange the new security certificates with vCenter for SPBM

Chapter 8: Security Updates and Patching
  Security updates and patching
  Update the Velero or OADP version used by PowerProtect Data Manager

Chapter 9: Authenticity and Integrity
  About product authenticity and integrity
  Verification
    Verify the signer or signers for Windows binaries
    Verify the vendor for Linux (RPM-based) packages
    Verify the vendor for Linux (Debian-based) packages
    Verify GPG signatures for Linux (RPM-based) packages
    Verify the signature for JAR files
    Verify SHA-256 checksums in Windows
    Verify SHA-256 checksums in Linux
    Verify SHA-256 checksums in AIX

Chapter 10: Miscellaneous Configuration and Management Elements
  Licensing
  Installing client software
  Application and application data backups

Appendix A: REST API Procedures
  Manual certificate replacement
    Prepare a public certificate and private key from a keystore
    Manually install a custom security certificate through the REST API
  Change a local user password through the REST API
  Configure compliance verification through the REST API

Tables

1 Revision history
2 Related documentation
3 Style conventions
4 Key features
5 Benefits
6 Linux operating system preloaded accounts
7 PowerProtect Data Manager software preloaded accounts
8 Identity provider attributes
9 Default attribute values
10 Role privileges
11 Monitoring privileges
12 Security and system audit privileges
13 Support assistance and log management privileges
14 User and security management privileges
15 System management privileges
16 Asset management privileges
17 Storage management privileges
18 Protection policy privileges
19 Recovery and reuse management privileges
20 SLA compliance management privileges
21 Copy management privileges
22 Resource group privileges
23 Resource groups
24 Scopes of authority
25 Resource groups
26 Scopes of authority
27 PowerProtect Data Manager port requirements
28 Supported workloads

Disclaimer

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS-IS." DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. In no event shall Dell Technologies, its affiliates or suppliers, be liable for any damages whatsoever arising from or related to the information contained herein or actions that you decide to take based thereon, including any direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell Technologies, its affiliates or suppliers have been advised of the possibility of such damages.

The Security Configuration Guide intends to be a reference. The guidance is provided based on a diverse set of installed systems and may not represent the actual risk/guidance to your local installation and individual environment. It is recommended that all users determine the applicability of this information to their individual environments and take appropriate actions. All aspects of this Security Configuration Guide are subject to change without notice and on a case-by-case basis. Your use of the information contained in this document or materials linked herein is at your own risk. Dell reserves the right to change or update this document in its sole discretion and without notice at any time.

Reporting vulnerabilities

Dell takes reports of potential vulnerabilities in our products very seriously. For the latest on how to report a security issue to Dell, please see the Dell Vulnerability Response Policy on Dell.com.


Preface

As part of an effort to improve product lines, periodic revisions of software and hardware are released. Therefore, all versions of the software or hardware currently in use might not support some functions that are described in this document. The product release notes provide the most up-to-date information on product features.

If a product does not function correctly or does not function as described in this document, contact Customer Support.

NOTE: This document was accurate at publication time. To ensure that you are using the latest version of this document, go to the Customer Support website.

Product naming

Data Domain (DD) is now PowerProtect DD. References to Data Domain or Data Domain systems in this documentation, in the user interface, and elsewhere in the product include PowerProtect DD systems and older Data Domain systems. In many cases the user interface has not yet been updated to reflect this change.

Language use

This document might contain language that is not consistent with Dell Technologies current guidelines. Dell Technologies plans to update the document over subsequent future releases to revise the language accordingly.

This document might contain language from third-party content that is not under Dell Technologies control and is not consistent with the current guidelines for Dell Technologies own content. When such third-party content is updated by the relevant third parties, this document will be revised accordingly.

Website links

The website links used in this document were valid at publication time. If you find a broken link, provide feedback on the document, and a Dell Technologies employee will update the document as necessary.

Purpose

This guide describes security information related to the installation, configuration, administration and use of Dell PowerProtect Data Manager.

Audience

This document is intended for the host system administrator who will be involved in managing, protecting, and reusing data across the enterprise by deploying PowerProtect Data Manager.

Revision history

The following table presents the revision history of this document.

Table 1. Revision history

| Revision | Date | Description |
|---|---|---|
| 01 | June 21, 2022 | Initial release of this document for PowerProtect Data Manager version 19.11. |


Compatibility information

Software compatibility information for the PowerProtect Data Manager software is provided by the E-Lab Navigator.

Related documentation

The following publications are available at Customer Support and provide additional information:

Table 2. Related documentation

| Title | Content |
|---|---|
| PowerProtect Data Manager Administration and User Guide | Describes how to configure the software. |
| PowerProtect Data Manager Deployment Guide | Describes how to deploy the software. |
| PowerProtect Data Manager Licensing Guide | Describes how to license the software. |
| PowerProtect Data Manager Release Notes | Contains information about new features, known limitations, environment, and system requirements for the software. |
| PowerProtect Data Manager Security Configuration Guide | Contains security information. |
| PowerProtect Data Manager Amazon Web Services Deployment Guide | Describes how to deploy the software to Amazon Web Services (AWS). |
| PowerProtect Data Manager Azure Deployment Guide | Describes how to deploy the software to Microsoft Azure. |
| PowerProtect Data Manager Google Cloud Platform Deployment Guide | Describes how to deploy the software to Google Cloud Platform (GCP). |
| PowerProtect Data Manager Cloud Disaster Recovery Administration and User Guide | Describes how to deploy Cloud Disaster Recovery (Cloud DR), protect virtual machines in the AWS or Azure cloud, and run recovery operations. |
| PowerProtect Data Manager Cyber Recovery User Guide | Describes how to install, update, patch, and uninstall the PowerProtect Cyber Recovery software. |
| PowerProtect Data Manager File System User Guide | Describes how to configure and use the software with the File System agent for file-system data protection. |
| PowerProtect Data Manager Kubernetes User Guide | Describes how to configure and use the software to back up and restore namespaces and PVCs in a Kubernetes cluster. |
| PowerProtect Data Manager Microsoft Exchange Server User Guide | Describes how to configure and use the software to back up and restore the data in a Microsoft Exchange Server environment. |
| PowerProtect Data Manager Microsoft SQL Server User Guide | Describes how to configure and use the software to back up and restore the data in a Microsoft SQL Server environment. |
| PowerProtect Data Manager Oracle RMAN User Guide | Describes how to configure and use the software to back up and restore the data in an Oracle Server environment. |
| PowerProtect Data Manager SAP HANA User Guide | Describes how to configure and use the software to back up and restore the data in an SAP HANA Server environment. |
| PowerProtect Data Manager Storage Direct User Guide | Describes how to configure and use the software with the Storage Direct agent to protect data on VMAX storage arrays through snapshot backup technology. |
| PowerProtect Data Manager Network Attached Storage User Guide | Describes how to configure and use the software to protect and recover the data on network-attached storage (NAS) shares and appliances. |
| PowerProtect Data Manager Virtual Machine User Guide | Describes how to configure and use the software to back up and restore virtual machines and virtual-machine disks (VMDKs) in a vCenter Server environment. |
| VMware Cloud Foundation Disaster Recovery With PowerProtect Data Manager | Provides a detailed description of how to perform an end-to-end disaster recovery of a VMware Cloud Foundation (VCF) environment. |
| PowerProtect Data Manager Public REST API documentation | Contains the Dell Technologies APIs and includes tutorials to guide you in their use. |
| vRealize Automation Data Protection Extension for Data Protection Systems Installation and Administration Guide | Describes how to install, configure, and use the vRealize Data Protection Extension. |

Typographical conventions The following type style conventions are used in this document:

Table 3. Style conventions

Formatting Description

Bold Used for interface elements that a user specifically selects or clicks, for example, names of buttons, fields, tab names, and menu paths. Also used for the name of a dialog box, page, pane, screen area with title, table label, and window.

Italic Used for full titles of publications that are referenced in text.

Monospace Used for: System code System output, such as an error message or script Pathnames, file names, file name extensions, prompts, and syntax Commands and options

Monospace italic Used for variables.

Monospace bold Used for user input.

[ ] Square brackets enclose optional values.

| Vertical line indicates alternate selections. The vertical line means "or" for the alternate selections.

{ } Braces enclose content that the user must specify, such as x, y, or z.

... Ellipses indicate non-essential information that is omitted from the example.

You can use the following resources to find more information about this product, obtain support, and provide feedback.

Where to find product documentation

The Customer Support website
The Community Network

Where to get support

The Customer Support website provides access to product licensing, documentation, advisories, downloads, and how-to and troubleshooting information. The information can enable you to resolve a product issue before you contact Customer Support.

To access a product-specific page:

1. Go to the Customer Support website.
2. In the search box, type a product name, and then from the list that appears, select the product.


Knowledgebase

The Knowledgebase contains applicable solutions that you can search for either by solution number (for example, KB000xxxxxx) or by keyword.

To search the Knowledgebase:

1. Go to the Customer Support website.
2. On the Support tab, click Knowledge Base.
3. In the search box, type either the solution number or keywords. Optionally, you can limit the search to specific products by typing a product name in the search box, and then selecting the product from the list that appears.

Live chat

To participate in a live interactive chat with a support agent:

1. Go to the Customer Support website.
2. On the Support tab, click Contact Support.
3. On the Contact Information page, click the relevant support, and then proceed.

Service requests

To obtain in-depth help from a support agent, submit a service request. To submit a service request:

1. Go to the Customer Support website.
2. On the Support tab, click Service Requests.

NOTE: To create a service request, you must have a valid support agreement. For details about either an account or obtaining a valid support agreement, contact a sales representative. To find the details of a service request, in the Service Request Number field, type the service request number, and then click the right arrow.

To review an open service request:

1. Go to the Customer Support website.
2. On the Support tab, click Service Requests.
3. On the Service Requests page, under Manage Your Service Requests, click View All Dell Service Requests.

Online communities

For peer contacts, conversations, and content on product support and solutions, go to the Community Network. Interactively engage with customers, partners, and certified professionals online.

How to provide feedback

Feedback helps to improve the accuracy, organization, and overall quality of publications. You can send feedback to DPAD.Doc.Feedback@emc.com.


Introduction

Topics:

About this guide
Introducing the PowerProtect Data Manager software
Supported Internet Protocol versions
Managing authentication and authorization
Roadmap

About this guide

This guide provides an overview of security configuration settings available in PowerProtect Data Manager, secure deployment, and physical security controls that are required to ensure the secure operation of the product.

Authentication
Authentication describes the settings, configuration options, and means by which users and external systems identify themselves to PowerProtect Data Manager.

Authorization
Authorization describes how PowerProtect Data Manager maps an authenticated user or external system to a level of access or permissions. More broadly, authorization describes what users are allowed to do.

Log Settings
A log is a chronological record that helps you to examine the sequence of activities surrounding or leading up to an operation, procedure, or event in a security-related transaction from beginning to end. This chapter describes how to access and manage the log files available in PowerProtect Data Manager.

Network and Communication Security Settings
Communication security settings enable the establishment of secure communication channels between PowerProtect Data Manager components, PowerProtect Data Manager components and external systems, and PowerProtect Data Manager components and external components. This chapter describes how PowerProtect Data Manager uses secure channels for communication and how to configure PowerProtect Data Manager in a firewall environment.

Data Security Settings
Data security settings enable you to define controls that prevent unauthorized access and disclosure of data that is permanently stored by PowerProtect Data Manager. This chapter describes the settings available to ensure the protection of the data that is handled by PowerProtect Data Manager.

Cryptography
This chapter describes the cryptographic options and components for PowerProtect Data Manager, including how to manage the security certificates in use.

Security Updates and Patching
Instructions for obtaining and applying updates and patches for the PowerProtect Data Manager software. Where applicable, these instructions include how to apply off-cycle updates for specific components.

Authenticity and Integrity
Information and instructions that enable you to verify PowerProtect Data Manager and its downloads before deployment or installation. Verification typically happens through methods such as digital signatures and checksums.

Miscellaneous Configuration and Management Elements
This chapter contains all other topics that do not fall into one of the earlier categories.

REST API procedures
This appendix describes other ways that you can accomplish some goals for which the preferred instructions use the web user interface (UI) or the command-line interface (CLI).


Introducing the PowerProtect Data Manager software

PowerProtect Data Manager software is an enterprise solution that provides software-defined data protection, deduplication, operational agility, self-service, and IT governance.

PowerProtect Data Manager key features include the following:

Table 4. Key features

Software-defined data protection with integrated deduplication, replication, and reuse

Data backup and recovery self-service operations from native applications that are combined with central IT governance

Multicloud optimization with integrated Cloud Tiering

SaaS-based monitoring and reporting

Modern services-based architecture for ease of deployment, scaling, and updating

PowerProtect Data Manager integrates multiple data-protection products within the Data Protection portfolio to enable data protection as a service, providing the following benefits:

Table 5. Benefits

Enables data-protection teams to create data paths with provisioning, automation, and scheduling to embed protection engines into their data-protection infrastructure for high-performance backup and recovery

Enables backup administrators of large-scale environments to schedule backups for the following asset types from a central location on the PowerProtect Data Manager server:
  VMware virtual machines
  File systems
  VMAX storage groups
  Kubernetes clusters
  Microsoft Exchange Server and Microsoft SQL Server databases
  Oracle databases
  SAP HANA databases
  Network-attached storage (NAS) shares

Provides an agent-based approach to automatically discover and protect databases on an application server

Enables self-service and centralized protection by:
  Monitoring service-level objectives (SLOs)
  Identifying violations of recovery-point objectives (RPOs)

Supports deploying an external VM Direct appliance that moves data with a VM Direct Engine that is optimized for performing high-capacity backup streams

Comes with a basic embedded VM Direct Engine that has the following functions and capabilities:
  It is automatically used as a fallback proxy for performing backup and restore operations when an external VM Direct Engine fails, is disabled, or is unavailable
  It has a limited capacity for performing backup streams
  It can work with virtual-machine crash-consistent protection policies that use the Transparent Snapshot Data Mover (TSDM) protection mechanism
  It enables the Search Service used by PowerProtect Search

Supports PowerProtect Search, which enables backup administrators to quickly search for and restore VM and NAS file copies

Supports the vRealize Automation DP extension, which enables the automatic provisioning of virtual machines and on-demand backups and restores

Integrates with Cloud Disaster Recovery (Cloud DR), including workflows for Cloud DR deployment, protection, and recovery operations in the AWS and Azure clouds

Integrates with PowerProtect Cloud Snapshot Manager to view PowerProtect Cloud Snapshot Manager jobs, alerts, and reports from a consolidated PowerProtect Data Manager dashboard


Integrates with PowerProtect Cyber Recovery to protect the integrity of a PowerProtect Data Manager environment from cyber threats

Provides a RESTful API interface that allows PowerProtect Data Manager to be monitored, configured, and orchestrated:
  Existing automation frameworks can be integrated
  New scripts can be quickly written
  Easy-to-follow tutorials are provided

Supported Internet Protocol versions

PowerProtect Data Manager only supports the use of IPv4 addresses.

Using an IPv6 address can result in errors or other unexpected behavior. When configuring devices to connect over the network with PowerProtect Data Manager, use only IPv4 addresses.

Managing authentication and authorization

PowerProtect Data Manager provides a security model which controls authentication and authorization through several smaller building blocks.

Users and groups are defined by the local identity provider or by an external identity provider and group mapping. These sources are the means by which users identify themselves to PowerProtect Data Manager. Authentication provides more information about identity providers and about managing users and groups.

After authentication, each user or group has at least one assigned role. A role delegates authorization from the system administrator to users by associating a set of privileges which define the tasks that the user can perform. You assign a role to a user or a group as part of creating or modifying the user or group. Role-based access control (RBAC) provides information about roles and role assignments.

By default, users and groups with specified roles operate on resources across the PowerProtect Data Manager environment. However, as part of creating or modifying users and groups, you can narrow the applicability of an assigned role. Scopes of authority provides more information about defining scopes of authority under which users operate, and the related structures. Resource groups enable you to assign responsibility and access for specific assets to individual users.

Roadmap

For new deployments, the following steps describe a recommended course of security-related events. Some steps such as external identity providers may not apply to all environments.

Steps

1. Review the port requirements and configure environment connectivity, as required.

Port usage provides more information.

2. Set up an email server.

The PowerProtect Data Manager Administration and User Guide provides instructions. The email server is partly used for email related to password expiration and resetting passwords.

3. Update the contact information for the admin user to include a working email address for password-related notification.

User and credential management provides instructions.

4. Change the self-signed security certificates.

Security certificates and PowerProtect Data Manager certificate management provide instructions.

5. Configure an external identity provider.

Authentication types and setup and Managing external identity providers provide instructions.

6. Review the PowerProtect Data Manager roles.

Role-based access control (RBAC) provides more information.

7. Review information about scopes of authority, and then plan the security use cases.


Scopes of authority provides more information.

8. Create resource groups to protect stored data.

Resources and resource groups provides instructions.

9. Add local users and change the local user passwords. Assign local users to a PowerProtect Data Manager role and create applicable scopes of authority.

User and credential management provides instructions.

10. Map external identity provider users to a PowerProtect Data Manager role and create applicable scopes of authority.

External authorization associations provides instructions.

Next steps

Complete any other security tasks that apply to your environment.


Authentication

Authentication describes the settings, configuration options, and means by which users and external systems identify themselves to PowerProtect Data Manager.

Topics:

Component access control
Log in to PowerProtect Data Manager
Log in to the PowerProtect Data Manager REST API
User and credential management
Login security settings
Authentication types and setup
Identity providers
Authentication to external systems

Component access control

Component access control settings define how to control external and internal systems or component access to the product.

PowerProtect Data Manager uses validated tokens to provide secure operations and data transfer between components.

Only authenticated users can use the UI to perform operations. When a user logs in to the UI, the user verification process, or requestor, contacts the Authentication Service to verify the credentials of the user account. When the Authentication Service successfully verifies the user, the application issues a token to the requestor. All the PowerProtect Data Manager components that require authentication can use the token to verify the user. After the Authentication Service authenticates the user by using the token, the Authentication Service determines the level of authorization that the user has to perform the requested operation.

Log in to PowerProtect Data Manager

When you log in to the PowerProtect Data Manager UI, provide an active username and password.

Usernames follow the format user[@domain], where domain is an optional identifier that associates the user with a particular identity provider.

For example: jsmith or administrator@test-lab.

If you do not supply a domain, the authentication service checks the default identity provider.
If you supply a domain, the authentication service consults the external identity provider for that domain and determines whether to allow the login.

Domains are case-sensitive. Supply the domain with the same capitalization that was used when configuring the identity provider. Otherwise, you may receive error messages such as 500: Resources cannot be retrieved.

When the identity provider validates the credentials, the authentication service issues a user token. The PowerProtect Data Manager UI uses the token information to authorize activities.

Unless you have changed the system configuration, the default identity provider is the local identity provider.

NOTE:

If the user interface is left unattended for more than 30 minutes and times out, the login page might display with the error 503: Unknown Error. If this occurs, dismiss the error and log in again with your username and password.


If you log in with an expired password, reset the password immediately. Clicking Cancel, closing the browser, or navigating away from the page before changing your password disables your credentials for subsequent logins. To re-enable your credentials, Change a local user password through the REST API provides instructions.

Log in to the PowerProtect Data Manager REST API

When you log in to the PowerProtect Data Manager REST API, provide an active username and password. Usernames and domains follow the same format as for the PowerProtect Data Manager UI.

Use curl or a REST API client of your choice to log in to the PowerProtect Data Manager REST API as a user with the appropriate role:

POST https://{{server}}:{{port}}/api/v2/login

Headers:
Content-Type: application/json

Request Payload:
{
  "username": "{{username}}",
  "password": "{{password}}"
}

where:

{{server}} is the FQDN or IP address for the PowerProtect Data Manager server.
{{port}} is the REST API port, typically 8443.
{{username}} and {{password}} are the PowerProtect Data Manager REST API credentials.

When you successfully log in, you receive an access token from the REST API service:

200 OK
{
  "access_token": "eyJraWQiOiJkMjc5M",
  "token_type": "Bearer",
  "expires_in": 28800,
  "jti": "dadda4ef-c4ad-4153-9bee-82f5ad69c75a",
  "scope": "aaa",
  "refresh_token": "eyJraWQiOiJkMjc5M"
}

Record the access_token value for future REST API calls, but protect this access token like a set of credentials. The token in this example is simplified for clarity and space.

User and credential management

These topics describe how to work with local accounts. This includes a list of accounts which exist from deployment, as well as how to manage user accounts, change passwords, and secure credentials.

Preloaded accounts and default credentials

This topic describes the local identity provider user accounts that come with a default PowerProtect Data Manager installation and any applicable default credentials.

Most default credentials exist only for the period between deployment and initial configuration. Use the Change required column to identify credentials that you must replace during the configuration process.

The Purposes column identifies the expected uses for each entry. The Actions column identifies points where customer interaction is required.

Linux operating system

This table describes accounts for accessing the Linux operating system on which PowerProtect Data Manager runs.

Table 6. Linux operating system preloaded accounts

Account or credential | Default password | Expiry interval | Change required | Purposes | Actions
root | changeme | 60 days | Yes | Provides root privilege elevation for commands. | N/A
support | $upp0rt! | 60 days | Yes | Controls SSH access to system console. | N/A
admin | @ppAdm1n | 60 days | Yes | Controls SSH access to system console. | N/A

Even if you disable Use common password to set different component passwords during deployment, the configuration process sets the same password for each of the operating system accounts.

PowerProtect Data Manager software

This table describes credentials for working with the PowerProtect Data Manager software.

Table 7. PowerProtect Data Manager software preloaded accounts

Account or credential | Default password | Expiry interval | Change required | Purposes | Actions
UI admin | admin | 60 days | Yes | Controls access to the web UI. Controls access to REST API requests. | N/A

PowerProtect Data Manager automatically configures a strong, unique passphrase during deployment. Credential security provides more information about the lockbox.

Admin account password expiry

You must have a valid admin account password to log in to PowerProtect Data Manager and perform regular administrative tasks. Preventing it from expiring is an essential part of system maintenance.

Configure notification of critical alerts to receive an alert 15 days, 7 days, 3 days, and 1 day before the admin password is due to expire. For information about configuring alert notification, see the PowerProtect Data Manager Administration and User Guide.

To change the admin password before it expires, see Change operating system passwords.

If the admin password has expired and you need to reset it, see Operating system expired password behavior.

Server DR restores

Restoring PowerProtect Data Manager from a server DR backup resets the passwords for all preloaded accounts to the default passwords.

The UI administrator account password is not reset and retains the last configured value. After you restore from a server DR backup, change the passwords for the preloaded accounts as soon as possible.

Common password policy

When you set a local identity provider account password, ensure that the credential meets the following requirements:

  Contains a minimum of nine characters and a maximum of one hundred characters
  Contains at least one numeric character (0-9)
  Contains at least one uppercase character (A-Z)
  Contains at least one lowercase character (a-z)
  Contains at least one special character from the following list of acceptable characters:

  !@#$%^&*()_-+=~{}[]<>?/`:;',.|\"

  Spaces are allowed.
  Contains only letters from the English alphabet
  Does not contain other sensitive information that is associated with the user account, such as the first and last names, username, or email address
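The policy above written as a local check, as an added example that is not part of the Dell guide or the product's own code. The rules, the special-character list and the default passwords come from this page; the function names, the case-insensitive identity match, the use of an email's local part and the three-character minimum for identity details are assumptions.

```python
import string

# Acceptable special characters, copied from the policy list on this page.
SPECIALS = set("!@#$%^&*()_-+=~{}[]<>?/`:;',.|\\\"")
# English letters, digits, the listed specials, and spaces (explicitly allowed).
ALLOWED = set(string.ascii_letters + string.digits + " ") | SPECIALS

# (label, username, default password) from Tables 6 and 7 on this page.
PRELOADED = [
    ("root", "root", "changeme"),
    ("support", "support", "$upp0rt!"),
    ("admin (OS)", "admin", "@ppAdm1n"),
    ("admin (UI)", "admin", "admin"),
]


def identity_tokens(identity):
    """Lower-cased account details to search for inside a password.

    Assumptions (not stated by the guide): an email address also contributes
    its local part, and details shorter than 3 characters are ignored.
    """
    tokens = set()
    for item in identity:
        item = item.strip().lower()
        for token in (item, item.split("@")[0]):
            if len(token) >= 3:
                tokens.add(token)
    return tokens


def policy_violations(password, identity=()):
    """Return the policy rules that `password` breaks (empty list = compliant).

    `identity` holds the account's first name, last name, username and email
    address, which the policy forbids inside the password.
    """
    problems = []
    if not 9 <= len(password) <= 100:
        problems.append("length must be 9-100 characters")
    if not any(c in string.digits for c in password):
        problems.append("needs a numeric character")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("needs an uppercase character")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("needs a lowercase character")
    if not any(c in SPECIALS for c in password):
        problems.append("needs a special character from the list")
    outside = sorted({c for c in password if c not in ALLOWED})
    if outside:
        problems.append("characters outside the allowed set: " + "".join(outside))
    lowered = password.lower()
    if any(token in lowered for token in identity_tokens(identity)):
        problems.append("contains account information")
    return problems


def audit_preloaded():
    """Map each preloaded account to the rules its default password breaks."""
    return {
        label: policy_violations(password, identity=(username,))
        for label, username, password in PRELOADED
    }


if __name__ == "__main__":
    for label, problems in audit_preloaded().items():
        print(label, "->", "; ".join(problems))
```

Every preloaded default fails at least the length rule, so a replacement that passes this check is never one of the shipped values.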

Managing local identity provider users

Only the Administrator and the Security Administrator roles can manage users. The Administrator, Security Administrator, and User roles can view users.

NOTE: User authorization grants or denies users access to PowerProtect Data Manager resources. Authorization is the same for local identity provider users and external identity provider users.

You cannot rename or change the role assignment for the preloaded administrator account.

Add a local user

Only the Administrator and the Security Administrator roles can add users to the local identity provider.

Prerequisites

This procedure contains the process of role assignment, which delegates the authorization to perform particular tasks. Review the list of system-defined roles and identify all necessary roles.

This procedure also enables you to define scopes of authority in which this role assignment operates. Plan any applicable scopes and create any necessary resource groups. Creating a scope of authority is optional; you can assign authorization over all assets.

NOTE: You can only limit the Backup Administrator, Restore Administrator, and User roles to specific resource groups. The Administrator and Security Administrator roles have full access to all resources.

Steps

1. From the left navigation pane, select Administration > Access Control.

The Access Control window appears.

2. Click the Users/Groups tab. PowerProtect Data Manager displays a list of configured user accounts and external identity provider groups, including any associated roles.

3. Click Add User/Group. The Add User/Group window opens on the User Type tab.

4. Select Local User.

5. Provide the following information:

  First Name
  Last Name
  Email Address
  User Name
  Password
  Retype to confirm the password.
  Force Password Change: Enabled by default. Requires the user to update the password at first login.

6. Click Next. The Add User/Group window moves to the Role tab.

7. Select one or more applicable roles.

To see a list of the permissions for each role, click >. You can further refine the applicability of each role on the next tab.

8. Click Next. The Add User/Group window moves to the Resources tab.


9. For each role, select whether the authorizations from that role should apply to All Assets or to Selected Resource Groups.

Applying an authorization only to selected resource groups creates a scope of authority.

If you chose Selected Resource Groups, a list of resource groups appears.

a. Select one or more available resource groups.
b. To remove a selected resource group from the list, click the X for that resource group.

10. Click Next. The Add User/Group window moves to the Summary tab.

11. Review your selections, correct any errors, and then click Finish.

Results

The new user appears in the list of configured user accounts and groups.

Edit or delete a local user

Only the Administrator and the Security Administrator roles can edit or delete local identity provider users.

Prerequisites

This procedure contains the process of role assignment, which delegates the authorization to perform particular tasks. Review the list of system-defined roles and identify all necessary roles.

This procedure also enables you to define scopes of authority in which this role assignment operates. Plan any applicable scopes and create any necessary resource groups. Creating a scope of authority is optional; you can assign authorization over all assets.

NOTE: You can only limit the Backup Administrator, Restore Administrator, and User roles to specific resource groups. The Administrator and Security Administrator roles have full access to all resources.

Steps

1. From the left navigation pane, select Administration > Access Control.

The Access Control window appears.

2. Click the Users/Groups tab. PowerProtect Data Manager displays a list of configured user accounts and external identity provider groups, including any associated roles.

3. Click for any user account to see the following information:

  Username
  First name
  Last name
  Email address
  User role
  Date the user was created

4. Select the user that you want to edit or delete.

5. To delete the user, click Delete. The user disappears from the list of configured user accounts and groups.

6. To edit the user, click Edit. The Edit User/Group window opens on the User Type tab.

7. Change any of the following information:

  First Name
  Last Name
  Email Address
  User Name
  Password
  Retype to confirm the password.
  Force Password Change: Enabled by default. Requires the user to update the password at first login.

8. Click Next.


The Edit User/Group window moves to the Role tab.

9. Select one or more applicable roles.

To see a list of the permissions for each role, click >. You can further refine the applicability of each role on the next tab.

10. Click Next. The Edit User/Group window moves to the Resources tab.

11. For each role, select whether the authorizations from that role should apply to All Assets or to Selected Resource Groups.

Applying an authorization only to selected resource groups creates a scope of authority.

If you chose Selected Resource Groups, a list of resource groups appears.

a. Select one or more available resource groups.
b. To remove a selected resource group from the list, click the X for that resource group.

12. Click Next. The Edit User/Group window moves to the Summary tab.

13. Review your selections, correct any errors, and then click Finish.

Results

The changes appear in the list of configured user accounts and groups.

Change a local user password

Use the self-service feature to change the password for a local identity provider user.

Prerequisites

If you do not know the current password, Reset a forgotten local user password provides more information.
External identity provider users cannot reset their password using this procedure. Contact the identity provider administrator to reset your password.

Steps

1. Log in to the PowerProtect Data Manager UI.

2. From the banner, select User Options > Change Password.

3. Type the current password for the local user.

4. Type the new password twice for confirmation.

The new password must conform to the Common password policy.

5. Click Save.

Reset a forgotten local user password

Use the self-service feature to reset a forgotten password for a local user.

Prerequisites

The account must be a local identity provider user.
A mail server must be configured on PowerProtect Data Manager.
External identity provider users cannot reset their password using this procedure. Contact the identity provider administrator to reset your password.

Review Common password policy before you select a new password.

About this task

Local users can receive an email with a link to reset their password. The reset password link in the email expires in 20 minutes, after which time they must request another link.


Steps

1. In the PowerProtect Data Manager login page, click Forgot Password.

2. In the Forgot Password dialog box, type your user name, click Send Link, and click OK to dismiss the informational dialog box. The system sends a message to the email address associated with your user name.

3. Open the email and click the link.

4. In the Reset Password dialog box, type a new password in the New Password and Confirm New Password fields, and click Save. The PowerProtect Data Manager login page appears.

5. Log in with your user name and new password.

Change operating system passwords

Only the Administrator role can change operating system passwords. You can change the password for the Linux operating system root, admin, and support users by using the PowerProtect Data Manager UI.

About this task

For the root user, this method works if the current password has not expired and you know the current password. If the root password has expired, the attempt fails.

Review Common password policy before you select a new password.

Steps

1. Log in to the PowerProtect Data Manager user interface as a user with the Administrator role.

2. Click , and then select Authentication. The System Users window displays.

3. Select the password you want to change:
  For the root and support users, click Edit.
  For the operating system admin user, click Reset. You can change the operating system admin user password without providing the existing password.

4. Update the form, and then click Save.

Configure password complexity and expiration

This topic describes how to configure the PowerProtect Data Manager password policy through the REST API. If you change the regular expressions, change both regular expressions to keep the rules consistent.

About this task

The PowerProtect Data Manager REST API documentation provides more information, including examples, about how to use the REST API. Use curl or a client of your choice and supply a valid access token with each call after the log-in. Clients may require additional parameters to allow connections to servers that use self-signed certificates.

Common password policy describes the default password policy.

Steps

1. Log in to the PowerProtect Data Manager REST API as a user with the Administrator role.

Record the access token.

2. Retrieve the existing password policy, which may be different than the default:

GET https://{{server}}:{{port}}/api/v2/policies/password

Headers:
Content-Type: application/json
Authorization: Bearer {{access-token}}

The response returns a list of values in JSON format:

{
  "passwordRegex": "^(?=.*[A-Z])(?=.*[a-z])(?=.*\\d)(?=.*[\\p{Punct}])[A-Za-z \\d\\p{Punct}]{9,100}",
  "passwordRegexJS": "^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[$#@$!%*?& ^'/:,\\\\\\]\\[() +-\\.~<>\"={|}`;_])[A-Za-z\\d$#@$/!%*?& ^':,\\\\\\]\\[()+-\\.~<>\"={|}`;_]{9,}$",
  "policyDescription": "Password must have minimum 9 and maximum 100 characters, at least 1 uppercase letter, at least 1 lowercase letter, at least 1 numeric and at least 1 special character.",
  "maxAge": "P60D"
}

This example response shows the default policy.

Field | Description
passwordRegex | Controls the password length and strength for the local user account passwords.
passwordRegexJS | Controls the password length and strength for the local user account passwords. This regular expression uses JavaScript format for the UI.
policyDescription | Stores the user-facing policy description.
maxAge | Controls the password expiry interval. This interval is the number of days that a password can be used before the password expires. The default is 60 days.

3. Change the password policy:

PUT https://{{server}}:{{port}}/api/v2/policies/password

Headers:
Content-Type: application/json
Authorization: Bearer {{access-token}}

{
  "passwordRegex": "{{REST-API-regex}}",
  "passwordRegexJS": "{{UI-regex}}",
  "policyDescription": "{{description}}",
  "maxAge": "{{expiry-interval}}"
}

Supply values for these fields as defined in the previous step. For example, to change the password expiry interval to 30 days, use "maxAge": "P30D".

The REST API service returns a status code:

200 OK
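The PUT body carries three fields that must stay consistent with each other (the REST regex, the UI regex, and the description) plus the expiry interval. The following added example, which is not part of the Dell guide, checks a proposed body before it is sent. The policy values, sample passwords, server name, port, and token are constructed placeholders, and the check assumes that maxAge uses only the day form shown in this topic and that passwordRegex is applied to the whole password.

```python
import json
import re
import string
import urllib.request

# Constructed proposal (not from the guide): the default policy's shape with the
# minimum length raised to 12 and the expiry interval shortened to 30 days.
# The UI special-character set here is a deliberately small constructed subset.
PROPOSED = {
    "passwordRegex": r"^(?=.*[A-Z])(?=.*[a-z])(?=.*\d)(?=.*[\p{Punct}])"
                     r"[A-Za-z\d\p{Punct}]{12,100}",
    "passwordRegexJS": r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[!#$%&*?@^_~-])"
                       r"[A-Za-z\d!#$%&*?@^_~-]{12,}$",
    "policyDescription": "Password must have minimum 12 and maximum 100 characters, "
                         "at least 1 uppercase letter, at least 1 lowercase letter, "
                         "at least 1 numeric and at least 1 special character.",
    "maxAge": "P30D",
}

# Constructed test passwords; never use real credentials in a check like this.
MUST_ACCEPT = ["Tr1cky-Backup#42"]
MUST_REJECT = ["Short1!a", "alllowercase-123", "NoSpecialChar123", "Has Space-Abc123"]


def max_age_days(value):
    # Accept only the ISO 8601 day form used in this topic, for example P60D.
    match = re.fullmatch(r"P(\d+)D", value)
    if not match or int(match.group(1)) == 0:
        raise ValueError(f"maxAge must look like P<days>D, got {value!r}")
    return int(match.group(1))


def length_bounds(pattern):
    # Read (min, max) from the trailing {min,max} quantifier; max is None if open.
    match = re.search(r"\{(\d+),(\d*)\}\$?$", pattern)
    if not match:
        raise ValueError("no trailing {min,max} length quantifier found")
    return int(match.group(1)), (int(match.group(2)) if match.group(2) else None)


def compile_rest_regex(pattern):
    # Python's re lacks the Java class \p{Punct}; it equals ASCII punctuation.
    return re.compile(pattern.replace(r"\p{Punct}", re.escape(string.punctuation)))


def preflight(body, must_accept, must_reject):
    """Return a list of problems; an empty list means the body is consistent."""
    fields = ("passwordRegex", "passwordRegexJS", "policyDescription", "maxAge")
    problems = [f"missing field: {f}" for f in fields if not body.get(f)]
    if problems:
        return problems
    try:
        max_age_days(body["maxAge"])
    except ValueError as err:
        problems.append(str(err))
    try:
        rest_min, _ = length_bounds(body["passwordRegex"])
        ui_min, _ = length_bounds(body["passwordRegexJS"])
    except ValueError as err:
        return problems + [str(err)]
    if rest_min != ui_min:
        problems.append(f"REST minimum {rest_min} differs from UI minimum {ui_min}")
    if f"minimum {rest_min} " not in body["policyDescription"]:
        problems.append(f"policyDescription does not state minimum {rest_min}")
    rest = compile_rest_regex(body["passwordRegex"])
    problems += [f"rejects expected-good sample {p!r}"
                 for p in must_accept if not rest.fullmatch(p)]
    problems += [f"accepts expected-bad sample {p!r}"
                 for p in must_reject if rest.fullmatch(p)]
    return problems


def build_put(server, port, token, body):
    # Builds the request described in step 3; nothing is sent here.
    return urllib.request.Request(
        f"https://{server}:{port}/api/v2/policies/password",
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="PUT",
    )


if __name__ == "__main__":
    issues = preflight(PROPOSED, MUST_ACCEPT, MUST_REJECT)
    print("problems:", issues or "none")
```

Run the check again against the GET response after the change to confirm that the stored policy matches what was submitted.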

Login security settings

These topics describe configuration options that guard access to PowerProtect Data Manager and control how users log in.

Configure failed UI login behavior

This topic describes how the PowerProtect Data Manager UI behaves for failed login attempts and how to configure the lockout mechanism that regulates failed UI login attempts.

About this task

By default, PowerProtect Data Manager UI user accounts are locked out after five failed login attempts. After reaching this threshold, the default lockout period is five minutes before you can try logging in again.

The PowerProtect Data Manager REST API documentation provides more information, including examples, about how to use the REST API. Use curl or a client of your choice and supply a valid access token with each call after the log-in. Clients may require additional parameters to allow connections to servers that use self-signed certificates.

Steps

1. Log in to the PowerProtect Data Manager REST API as a user with the Administrator role.

Record the access token.

2. Change the failed UI login behavior:

PUT https://{{server}}:{{port}}/api/v2/common-settings/USER_LOCKOUT_SETTING

Headers:
Content-Type: application/json
Authorization: Bearer {{access-token}}

{
  "id": "USER_LOCKOUT_SETTING",
  "properties": [
    {
      "name": "durationMinutes",
      "value": "{{lockout-duration-minutes}}",
      "type": "INTEGER"
    },
    {
      "name": "loginAttempts",
      "value": "{{number-login-attempts}}",
      "type": "INTEGER"
    }
  ]
}

where:

Option Description

{{lockout-duration-minutes}} The number of minutes for which PowerProtect Data Manager locks out the user account after exceeding the failure limit. The default value is 5.

{{number-login-attempts}} The number of failed login attempts after which PowerProtect Data Manager locks out the user account. The default value is 5.

All values must be integers and all values are required.

The REST API service returns a status code:

200 OK

{
  "id": "USER_LOCKOUT_SETTING",
  "properties": [
    {
      "name": "durationMinutes",
      "value": "5",
      "type": "INTEGER"
    },
    {
      "name": "loginAttempts",
      "value": "5",
      "type": "INTEGER"
    }
  ]
}
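The following added example, which is not part of the Dell guide, builds the USER_LOCKOUT_SETTING body, confirms from the response that both values were applied, and estimates how many failed UI logins one account can absorb per day under a given setting. The function names are hypothetical, and the estimate assumes that the failure counter starts over after each lockout and that the time spent on the attempts themselves is negligible.

```python
import json

MINUTES_PER_DAY = 24 * 60

# The example response from this topic (default values), used as sample input.
SAMPLE_RESPONSE = """
{ "id": "USER_LOCKOUT_SETTING", "properties": [
  { "name": "durationMinutes", "value": "5", "type": "INTEGER" },
  { "name": "loginAttempts", "value": "5", "type": "INTEGER" } ] }
"""


def build_lockout_body(duration_minutes, login_attempts):
    """Build the PUT body; both values are required and must be integers."""
    for name, value in (("durationMinutes", duration_minutes),
                        ("loginAttempts", login_attempts)):
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, int) or value < 1:
            raise ValueError(f"{name} must be a positive integer, got {value!r}")
    return {
        "id": "USER_LOCKOUT_SETTING",
        "properties": [
            {"name": "durationMinutes", "value": str(duration_minutes),
             "type": "INTEGER"},
            {"name": "loginAttempts", "value": str(login_attempts),
             "type": "INTEGER"},
        ],
    }


def parse_lockout(text):
    """Return {'durationMinutes': int, 'loginAttempts': int} from a JSON body."""
    doc = json.loads(text)
    if doc.get("id") != "USER_LOCKOUT_SETTING":
        raise ValueError(f"unexpected setting id: {doc.get('id')!r}")
    settings = {p["name"]: int(p["value"]) for p in doc.get("properties", [])}
    missing = {"durationMinutes", "loginAttempts"} - settings.keys()
    if missing:
        raise ValueError(f"response is missing: {sorted(missing)}")
    return settings


def confirm_applied(requested_body, response_text):
    """Return {name: (requested, returned)} for each value that differs."""
    want = parse_lockout(json.dumps(requested_body))
    got = parse_lockout(response_text)
    return {k: (want[k], got[k]) for k in want if want[k] != got[k]}


def max_failed_logins_per_day(duration_minutes, login_attempts):
    """Approximate upper bound on failed UI logins per account per day.

    Each cycle is login_attempts failures followed by a lockout of
    duration_minutes; cycles start at minute 0, d, 2d, ... within one day.
    """
    cycles = -(-MINUTES_PER_DAY // duration_minutes)  # ceiling division
    return cycles * login_attempts


if __name__ == "__main__":
    body = build_lockout_body(15, 3)
    print(json.dumps(body, indent=2))
    print("differences vs. sample response:", confirm_applied(body, SAMPLE_RESPONSE))
    for minutes, attempts in ((5, 5), (15, 3), (30, 3)):
        print(minutes, attempts, max_failed_logins_per_day(minutes, attempts))
```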

Operating system expired password behavior

For the Linux operating system admin, root, and support user passwords, different expiry scenarios can arise. Each scenario has two courses of action, depending on whether you know the expired password for that account.

You must know at least one password to reset an expired password. Otherwise, contact Customer Support.

The admin password expires

You can reset the admin password by logging in to the PowerProtect Data Manager UI with an account that has the Administrator role. Change operating system passwords provides instructions. You do not need to know the expired password.

If you cannot log in to the UI with the Administrator role:

Establish an SSH session to PowerProtect Data Manager as the admin user. The console prompts you to type the expired password and then set a new password.

If you do not know the expired password but you know the root password, you can reset the admin password by using the vSphere console. Use the vSphere console to log in to PowerProtect Data Manager as the root user. Then, reset the admin password by typing passwd admin. A restart is not required.

If you do not know the root password or the expired password, contact Customer Support.

The root password expires

If you know the expired password, you can reset the root password through the PowerProtect Data Manager console. An expired root password cannot be reset through the UI.

Establish an SSH session to PowerProtect Data Manager as the admin user, and then change to the root user by typing su -. The console prompts you to type the expired root password and then set a new password.

If you do not know the expired password but you know the admin password, you can reset the root password by using the console. Establish an SSH session to PowerProtect Data Manager as the admin user. Then, reset the root password by typing sudo passwd root. A restart is not required.

If you do not know the admin password or the expired password, contact Customer Support.

The admin and root passwords both expire

If you know the expired passwords, you can reset both passwords through the PowerProtect Data Manager console by combining the methods for each expired password.

Establish an SSH session to PowerProtect Data Manager as the admin user. The console prompts you to type the expired admin password and then set a new admin password. Then, change to the root user by typing su -. The console prompts you to type the expired root password and then set a new root password.

If you do not know the expired passwords, contact Customer Support. The resolution requires restarting PowerProtect Data Manager.

The support password expires

If you know the expired password, you can reset the support password through the PowerProtect Data Manager console or through the UI:

For the console, establish an SSH session to PowerProtect Data Manager as the support user. The console prompts you to type the expired password and then set a new password.

For the UI, Change operating system passwords provides instructions.

If you do not know the expired password but you know the admin or root password:

If you know the admin password, you can reset the support password by using the console. Establish an SSH session to PowerProtect Data Manager as the admin user. Then, reset the support password by typing sudo passwd support. A restart is not required.

If you know the root password, you can reset the support password by using the vSphere console. Use the vSphere console to log in to PowerProtect Data Manager as the root user. Then, reset the support password by typing passwd support. A restart is not required.

If you do not know the admin or root passwords or the expired password, contact Customer Support.

The admin, root, and support passwords all expire

If you know some or all of the expired passwords, you can reset all of the passwords through the PowerProtect Data Manager console by combining the methods for each expired password. Follow the directions for The admin and root passwords both expire and then The support password expires.

If you do not know any of the expired passwords, contact Customer Support.

Operating system expired password impacts

For the Linux operating system admin and root user passwords, some aspects of PowerProtect Data Manager may not operate correctly when one or both passwords expire.

Protection engine and Search Engine node operating system passwords do not expire. PowerProtect Data Manager automatically manages these passwords, which are meant for system use only.

All functionality that is not listed in these sections continues to work after passwords expire.

Admin password expires

Software update prechecks fail and block the update process.

The server DR service script must be run by the root user. Running the script as the root user changes the service script ownership and the ownership of related files to the root user.

Root password expires

The system manager cannot start after PowerProtect Data Manager restarts.

System operations that require root privileges fail. For example, changing expirations, opening network ports, and changes to file ownership.

Software update prechecks fail and block the update process.

sudo operations for server DR, such as mounting, unmounting, and permissions or ownership changes fail and block related operations, including:

    Changing the server DR storage target from NFS to DD Boost, or from DD Boost to NFS.

    Changing the server DR storage target from one protection storage system to another.

    Password synchronization with the storage target.

    Server DR restores.

The compliance verification Docker service and compliance verification services cannot start.

Authentication types and setup

These topics describe authentication source and configuration options for PowerProtect Data Manager. For example, how to configure and use external identity providers.

Identity providers

An identity provider is an abstract source of user and group data that PowerProtect Data Manager can map to corresponding roles. The abstraction simplifies user and role management.

In addition to the list of supported external identity providers, PowerProtect Data Manager contains locally defined identity providers for application and operating system users.

PowerProtect Data Manager supports multiple active identity providers. Each identity provider has a unique associated domain that identifies all users from that identity provider.

You can map users to PowerProtect Data Manager roles directly or through user groups that come from an identity provider. After you configure an identity provider and map a user or group to a role, you can log in to PowerProtect Data Manager as that user, or as a user from that group.

Some local users have restricted capabilities. For example, operating system users are not mapped to application roles and are limited to SSH access. The local identity provider does not support adding or deleting operating system users, only changing the passwords for existing accounts.

Supported external identity providers

Lightweight Directory Access Protocol (LDAP)

LDAP over SSL (LDAPS)

Microsoft Active Directory (AD) server

Microsoft AD server over SSL (AD over SSL)

Limitations

PowerProtect Data Manager does not support multiple domains or forests on the same identity provider. Instead, configure separate identity providers for each domain or base.

Managing external identity providers

You can configure an external identity provider that manages usernames and passwords.

Only the Administrator and the Security Administrator roles can manage external identity providers. Manage identity providers and roles through the Administration > Access Control pane.

The domain associated with each external identity provider is case-sensitive. When an external identity provider user logs in, supply the domain with the same capitalization that was used when configuring the identity provider. Otherwise, you may receive error messages such as 500: Resources cannot be retrieved.

Configure an external identity provider

Only the Administrator and the Security Administrator roles can configure an external identity provider.

Steps

1. From the left navigation pane, select Administration > Access Control.

The Access Control window appears.

2. Click the Directory Settings tab. PowerProtect Data Manager displays a list of configured identity providers.

3. Click Add. The Add Directory window appears.

4. Configure the following attributes:

Table 8. Identity provider attributes

Attribute Description

Server Type Select a supported identity provider type.

Server Address Type the hostname or IP address of the identity provider. A protocol prefix is not required.

Secure Connection Select this attribute if the identity provider uses a secure connection method such as LDAPS or AD over SSL. Selecting this attribute enables the certificate validation controls.

Port Type the port number for the identity provider.

Domain Type the domain for which this identity provider authenticates users. For example, ldap.example.com.

User Name Type a user account that has full read access to the directory. A domain is not required.

Password Type the password for the specified user account.

Group Search Attribute Type the attribute name that the identity provider should use to validate the group name in the hierarchy.

Group Member Attribute Type the attribute name that the identity provider should use to validate the group member in the hierarchy.

Group Search Base If searches should not start from the default base, type the name of a base from which searches should start. For example, if the domain is ldap.example.com, type admin to start searches from admin.ldap.example.com. Otherwise, leave this attribute empty. Only a single search base is supported.

Populate the default values from this table into the appropriate fields when indicated:

Table 9. Default attribute values

Attribute Value or format

Port For unsecure connections, the default port number is 389. For secure connections, the default port number is 636.

Group Search Attribute sAMAccountName for AD and AD over SSL; cn for LDAP and LDAPS.

Group Member Attribute member for AD and AD over SSL; memberUid for LDAP and LDAPS.

5. If you selected a secure connection method:

a. Click Verify.

b. In the Verify Certificate window, verify the details of the identity provider TLS certificate and then click Accept.

NOTE: When you specify the LDAPS protocol, PowerProtect Data Manager automatically downloads the certificates required to connect to the identity provider. Once downloaded, the Certificate Validation field appears. Click Verify to compare the displayed certificate information with the expected certificate information. If the certificates match, click Accept to continue with the setup. Otherwise, click Cancel to cancel the setup.

6. Click Save.

Next steps

Assign identity provider groups to a role. The section Add identity provider group-to-role mapping provides instructions. You cannot log in as an external user without mapping users or groups to roles.

The domain associated with each external identity provider is case-sensitive. When an external identity provider user logs in, supply the domain with the same capitalization that was used when configuring the identity provider. Otherwise, you may receive error messages such as 500: Resources cannot be retrieved.

Edit an external identity provider

Only the Administrator and the Security Administrator roles can edit an external identity provider.

Steps

1. From the left navigation pane, select Administration > Access Control.

The Access Control window appears.

2. Click the Directory Settings tab. PowerProtect Data Manager displays a list of configured identity providers.

3. To view more information about an identity provider, click in the Details column for that identity provider. PowerProtect Data Manager opens the Details pane, which displays information about the identity provider's configuration.

4. Select the identity provider, and then click Edit.

5. Edit the attributes as required.

6. Click Save.

Delete an external identity provider

Only the Administrator and the Security Administrator roles can delete an external identity provider.

Steps

1. From the left navigation pane, select Administration > Access Control.

The Access Control window appears.

2. Click the Directory Settings tab. PowerProtect Data Manager displays a list of configured identity providers.

3. Select the identity provider that you would like to delete, and then click Delete.

Example: configuring an AD identity provider

In this example, an AD server that is named ad.forest1.org has an AD group called TestGroup_99. TestGroup_99 contains three users: Meghan, Patrick, and Liam. These users require access to the PowerProtect Data Manager UI with the privileges that are assigned to the User role.

View the properties of the AD configuration

To view the properties of the AD configuration, use a third-party tool such as the AD Explorer program.

Based on this AD configuration, specify the following values for PowerProtect Data Manager LDAP configuration options:

Domain: forest1.org

Server Address: ad.forest1.org

Configure the ad.forest1.org identity provider

The following figure provides an example of the group attributes that are required to configure the ad.forest1.org identity provider.

Figure 1. AD group properties in AD Explorer

Based on the properties of TestGroup_99, specify the following values for the LDAP configuration options:

Group Search Attribute: sAMAccountName

Example: configuring an LDAP identity provider

In this example, an LDAP server that is named alberta.lss.emc.com has a group that is named AlbertaAllGroups. AlbertaAllGroups contains three LDAP users: alberta_user1, alberta_user2, and alberta_user3. These users require access to the PowerProtect Data Manager UI with the privileges that are assigned to the User role.

View the LDAP configuration properties

To view the properties of the LDAP configuration, use a third-party tool such as the LDAP Admin program.

Based on this configuration, specify the following values for the LDAP configuration options:

Domain: alberta.emc.com

Server Address: alberta.lss.emc.com

Group Search Attribute: cn

Group Member Attribute: uniqueMember

Troubleshooting LDAP configuration issues

This section provides information about error messages that might appear when you configure an external identity provider for authentication.

For more information about LDAP configuration errors, refer to http://wiki.servicenow.com/index.php?title=LDAP_Error_Codes#gsc.tab=0.

User credentials are incorrect

The following message appears when the user credentials that you specified are not correct:

Error Code: 49: Invalid credentials

To resolve this issue, ensure that the values in the User Name and Password fields are correct.

Domain is not correct

One of the following messages appears when the Domain field is not correct:

Error Code: 32: No such object exists.

Error Code: -3: LDAP error: Invalid name: [invalidName]. LdapIdentitySource cannot have an empty base.

Error Code: 34: An invalid DN syntax.

To resolve this issue, ensure that the value in the Domain field is correct.

Format of the Server Address field is not correct

One of the following messages appears when the format of the Server Address field is not correct:

Error Code: 2: Protocol error

Error Code: -3: LDAP error: Cannot parse url: [url]

To resolve this issue, ensure that you specify the Server Address field without a protocol prefix. Type only the hostname or IP address.

Authentication to external systems

The following topics describe how PowerProtect Data Manager communicates and authenticates with other components.

Credential security

The PowerProtect Data Manager lockbox securely stores known secrets in a central location.

All stored secrets in the lockbox are encrypted. When an activity requires information from the lockbox, the requesting process provides the lockbox passphrase and then receives the required information in a decrypted format.

The lockbox holds secrets such as:

Credentials for local user accounts.

Protection storage credentials that you supply as you configure the appliance.

Credentials by which application agents authenticate to protected assets.

PowerProtect Data Manager creates a strong, unique passphrase during deployment to protect the lockbox contents. After deployment, PowerProtect Data Manager automatically encrypts and manages the lockbox passphrase without user interaction. Automatic management removes the requirement to provide the lockbox passphrase when you update from supported releases. Server DR backups protect the lockbox and its contents.

The File System agent also uses a separate lockbox on protected hosts to store sensitive information, including the credentials by which the application agent accesses external storage infrastructure.

For Kubernetes, PowerProtect Data Manager stores the necessary certificates and credentials for protection operations in a secret resource on the Kubernetes cluster. The Kubernetes documentation provides more information about how to enable encryption for this secret resource.

Remote component authentication

The PowerProtect Data Manager lockbox securely stores known secrets. These secrets include any user account and protection storage credentials that you supply as you configure the software.

Credential security provides more information about the lockbox.

PowerProtect Data Manager can use stored credentials in multiple contexts. The term "consumer" means a place where the appliance uses a credential, for any purpose. For example:

A username and password may apply to one individual host or asset. In this case, the host or asset is the consumer.

The same credential could also apply to all assets on the same protection policy, if the assets all authenticate with the same username and password. In this case, the protection policy is the consumer, even though the credential applies to the assets under that policy.

You can manage stored credentials through the PowerProtect Data Manager UI or the REST API.

Add a credential

Supply PowerProtect Data Manager with the necessary credentials to access external systems, such as storage targets, assets, and asset sources. You can also add credentials when you create a protection policy.

Steps

1. From the left navigation pane, select Administration > Credentials.

The Credentials window appears.

2. Click Add. The Add Credential dialog box opens.

3. Type a name for the credential.

Credential names should clearly identify the intended purpose and usage.

4. Select a credential type from the drop-down list.

The credential type determines the remaining fields. For example, username and password, token, or key.

5. Complete the remaining fields according to the selected type.

6. Click Save.

PowerProtect Data Manager adds the credential to the keystore.

View credential usage

For each stored credential, you can see a list of items that use that credential.

Steps

1. From the left navigation pane, select Administration > Credentials.

The Credentials window appears.

2. Locate the credential in the list of stored credentials.

Use the filters and column sort options to organize the list of credentials.

3. Select the credential from the list. Review the Consumer Count column for that credential. If the count is zero, the credential is not used anywhere.

4. Select the number in the Consumer Count column. The Details pane opens and displays a list of consumers that use the selected credential. The list groups items by type. For example, assets, protection policies, or storage targets.

Edit a credential

You can change a credential name or stored authentication details, such as a username or password. You cannot change the credential type.

Steps

1. From the left navigation pane, select Administration > Credentials.

The Credentials window appears.

2. Locate the credential in the list of stored credentials.

Use the filters and column sort options to organize the list of credentials.

3. Select the credential from the list, and then click Edit. The Edit Credential dialog box opens.

4. Modify any appropriate values.

The available values depend on the credential type. For example, username and password, token, or key.

5. Click Save.

PowerProtect Data Manager updates the stored credential.

Delete credentials

You can delete any credentials that are no longer in use or which you no longer need. Deleting a credential creates an entry in the audit log.

Prerequisites

The credentials must not be used anywhere. Verify the credential usage and that the consumer count is zero. If necessary, update anything that uses the credentials, such as protection policies or assets.

Steps

1. From the left navigation pane, select Administration > Credentials.

The Credentials window appears.

2. Locate the credential in the list of stored credentials.

Use the filters and column sort options to organize the list of credentials.

3. Select the credential or credentials from the list.

4. Verify that the Consumer Count column displays zero consumers. If the count is zero, the credential is not used anywhere and you can delete the credential. The Delete button activates when all selected credentials have zero consumers.

5. Click Delete.

6. Click OK to confirm the deletion.

PowerProtect Data Manager removes the credential.

Protection engine and Search Engine node authentication

Protection engines and Search Engine nodes are virtual machines that exist apart from, but under the control of, PowerProtect Data Manager.

Because of their function, these components have IP addresses that allow external access. Each component has admin and root user accounts, which are only used to provide PowerProtect Data Manager functionality and for troubleshooting. For example, the Search Engine node admin user accounts enable PowerProtect Data Manager to perform operations on each node, such as obtaining the health status of the node.

The password management policies for these accounts are set to lock the admin user account after three failed attempts within five minutes. If you try to access a component while the admin user account is locked, the amount of time that the account remains locked increases.

There is no public interface available that enables you to access a protection engine or Search Engine node by using these admin credentials. All required interaction with these components happens through the PowerProtect Data Manager UI.

Get protection engine or Search Engine node credentials

The management tools for protection engines and Search Engine nodes are provided with PowerProtect Data Manager. Use the management tools to get credentials for these components.

About this task

The term protection engines here includes VM Direct engines, NAS protection engines, and Kubernetes protection engines.

Steps

1. Connect to the PowerProtect Data Manager console and change to the root user.

2. Set the environment variables:

source /opt/emc/vmdirect/unit/vmdirect.env

3. Obtain the protection engine credentials:

/opt/emc/vmdirect/bin/vproxymgmt get -secret

For environments with many protection engines, you can specify a protection engine ID to narrow the results:

/opt/emc/vmdirect/bin/vproxymgmt get -vproxy_id -secret

Total '2' vProxies VMs available.

VProxy ID: f102c755-d084-4425-a151-a0ade4d1a4c7
Type: Embedded
Hostname: localhost
Disabled: false
Status: Ready
Protection Type: VM
VM Configured Capacity Units: 16
VM Capacity Units in use: 0
VM Control Sessions in use: 0
VM Transport Sessions in use: 0

VProxy ID: 7bb57817-588f-46cc-b6ac-0dbf357dff92
Type: External
Hostname: vmdirect.test.emc.com
Disabled: false
Status: Ready
Protection Type: VM
VCenter inventory source ID: 28d387df-452f-5992-820a-720e6c6a60fe
VCenter: vcenter.test.emc.com
VM Name: vproxy-vmdirect
AdminCredentials-Username: 'admin' Password: '%%%%%%%%'
RootCredentials-Username: 'root' Password: '%%%%%%%%'
VM Configured Capacity Units: 100
VM Capacity Units in use: 0
VM Control Sessions in use: 0
VM Transport Sessions in use: 0

Record the protection engine credentials.

4. Obtain the Search Engine node credentials:

/opt/emc/vmdirect/bin/infranodemgmt get -secret

For environments with many Search Engine nodes, you can specify a Search Engine node ID to narrow the results:

/opt/emc/vmdirect/bin/infranodemgmt get -node_id -secret

Total '1' node VMs available.

Node ID: 14c16c75-2c8b-4dff-b93c-d95bdba5a1f6
Node Type: SearchNode
Hostname: search.test.emc.com
Disabled: false
Status: Ready
VM Name: search
VCenter inventory source ID: 3f94030f-090d-5439-a426-ce9945e8cd89
VCenter: vcenter.test.emc.com
AdminCredentials-Username: 'admin' Password: '%%%%%%%%'
RootCredentials-Username: 'root' Password: '%%%%%%%%'

Record the Search Engine node credentials.

Reset Search Engine node credentials

You can reset the credentials for a Search Engine node admin user by using the vCenter console. Before you access a Search Engine node through the vCenter console, determine why the user account is locked.

About this task

The PowerProtect Data Manager Administration and User Guide provides information about the Search Engine troubleshooting to which this task relates.

Steps

1. Obtain the Search Engine node root credentials. Get protection engine or Search Engine node credentials provides instructions.

2. Log in to the vCenter server where the Search Engine node is deployed.

3. From the left pane of the vSphere Client home page, select the Search Engine node from the VMs and Templates view.

4. Launch a virtual machine vCenter console for the Search Engine node.

5. Log in to the Search Engine node with the root credentials.

6. Reset the admin user account credentials:

/sbin/pam_tally2 --user admin --reset

Authorization

Authorization describes how PowerProtect Data Manager maps an authenticated user or external system to a level of access or permissions. More broadly, authorization describes what users are allowed to do.

Topics:

Default authorizations

External authorization associations

Role-based access control (RBAC)

Scopes of authority

Resources and resource groups

Default authorizations

Take note of the following user, group, and role considerations when authorizing users or adding users to roles and groups.

Default admin user

The default admin user is preassigned the Administrator role during PowerProtect Data Manager deployment.

The default admin user has super user control over PowerProtect Data Manager and cannot be deleted. However, you can modify the attributes of the default admin user.

Oracle group users

Note that users in the Oracle group have permission to delete the lockbox configuration file. To prevent data loss, add only trusted users to this group.

External authorization associations

This section describes how to connect PowerProtect Data Manager authorization to identity provider-based subjects.

Only the Administrator and the Security Administrator roles can add external identity provider groups.

Before associating external identity provider users, configure an external identity provider group. On the external identity provider, add the PowerProtect Data Manager users to this group.

When you map PowerProtect Data Manager roles to an identity provider group, the mapping confers those roles on every user in the group.

Add identity provider group-to-role mapping

Only the Administrator and the Security Administrator roles can add identity provider group-to-role mapping.

Prerequisites

This procedure contains the process of role assignment, which delegates the authorization to perform particular tasks. Review the list of system-defined roles and identify all necessary roles.

This procedure also enables you to define scopes of authority in which this role assignment operates. Plan any applicable scopes and create any necessary resource groups. Creating a scope of authority is optional; you can assign authorization over all assets.

NOTE: You can only limit the Backup Administrator, Restore Administrator, and User roles to specific resource groups. The Administrator and Security Administrator roles have full access to all resources.

About this task

NOTE: Mapping the Protected Users group from Windows Active Directory is not supported. If you add a mapping for this group, its members cannot log in to PowerProtect Data Manager.

Steps

1. From the left navigation pane, select Administration > Access Control.

The Access Control window appears.

2. Click the Users/Groups tab. PowerProtect Data Manager displays a list of configured user accounts and external identity provider groups, including any associated roles.

3. Click Add User/Group. The Add User/Group window opens on the User Type tab.

4. Select AD/LDAP User Group.

5. Select the domain which corresponds to the identity provider for which you would like to add group-to-role mapping.

6. In Groups, start typing the name of an identity provider group. PowerProtect Data Manager searches the identity provider and displays any matching groups.

7. Select one or more groups from the list of results.

8. Click Next. The Add User/Group window moves to the Role tab.

9. Select one or more applicable roles.

To see a list of the permissions for each role, click >. You can further refine the applicability of each role on the next tab.

10. Click Next. The Add User/Group window moves to the Resources tab.

11. For each role, select whether the authorizations from that role should apply to All Assets or to Selected Resource Groups.

Applying an authorization only to selected resource groups creates a scope of authority.

If you chose Selected Resource Groups, a list of resource groups appears.

a. Select one or more available resource groups.

b. To remove a selected resource group from the list, click the X for that resource group.

12. Click Next. The Add User/Group window moves to the Summary tab.

13. Review your selections, correct any errors, and then click Finish.

Results

The new group appears in the list of configured user accounts and groups.

Modify identity provider group-to-role mapping

Only the Administrator and the Security Administrator roles can modify identity provider group-to-role mapping.

Prerequisites

This procedure contains the process of role assignment, which delegates the authorization to perform particular tasks. Review the list of system-defined roles and identify all necessary roles.

This procedure also enables you to define scopes of authority in which this role assignment operates. Plan any applicable scopes and create any necessary resource groups. Creating a scope of authority is optional; you can assign authorization over all assets.

NOTE: You can only limit the Backup Administrator, Restore Administrator, and User roles to specific resource groups. The Administrator and Security Administrator roles have full access to all resources.


Steps

1. From the left navigation pane, select Administration > Access Control.

The Access Control window appears.

2. Click the Users/Groups tab. PowerProtect Data Manager displays a list of configured user accounts and external identity provider groups, including any associated roles.

3. Click for any group to see the following information:

Group name
Group type
Group role
Date the group was mapped

4. Select the group that you want to edit, and then click Edit. The Edit User/Group window opens on the User Type tab.

5. Review the information on the User Type tab.

The domain and group name are read-only.

6. Click Next. The Edit User/Group window moves to the Role tab.

7. Select one or more applicable roles.

To see a list of the permissions for each role, click >. You can further refine the applicability of each role on the next tab.

8. Click Next. The Edit User/Group window moves to the Resources tab.

9. For each role, select whether the authorizations from that role should apply to All Assets or to Selected Resource Groups.

Applying an authorization only to selected resource groups creates a scope of authority.

If you chose Selected Resource Groups, a list of resource groups appears.

a. Select one or more available resource groups.

b. To remove a selected resource group from the list, click the X for that resource group.

10. Click Next. The Edit User/Group window moves to the Summary tab.

11. Review your selections, correct any errors, and then click Finish.

Results

The changes appear in the list of configured user accounts and groups.

Delete identity provider group-to-role mapping

Only the Administrator and the Security Administrator roles can delete identity provider group-to-role mapping.

Steps

1. From the left navigation pane, select Administration > Access Control.

The Access Control window appears.

2. Click the Users/Groups tab. PowerProtect Data Manager displays a list of configured user accounts and external identity provider groups, including any associated roles.

3. Select the group that you want to delete, and then click Delete.

4. Click OK to confirm the deletion.


Role-based access control (RBAC)

These topics describe the available system roles, the privileges that go along with each role, and how to use them to assign privileges to authenticated users. They also explain how to map external identity provider subjects to PowerProtect Data Manager roles.

Roles

A role defines the privileges and permissions that a user has to perform a group of tasks. When a user is assigned a role, you grant the user all of the privileges that are defined by the role.

By using predefined roles, you can limit access to PowerProtect Data Manager operations by applying the principle of least privilege. System-provided roles and associated privileges provides more information about the built-in roles that you can apply to common environments.

Roles also control access to resources such as backup data and infrastructure objects through resource groups. Data storage security settings provides more information about resource groups, while Scopes of authority provides information about how to use roles and resource groups to enforce information security.

Roles are assigned to users and groups during user creation or group mapping. You can change role assignments by editing a user or group. Managing local identity provider users and External authorization associations provide instructions.

You can assign a user to multiple roles. For example, a user can hold both the Backup Administrator and Restore Administrator roles without having full system administration privileges.

To view a list of available roles, select Administration > Access Control and select the Roles tab. The table displays each role with a brief description and the number of users who are assigned that role. Click to see a full list of the associated privileges for any role.

System-provided roles and associated privileges

The following sections describe the built-in roles to which you can assign users:

Administrator role

The system Administrator role is responsible for setup, configuration, and all PowerProtect Data Manager management functions. The Administrator role provides systemwide access to all functionality across all organizations. One default Administrator role is assigned at PowerProtect Data Manager deployment. You can add and assign additional Administrator roles to users in your organization who require full access to the system.

User role

The User role is responsible for monitoring the PowerProtect Data Manager Dashboard, Activity Monitor, and Notifications. The User role provides read-only access to monitor activities and operations. Assign the User role to users in your organization who monitor Dashboard activities, Activity Monitor, and Notifications. Users with this role do not require the ability to configure the system or access backup data. Most privileges that are held by this role are read-only.

Security Administrator role

The Security Administrator role is defined for a limited set of users who manage user accounts and roles, privileges, audit logs, and authentication sources. These functions are separate from the Administrator role. You can assign this role to individuals with security clearances who may not be responsible for day-to-day operations but who clear other users for access.

Backup Administrator role

The Backup Administrator role is responsible for defining, configuring, and completing protection tasks such as backup operations. Individuals with this limited access role do not require the full set of system administrator permissions. These users work with resources that the system administrator has already configured. The Backup Administrator role can back up assets and manage copies at the asset level but cannot back up at the protection policy level.

Restore Administrator role

The Restore Administrator role is responsible for completing restore operations. Individuals with this limited access role do not require the full set of system administrator permissions. These individuals work with backups that exist in protection storage and with resources that the system administrator has already configured.

Role privileges

The following table details the privileges that correspond to each predefined role. Role privilege definitions provides more information about the allowed activities for each privilege.

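Table 10. Role privileges

| Category | Privilege | Administrator | User | Security Administrator | Backup Administrator | Restore Administrator |
|---|---|---|---|---|---|---|
| Monitoring | View Alerts | Y | Y | N | Y | Y |
| Monitoring | Manage Alerts | Y | N | N | Y | Y |
| Monitoring | View Historical Data | Y | Y | N | N | N |
| Monitoring | View Activities | Y | Y | N | Y | Y |
| Monitoring | Manage Activities | Y | N | N | Y | Y |
| Monitoring | Manage External Notifications | Y | N | N | N | N |
| Monitoring | Workflow Execution | Y | N | N | N | N |
| Monitoring | View Protection Activities | Y | Y | N | Y | N |
| Monitoring | View Recovery Activities | Y | Y | N | N | Y |
| Monitoring | View System Activities | Y | Y | N | N | N |
| Security and System Audit | View Security/System Audit | Y | Y | Y | N | N |
| Security and System Audit | Manage Security/System Audit | Y | N | Y | N | N |
| User and Security Management | View User Security | Y | Y | Y | N | N |
| User and Security Management | Manage User Security | Y | N | Y | N | N |
| Support Assistance and Log Management | View Diagnostic Logs | Y | Y | N | N | N |
| Support Assistance and Log Management | Manage Diagnostic Logs | Y | N | N | N | N |
| System Management | View System Settings | Y | Y | Y | Y | Y |
| System Management | Manage System Settings | Y | N | N | N | N |
| Asset Management | View Assets | Y | Y | Y | Y | Y |
| Asset Management | Manage Assets | Y | N | N | Y | N |
| Asset Management | View Asset Sources | Y | Y | N | Y | Y |
| Asset Management | Manage Asset Sources | Y | N | N | N | N |
| Asset Management | Manage Discovery Jobs | Y | N | N | N | N |
| Asset Management | View Host | Y | Y | N | Y | Y |
| Asset Management | Manage Host | Y | N | N | N | Y |
| Asset Management | View Protection Engines | Y | Y | N | Y | Y |
| Asset Management | Manage Protection Engines | Y | N | N | N | N |
| Asset Management | View Search Engines | Y | Y | N | Y | Y |
| Asset Management | Manage Search Engines | Y | N | N | N | N |
| Asset Management | Manage Application Agents | Y | N | N | Y | N |
| Storage Management | View Protection Storage Targets | Y | Y | N | Y | Y |
| Storage Management | Manage Protection Storage Targets | Y | N | N | N | N |
| Storage Management | View Storage Array | Y | Y | N | Y | Y |
| Storage Management | Manage Storage Array | Y | N | N | N | N |
| Storage Management | Manage Network | Y | N | N | N | N |
| Protection Policy | View Policies | Y | Y | N | Y | N |
| Protection Policy | Manage Policies | Y | N | N | N | N |
| Recovery and Reuse Management | Rollback to Production | Y | N | N | N | Y |
| Recovery and Reuse Management | Recovery to Alternate Location | Y | N | N | N | Y |
| Recovery and Reuse Management | Export for Reuse | Y | N | N | N | Y |
| SLA Compliance Management | View SLA/SLO | Y | Y | N | Y | N |
| SLA Compliance Management | Manage SLA/SLO | Y | N | N | N | N |
| Copy Management | View Copies | Y | N | N | Y | Y |
| Copy Management | Manage Copies | Y | N | N | Y | N |
| Copy Management | View Retention Range | Y | N | N | Y | N |
| Copy Management | Manage Retention Range | Y | N | N | N | N |
| Copy Management | Delete Copies | Y | N | N | N | N |
| Copy Management | All Copies Search | Y | N | N | N | N |
| Resource Group | View Resource Groups | Y | Y | Y | N | N |
| Resource Group | Manage Resource Groups | Y | N | Y | N | N |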

Role privilege definitions

System-provided roles and associated privileges lists the privileges that PowerProtect Data Manager associates with each integrated role. For each privilege, the following tables identify the specific tasks which a user with that privilege can perform.

Table 11. Monitoring privileges

| Privilege | Task |
|---|---|
| View Alerts | View alerts and external notifications. |
| Manage Alerts | Create, publish, cancel, ignore, promote, and demote alerts and external notifications. Acknowledge alerts and add notes to alerts. |
| View Historical Data | View historical data that relates to plans, arrays, data targets, data sources, and capacity data. |
| View Activities | View jobs. |
| Manage Activities | Create, view, edit, and cancel activity resources. |
| Manage External Notifications | Subscribe or unsubscribe a user for alert notifications. |
| Workflow Execution | Start and cancel workflow execution. View the status of workflow execution. |
| View Protection Activities | View protection activities. |
| View Recovery Activities | View recovery activities. |
| View System Activities | View system activities. |

Table 12. Security and system audit privileges

| Privilege | Task |
|---|---|
| View Security/System Audit | View security audit-related events and activities. |
| Manage Security/System Audit | Acknowledge security audit-related events and activities. Export audit/change log of events and activities. |

Table 13. Support assistance and log management privileges

| Privilege | Task |
|---|---|
| View Diagnostic Logs | View log bundle resources. View log information resources. View the log source resource. View logs. |
| Manage Diagnostic Logs | View and manage log bundle resources. View and edit the log source resource. Export logs. |

Table 14. User and security management privileges

| Privilege | Task |
|---|---|
| View User Security | View users and roles. View identity providers and AD/LDAP groups. View external host TLS certificates. View allowlists. |
| Manage User Security | Create, view, edit, and delete users. View roles. Create, view, edit, and delete allowlists. Create, view, edit, and delete external host TLS certificates. Create, view, edit, and delete identity providers. Create, view, edit, and delete user groups. |

Table 15. System management privileges

| Privilege | Task |
|---|---|
| View System Settings | View server disaster recovery artifacts. View maintenance mode. View license information. View server disaster recovery status. View SupportAssist information. View node, configuration EULA, operating system user, update package, component, configuration status, configuration logs, time zone, and state resources. |
| Manage System Settings | Manage server disaster recovery activities. Manage SupportAssist gateway connection and other telemetry communications. View and edit node state resources. Update license information. View component, configuration status, configuration logs, time zone, and state resources. View and edit node, configuration EULA, operating system user, and lockbox resources. Create, view, edit, and delete update package resources. |

Table 16. Asset management privileges

| Privilege | Task |
|---|---|
| View Assets | View assets. |
| Manage Assets | Create, view, edit, and delete assets. Add, view, edit, and delete protection policy assets. Perform manual backups of protected assets. |
| View Asset Sources | View asset sources. |
| Manage Asset Sources | Create, view, edit, and delete asset sources. |
| Manage Discovery Jobs | Create, view, edit, and delete discovery jobs. |
| View Host | View asset hosts. |
| Manage Host | Create, view, edit, and delete asset hosts. |
| View Protection Engines | View protection engines. |
| Manage Protection Engines | Create, view, edit, and delete protection engines. |
| View Search Engine | View the Search Engine. |
| Manage Search Engine | Create, view, edit, and delete the Search Engine. |
| Manage Application Agents | Install and update the agent on an application host. |

Table 17. Storage management privileges

| Privilege | Task |
|---|---|
| View Protection Storage Targets | View storage targets. |
| Manage Protection Storage Targets | Create, view, edit, and delete storage targets. |
| View Storage Array | View storage arrays. |
| Manage Storage Array | Create, view, edit, and delete storage arrays. |
| Manage Network | Create and assign network interfaces to storage arrays. |

Table 18. Protection policy privileges

| Privilege | Task |
|---|---|
| View Policies | View a list of all protection policies. View the storage targets of protection policy. View the accessible assets that are assigned to protection policies. View protection policy schedules. View protection policy networking and other advanced options. View file filters. View protection rules. View SLA policies. View storage capacity quota. View stream counts. View retention time. |
| Manage Policies | Create, view, edit, and delete protection policies. Disable protection policies. Create, view, edit, and delete schedule resources. Add, view, and edit protection policy storage targets. Perform manual backups of protected assets. Create, view, edit, and delete file filters. Create, view, edit, and delete protection rules filters. Assign SLA policies. Assign storage capacity quota. Assign stream counts. Set retention time. |

Table 19. Recovery and reuse management privileges

| Privilege | Task |
|---|---|
| Rollback to Production | Create, view, edit, and start restore to production operations. |
| Recovery to Alternate Location | Create, view, edit, and start restore to alternate location operations. |
| Export for Reuse | Create, view, edit, and start export and reuse operations. |

Table 20. SLA compliance management privileges

| Privilege | Task |
|---|---|
| View SLA/SLO | View compliance results. View SLA/SLO policy. |
| Manage SLA/SLO | Export asset compliance results. Create, view, edit, and delete SLA/SLO policy. |

Table 21. Copy management privileges

| Privilege | Task |
|---|---|
| View Copies | View asset copies and backups. |
| Manage Copies | Edit asset copy and backup retention. Recall copies from the cloud. Edit asset copy and backup recall retention. |
| View Retention Range | View retention range. |
| Manage Retention Range | Manage retention range across all copies and backups. |
| Delete Copies | Delete copies and backups. |
| All Copies Search | Manage available copies and backups. |

Table 22. Resource group privileges

| Privilege | Task |
|---|---|
| View Resource Groups | View a list of all resource groups. View resource group details. |
| Manage Resource Groups | Create, view, edit, and delete resource groups. |

Scopes of authority

A scope of authority represents the full association between users, roles, and data: a representation of who may perform what operations, and where. In this way, a scope of authority sets boundaries on user actions.

To define a scope of authority:

1. Identify the use cases for which you must control access.

2. For each use case, identify the associated resources, and then create or edit a corresponding resource group. Resources and resource groups provides instructions.

3. For each use case, identify the required operations for each user or group.

4. Review the list of permissions, and then match each user or group to an appropriate role. Role-based access control (RBAC) provides more information.

A user or group may require a combination of roles, such as Restore Administrator for some assets and User for others.

5. Add or edit the required users and group mappings, and then specify the required roles. Managing local identity provider users and External authorization associations provide instructions.

During the role assignment process, select any resource groups to which the specified role or roles should apply.

NOTE: You can only limit the Backup Administrator, Restore Administrator, and User roles to specific resource groups. The Administrator and Security Administrator roles have full access to all resources.


With different scopes of authority, you can distinguish between individuals with the same role in different contexts, such as administrators for different departments or projects. Example: protecting and isolating confidential information with scopes of authority provides a practical example.

You can also define scopes of authority to provide designated users with more control over their own data, such as performing self-service restores without administrator intervention. Example: providing self-service restores with scopes of authority provides a practical example.

Scopes of authority restrict users from learning about and accessing resources which belong to someone else. Users can only see and operate on resources which are part of their scope of authority.

Example: protecting and isolating confidential information with scopes of authority

The following example illustrates a practical application for defining scopes of authority through roles and resource groups.

Your environment has the following configuration:

Three protection storage systems named Finance, Engineering, and HumanResources.

Three asset sources named Payroll, Prototypes, and Investigations.

Three users named Gurpreet, Lisa, and Eric, all with the Restore Administrator role.

Each named user administers the assets for a different department.

Without resource groups, there is no defined scope of authority. All three users can restore from a backup of any asset source, even if those assets belong to another department and the backups contain confidential information.

To ensure information security, you can define three resource groups: FinDeptRG, EngDeptRG, and HRDeptRG. Now you can use these resource groups to create separate scopes of authority for each user:

Table 23. Resource groups

| Resource group name | Included resources |
|---|---|
| FinDeptRG | Finance, Payroll |
| EngDeptRG | Engineering, Prototypes |
| HRDeptRG | HumanResources, Investigations |

Table 24. Scopes of authority

| User | Role | Scope |
|---|---|---|
| Gurpreet | Restore Administrator | FinDeptRG |
| Gurpreet | User | All assets |
| Lisa | Restore Administrator | EngDeptRG |
| Lisa | User | All assets |
| Eric | Restore Administrator | HRDeptRG |
| Eric | User | All assets |

The three users still share a common role in the same organization. However, the separate scopes prevent a user from acting on resources that belong to another department.

Example: providing self-service restores with scopes of authority

The following example illustrates a practical application for defining scopes of authority through roles and resource groups.

Your environment has the following configuration:

Three ordinary users named Gurpreet, Lisa, and Eric.

Three asset sources named Payroll, Prototypes, and Investigations.

Each named user owns one of the named asset sources and requires no additional special accesses for daily work.


These named users do not usually interact with PowerProtect Data Manager because system administrators manage protection policies and operations.

These named users would like to restore their own assets from backups without assistance from system administrators.

Before the request, a system administrator would customarily assign the User role to these three users, or no access at all. The User role lacks permission to restore assets from backups.

To enable self-service restores, each user requires the Restore Administrator role. However, without a defined scope of authority, providing this role to all three users would enable access to backups belonging to any user.

To safely grant the request, you can define a resource group for each user and associate only the assets or asset source for that user. Each resource group permits a separate scope of authority in which you can grant that user the Restore Administrator role for those assets alone.

Table 25. Resource groups

| Resource group name | Included resources |
|---|---|
| GurpreetRG | Payroll |
| LisaRG | Prototypes |
| EricRG | Investigations |

Table 26. Scopes of authority

| User | Role | Scope |
|---|---|---|
| Gurpreet | Restore Administrator | GurpreetRG |
| Gurpreet | User | GurpreetRG |
| Lisa | Restore Administrator | LisaRG |
| Lisa | User | LisaRG |
| Eric | Restore Administrator | EricRG |
| Eric | User | EricRG |

All three users now have access to the PowerProtect Data Manager UI, where they can perform restore operations on their own data. The separate scopes isolate each user from all others.

Resources and resource groups

A resource is a PowerProtect Data Manager asset on which users can perform operations.

A resource group is a construct that enables administrators to manage and refine authorization by tagging related resources to which that authorization should apply. Resource groups define or restrict the scope on which users with a given role can exercise that authority.

After you define a resource group, assign one or more resources to the group. You can manually assign resources to resource groups, or you can assign resources by protection policy. A resource can belong to more than one resource group, and resource groups are not restricted to resources of the same type. For example, you can group resources by ownership or department.

Permissions are additive, so user authorization is the sum of the applicable resource groups and roles. For example, a user can be a Backup Administrator for one department and a Restore Administrator for another.
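The confidential-information example under Scopes of authority and the additive rule above can be checked with a small model before you change any mappings. The following Python is an added illustration, not PowerProtect Data Manager code or its API: it evaluates the Table 23 and Table 24 assignments against an excerpt of Table 10, and the names Assignment, HOME_GROUP, validate, reach, and cross_department_restores are assumptions made for this sketch.

```python
"""Added model of scopes of authority; not PowerProtect Data Manager code."""
from dataclasses import dataclass

ALL_ASSETS = "All Assets"  # marker for an unrestricted scope (name chosen here)

# Excerpt of Table 10: only the privileges this example evaluates.
_RESTORE = {"Rollback to Production", "Recovery to Alternate Location", "Export for Reuse"}
ROLE_PRIVILEGES = {
    "Administrator": {"View Assets", "Manage Assets", "View Copies"} | _RESTORE,
    "Security Administrator": {"View Assets"},
    "User": {"View Assets"},
    "Backup Administrator": {"View Assets", "Manage Assets", "View Copies"},
    "Restore Administrator": {"View Assets", "View Copies"} | _RESTORE,
}
# Per the NOTE: only these roles can be limited to specific resource groups.
SCOPABLE_ROLES = {"Backup Administrator", "Restore Administrator", "User"}

# Table 23: resource groups and their included resources.
RESOURCE_GROUPS = {
    "FinDeptRG": {"Finance", "Payroll"},
    "EngDeptRG": {"Engineering", "Prototypes"},
    "HRDeptRG": {"HumanResources", "Investigations"},
}
ALL_RESOURCES = set().union(*RESOURCE_GROUPS.values())
# Which department group each user administers (taken from Table 24).
HOME_GROUP = {"Gurpreet": "FinDeptRG", "Lisa": "EngDeptRG", "Eric": "HRDeptRG"}


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    scope: str  # a resource group name, or ALL_ASSETS


# Before: everyone is a Restore Administrator and no resource groups are used.
UNSCOPED = [Assignment(u, "Restore Administrator", ALL_ASSETS) for u in HOME_GROUP]
# After: the assignments from Table 24.
SCOPED = [a for u, rg in HOME_GROUP.items()
          for a in (Assignment(u, "Restore Administrator", rg),
                    Assignment(u, "User", ALL_ASSETS))]


def scope_resources(scope):
    """Resources covered by a scope; an unknown group covers nothing."""
    if scope == ALL_ASSETS:
        return ALL_RESOURCES
    return RESOURCE_GROUPS.get(scope, set())


def validate(assignments):
    """Return problems that make an assignment list inconsistent with the guide."""
    problems = []
    for a in assignments:
        if a.role not in ROLE_PRIVILEGES:
            problems.append(f"{a.user}: unknown role {a.role}")
        elif a.scope != ALL_ASSETS and a.role not in SCOPABLE_ROLES:
            problems.append(f"{a.user}: {a.role} cannot be limited to {a.scope}")
        if a.scope != ALL_ASSETS and a.scope not in RESOURCE_GROUPS:
            problems.append(f"{a.user}: unknown resource group {a.scope}")
    return problems


def is_allowed(assignments, user, privilege, resource):
    """Additive evaluation: one matching (role, scope) pair is enough."""
    return any(
        a.user == user
        and privilege in ROLE_PRIVILEGES.get(a.role, set())
        and resource in scope_resources(a.scope)
        for a in assignments
    )


def reach(assignments, user, privilege):
    """All resources on which the user holds the privilege."""
    return {r for r in ALL_RESOURCES if is_allowed(assignments, user, privilege, r)}


def cross_department_restores(assignments, home_group=HOME_GROUP):
    """Sorted (user, resource) pairs where a user can restore another department's data."""
    findings = []
    for user, group in home_group.items():
        foreign = reach(assignments, user, "Rollback to Production") - RESOURCE_GROUPS[group]
        findings.extend((user, r) for r in sorted(foreign))
    return sorted(findings)


if __name__ == "__main__":
    for label, plan in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(label, "config problems:", validate(plan))
        print(label, "cross-department restores:", cross_department_restores(plan))
```

In this model the Table 24 assignments still let each user view assets in every department through the User role at All assets; only the restore privileges are confined to the home resource group.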

NOTE: Resource groups are not supported for Cloud Snapshot Manager assets.

Role-based access control (RBAC) provides more information about roles and authorization. Scopes of authority provides information about how to use resource groups to refine authorization.

NOTE: You can only limit the Backup Administrator, Restore Administrator, and User roles to specific resource groups. The Administrator and Security Administrator roles have full access to all resources.


Create a resource group

Creating a resource group associates resources with the new resource group.

Prerequisites

Only the Administrator and the Security Administrator roles can view or modify resource groups.

Both the Administrator and the Security Administrator roles can assign assets to resource groups by manual selection, or the option to select all assets.

Only the Administrator role can assign assets to resource groups by selecting a protection policy.

About this task

When you use All Assets or select assets by protection policy, the resulting selection may contain a very large number of assets. The asset count refreshes ten times during the asset enumeration process. For most situations, this behavior is enough to enumerate all assets for the asset count. However, if the number of assets is very large, the UI may show only a partial count. In this case, return to the Resource Group Configuration window or check the count on the Summary page and review the final count.

Steps

1. From the left navigation pane, select Administration > Access Control.

The Access Control window appears.

2. Click the Resource Groups tab. PowerProtect Data Manager displays a list of configured resource groups, including the number of resources protected by each group.

3. To add a resource group, click New.

The New Resource Group window opens.

4. Type a name and description for the resource group.

5. Click Create.

The Resource Group Configuration window opens.

The Select Assets list includes one row for each enabled asset type, with a drop-down list that controls asset selection for that type. The available options are None, All Assets, and Selected Assets.

If the Select Assets list does not contain selectable assets, add an asset source that contains assets. The PowerProtect Data Manager Administration and User Guide and the user guide for each asset source provide instructions.

The remaining steps in this task cover each of the three associated use cases.

To remove all assets of a single type from the resource group:

6. Change the drop-down list to None. The wizard displays a confirmation message.

7. Click Save. The wizard returns to the Resource Group Configuration window.

To add all assets of a single type to the resource group:

8. Change the drop-down list to All Assets. The wizard displays a confirmation message.

9. Click Save. The wizard returns to the Resource Group Configuration window, where PowerProtect Data Manager displays the number of assets of that type beside the drop-down list.

To select specific assets of a single type and add those assets to the resource group:

10. Change the drop-down list to Selected Assets. The Select Assets dialog box opens. This dialog box presents two options: select assets by policy or manual selection. You can use either or both methods to add assets to the resource group.

11. Click Next. The wizard moves to the Select By Policy page. This page lists all protection policies that contain assets of this type and provides a cumulative list of selected assets.

12. To include the assets from a protection policy, move the slider for that policy to the right. The wizard adds the corresponding assets to the list of selected assets. Repeat this step for each applicable policy.

13. Verify the contents of the list of selected assets, and then click Next.


The wizard moves to the Available Assets tab on the Manual Selection page. This tab lists all assets of the selected type, including unprotected assets, which you have not already selected by policy.

14. Use the filters, paging controls, and checkboxes for each row to locate and select assets. The wizard adds the selected assets to the list on the Manually Selected tab. Repeat this step for each applicable asset.

15. Click the Manually Selected tab, verify the contents of the list, and then click Next. The wizard moves to the Summary page. This page lists the assets to be added to the resource group.

Assets are listed separately by selection method, including the number of assets from each protection policy.

16. Click > to expand either list, verify the listed assets and the expected counts, and then click Save.

The Select Assets dialog box closes and the wizard returns to the Resource Group Configuration window.

PowerProtect Data Manager displays the number of assets of that type beside the drop-down list.

17. To change the selection of individual assets of this type, click Edit.

When you finish selecting assets for the resource group:

18. To review the selection for any asset type, click View Assets.

19. Click Done.

PowerProtect Data Manager adds the new resource group to the list of resource groups.

Edit a resource group

You can change the name and description for a resource group, and change the asset selections that are associated with the group.

Prerequisites

Only the Administrator and the Security Administrator roles can view or modify resource groups.

Both the Administrator and the Security Administrator roles can assign assets to resource groups by manual selection, or the option to select all assets.

Only the Administrator role can assign assets to resource groups by selecting a protection policy.

About this task

When you use All Assets or select assets by protection policy, the resulting selection may contain a very large number of assets. The asset count refreshes ten times during the asset enumeration process. For most situations, this behavior is enough to enumerate all assets for the asset count. However, if the number of assets is very large, the UI may show only a partial count. In this case, return to the Resource Group Configuration window or check the count on the Summary page and review the final count.

When you try to edit a resource group with many individually-selected assets, you may receive a notification for a 504 Gateway Timeout Error. This error occurs when you try to edit asset selection, as the Select Assets dialog box opens to the Summary page.

When you remove assets from a resource group, circumstances may prevent the removal of a subset of those assets. If a removal operation leaves some assets in place, repeat the operation until all unwanted assets are removed from the resource group.

Steps

1. From the left navigation pane, select Administration > Access Control.

The Access Control window appears.

2. Click the Resource Groups tab. PowerProtect Data Manager displays a list of configured resource groups, including the number of resources protected by each group.

3. To view the assets in a resource group, click . The Details pane opens and displays a list of assets that are sorted by type.

4. Select a resource group from the list and then click Edit.

The Resource Group Configuration window opens.

The Select Assets list includes one row for each enabled asset type, with a drop-down list that controls asset selection for that type. PowerProtect Data Manager displays the number of selected assets of that type beside the drop-down list.


The available options for each row are None, All Assets, and Selected Assets.

The remaining steps in this task cover the associated use cases, depending on the current states of the drop-down lists.

5. To change the name or description for the resource group, click .

The Edit Resource Group window opens. Click Save to apply the changes.

To remove all assets of a single type from the resource group:

6. Change the drop-down list to None. The wizard displays a confirmation message.

7. Click Save. The wizard returns to the Resource Group Configuration window.

To add all assets of a single type to the resource group:

8. Change the drop-down list to All Assets. The wizard displays a confirmation message.

9. Click Save. The wizard returns to the Resource Group Configuration window, where PowerProtect Data Manager displays the number of assets of that type beside the drop-down list.

To enable selection of specific assets, where asset selection was previously None or All Assets:

10. If asset selection is All Assets, change the drop-down list to None. The wizard clears the existing asset selection so that you can then select specific assets.

11. Change the drop-down list to Selected Assets. The Select Assets dialog box opens. This dialog box presents two options: select assets by policy or manual selection. You can use either or both methods to add assets to the resource group.

12. Click Next. The wizard moves to the Select By Policy page. This page lists all protection policies that contain assets of this type and provides a cumulative list of selected assets.

To change the existing selection of assets, where asset selection was previously Selected Assets:

13. Click Edit. The Select Assets dialog box opens to the Summary page. This dialog box presents two options: select assets by policy or manual selection. You can use either or both methods to add assets to the resource group.

14. In the Select By Policy container, click Edit. The wizard moves to the Select By Policy page. This page lists all protection policies that contain assets of this type and provides a cumulative list of selected assets.

To select assets from the Select By Policy page and add those assets to the resource group:

15. To include the assets from a protection policy, move the slider for that policy to the right. The wizard adds the corresponding assets to the list of selected assets. Repeat this step for each applicable policy.

16. To exclude the assets from a protection policy, move the slider for that policy to the left. The wizard removes the corresponding assets from the list of selected assets. Repeat this step for each applicable policy.

17. Verify the contents of the list of selected assets, and then click Next. The wizard moves to the Available Assets tab on the Manual Selection page. This tab lists all assets of the selected type, including unprotected assets, which you have not already selected by policy.

18. Use the filters, paging controls, and checkboxes for each row to locate and select or clear assets. The wizard adds or removes the selected assets from the list on the Manually Selected tab. Repeat this step for each applicable asset.

19. Click the Manually Selected tab, verify the contents of the list, and then click Next. The wizard moves to the Summary page. This page lists the assets to be added to the resource group.

Assets are listed separately by selection method, including the number of assets from each protection policy.

20. Click > to expand either list, verify the listed assets and the expected counts, and then click Save.

The Select Assets dialog box closes and the wizard returns to the Resource Group Configuration window.

PowerProtect Data Manager displays the number of assets of that type beside the drop-down list.

21. To change the selection of individual assets of this type, click Edit.

When you finish selecting assets for the resource group:

22. To review the selection for any asset type, click View Assets.

23. Click Done.

PowerProtect Data Manager updates the resource group list to reflect your changes.


Delete a resource group

Remove any resource groups that are no longer in use. Resource groups must be empty before you can delete them.

Prerequisites

Only the Administrator and the Security Administrator roles can view or modify resource groups. Both the Administrator and the Security Administrator roles can assign assets to resource groups by manual selection, or the option to select all assets. Only the Administrator role can assign assets to resource groups by selecting a protection policy.

Steps

1. From the left navigation pane, select Administration > Access Control.

The Access Control window appears.

2. Click the Resource Groups tab. PowerProtect Data Manager displays a list of configured resource groups, including the number of resources protected by each group.

3. Select a resource group from the list.

4. Review the Assets column for the resource group and verify that the resource group is empty.

The assignment count in the Assets column must be 0. If the resource group is not empty, remove all assets. Edit a resource group provides instructions.

5. To delete the resource group, click Delete.

Click OK to confirm deletion.

PowerProtect Data Manager removes the resource group from the list.


Log Settings

Topics:

Authentication Server logging
Add a log bundle
Server monitoring with syslog

Authentication Server logging

The Authentication Server has two types of log files.

Administrative logs: Contain information used for troubleshooting and maintenance.
Audit logs: Contain security-related information that appears in chronological order.

Add a log bundle

Use the following procedure to add a log bundle.

About this task

NOTE: You can add a maximum of 10 log bundles.

Steps

1. From the PowerProtect Data Manager user interface, click , and then click Logs.

2. Click Add to add a log bundle. The Add Log Bundle window appears.

3. Select the systems for the log bundle (Data Manager, VM Direct Engines, or, if Cloud DR is deployed, CDRS), set the log bundle duration, and click Save. The Jobs window displays the progress of the log bundle creation. Also, a green banner in the UI indicates that the log bundle has successfully been created. If you want to dismiss the banner, click X.

4. To delete the log bundle, select the box to the left of log bundle and click Delete.

The Log Capacity indicates how much space (in GB) remains on the disk for logs and the percentage of the disk in use for log storage.

5. To download the log bundle, click the bundle name in the Bundle Name column.

Server monitoring with syslog

The syslog system logging feature collects system log messages and writes them to a designated log file. You can configure the PowerProtect Data Manager server to send event information in syslog format.

PowerProtect Data Manager serves as a syslog client to send diagnostic and monitoring data to the syslog server. You can access this data to perform audits, monitoring, and troubleshooting tasks.

The syslog server firewall is configured to receive data from PowerProtect Data Manager using the ports listed in Network and Communication Security Settings. If your syslog server uses a port that is not listed, use the instructions in that chapter to open the corresponding port on the PowerProtect Data Manager system.

It is recommended that you configure the PowerProtect Data Manager system to use an NTP server. NTP configuration is required to synchronize the PowerProtect Data Manager system time with the syslog server.


The selected severity level applies to all selected components. You cannot apply independent severity levels to each component. For example, selecting Critical forwards critical messages from all selected components. The exception is OS Kernel and PPDM Alert and Audit: when you select either component, the corresponding audit log is forwarded by default, regardless of the selected severity level.

If no log messages are transmitted during a 24-hour period, PowerProtect Data Manager generates an alert to check the PowerProtect Data Manager and syslog server connection to verify that there are no problems preventing the exchange of messages.

Configure TLS for syslog forwarding

PowerProtect Data Manager requires the syslog server security certificate to forward logs to the syslog server using TLS. To enable TLS connection, import the syslog server security certificate into PowerProtect Data Manager:

Prerequisites

By default, PowerProtect Data Manager uses anon authentication. If you want to use another form of authentication that the rsyslog protocol supports, such as x509 authentication, contact Customer Support.

Steps

1. Copy the Certificate Authority (CA) self-signed certificate for the syslog server to the PowerProtect Data Manager server at /etc/ssl/certificates/extserver/syslog-server-ca.pem.

NOTE: Do not modify the file name or path.

2. Enter the following commands:

chown admin:app /etc/ssl/certificates/extserver/syslog-server-ca.pem
chmod 770 /etc/ssl/certificates/extserver/syslog-server-ca.pem

NOTE: If you change the syslog server or the CA certificate expires, copy the certificate again.

Configure the syslog server

Use the following procedure to enable the syslog server, change the syslog server, change which events are forwarded, and disable syslog forwarding.

Prerequisites

To use TLS for the syslog connection:

Import the syslog server security certificate into PowerProtect Data Manager.
By default, PowerProtect Data Manager uses anon authentication. If your syslog server uses another form of authentication, contact Customer Support.

Steps

1. From the PowerProtect Data Manager UI, click , select Logs, and then click Syslog. The Logs window opens to the Syslog page.

To enable syslog forwarding:

2. Move the Syslog Forwarding slider to the right to enable syslog forwarding.

3. Provide the following information:

IP Address / FQDN: IP address or fully qualified domain name of the syslog server.
Port: Port number for PowerProtect Data Manager and syslog server communications.
Protocol: Protocol to use for communications (TLS, UDP, or TCP).
Components: Syslog message components.
Severity Level: Specify the scope of the messages to forward to the syslog server.

To change the syslog server:


4. From the PowerProtect Data Manager UI, click , select Logs, and then click Syslog. The Logs window opens to the Syslog page.

5. Change the following syslog configuration details:

IP Address / FQDN: IP address or fully qualified domain name of the syslog server.
Port: Port number for PowerProtect Data Manager and syslog server communications.
Protocol: Protocol to use for communications (TLS, UDP, or TCP).

To change which events are forwarded:

6. From the PowerProtect Data Manager UI, click , select Logs, and then click Syslog. The Logs window opens to the Syslog page.

7. Change the Components and Severity Level.

To disable syslog forwarding:

8. From the PowerProtect Data Manager UI, click , select Logs, and then click Syslog. The Logs window opens to the Syslog page.

9. Move the Syslog Forwarding slider to the left to disable syslog forwarding.

To apply the changes:

10. Click Save.

Next steps

Once the syslog configuration is complete, check the connection status. Go to System Settings > Logs > Syslog and verify that the syslog server connection status indicates Connected. If the syslog server is not connected, the status indicates Not Connected.

Troubleshooting the syslog connection

Review the following information that is related to troubleshooting the syslog connection.

No messages are transmitted to the syslog server

Log messages are generated in the PowerProtect Data Manager services log files; however, these messages are not transmitted to the syslog server. If this issue occurs, complete the following tasks:

1. Verify that the PowerProtect Data Manager firewall is using the required ports. If your syslog server uses a different port, open the corresponding port on the PowerProtect Data Manager system.

2. Verify the syslog server firewall. Ensure that the ports are configured to accept data.

3. Verify that the protocol is the same for both PowerProtect Data Manager and the syslog server. If you are using TLS, PowerProtect Data Manager uses anon authentication by default. If your syslog server uses another form of authentication, contact Customer Support.


Network and Communication Security Settings

This chapter describes how to ensure PowerProtect Data Manager uses secure channels for network communication and how to configure PowerProtect Data Manager in a firewall environment.

Topics:

Port usage
Communications security settings
PowerProtect Data Manager firewall support

Port usage

This table summarizes the port requirements for PowerProtect Data Manager and its associated internal and external components or systems. PowerProtect Data Manager audits and blocks all ports that are not listed below.

The PowerProtect DD Security Configuration Guide provides more information about ports for DD systems and protocols.

Table 27. PowerProtect Data Manager port requirements

Source system | Destination system | Port | Protocol | TLS supported | Notes
Backup clients [a] | DD system | 111 | TCP | No | Dynamic port detection and mapping. Used only for port verification, not for data.
Backup clients [a] | DD system | 2049 | Proprietary | TLS 1.2 | Optional DD Boost client TLS encryption.
Backup clients [a] | DD system | 2052 | TCP | No | NFS mountd, not for data.
Backup clients | DD Global Scale | 2053 | TCP | TLS 1.2 | DD Boost connection.
Backup clients [a] | PowerProtect Data Manager | 8443 | HTTPS | TLS 1.2 | REST API service.
Backup clients | VMAX SE server | 2707 | Proprietary | TLS 1.2 | Backup clients require access to the default port 2707 on the VMAX SE server. Applies to Storage Direct.
Callhome (SupportAssist) | PowerProtect Data Manager | 22 | SSH | TLS 1.2 | SSH for support and administration. Encrypted by private key or optional certificates.
Callhome (SupportAssist) | PowerProtect Data Manager | 443 | HTTPS | TLS 1.2 | SSH for remote support.
ESXi | DD system [b] | 111 | TCP | No | Dynamic port detection and mapping. Used only for port verification, not for data.
ESXi | DD system [b] | 2049 | Proprietary | TLS 1.2 | NFS datastore and DD Boost. NFS is unencrypted. DD Boost is encrypted.
ESXi | DD system [b] | 2052 | TCP | No | NFS mountd, not for data.
Kubernetes cluster | DD system | 111 | TCP | No | Dynamic port detection and mapping. Used only for port verification, not for data.
Kubernetes cluster | DD system | 2049 | Proprietary | TLS 1.2 | Optional DD Boost client TLS encryption.
Kubernetes cluster | DD system | 2052 | TCP | TLS 1.2 | NFS mountd, not for data.
Kubernetes cluster | ESXi | 902 | TCP | TLS 1.2 | vSphere client access for PVCs using VMware CSI. Not required for Tanzu Kubernetes Guest clusters.
Kubernetes cluster | Protection engine | 9090 | HTTPS | TLS 1.2/1.3 | Required for Tanzu Kubernetes Guest clusters.
Kubernetes cluster | vCenter | 443 | HTTPS | TLS 1.2 | Primary management interface for vSphere using the vCenter Server, including the vSphere client for PVCs using VMware CSI. Not required for Tanzu Kubernetes Guest clusters.
NAS protection engine | NAS appliance | 443 | HTTPS | TLS 1.2 | Management access for Unity and PowerStore appliances.
NAS protection engine | NAS appliance | 8080 | HTTPS | TLS 1.2 | Management access for PowerScale/Isilon appliances.
PowerProtect Data Manager | Backup clients | 7000 | HTTPS | TLS 1.2 | Microsoft SQL Server, Oracle, Microsoft Exchange Server, SAP HANA, and file system. Requirement applies to Application Direct and VM Direct.
PowerProtect Data Manager | Callhome (SupportAssist) | 25 | SMTP | TLS 1.2 | TLS version in use depends on the mail server. TLS used where possible.
PowerProtect Data Manager | Callhome (SupportAssist) | 465 | TCP | TLS 1.2 |
PowerProtect Data Manager | Callhome (SupportAssist) | 587 | TCP | TLS 1.2 |
PowerProtect Data Manager | Callhome (SupportAssist) | 9443 | HTTPS | TLS 1.2 | REST API for service notification.
PowerProtect Data Manager | DD system | 111 | TCP | No | Dynamic port detection and mapping. Used only for port verification, not for data.
PowerProtect Data Manager | DD system | 2049 | Proprietary | No | Server DR NFS connections. Used only for metadata, client name, and indexing, not for backup data.
PowerProtect Data Manager | DD system | 2052 | TCP/UDP | No | NFS mountd, not for data.
PowerProtect Data Manager | DD system | 3009 | HTTPS | TLS 1.2 | Communication with DDMC for configuration and discovery.
PowerProtect Data Manager | ESXi | 443 | HTTPS | TLS 1.2 | Depends on ESXi configuration and version.
PowerProtect Data Manager | Kubernetes cluster | 6443 | Proprietary | TLS 1.2 | Connects to the Kubernetes API server. Encryption depends on the Kubernetes cluster configuration. PowerProtect Data Manager supports TLS 1.2.
PowerProtect Data Manager | LDAP server | 389 | TCP/UDP | No | Insecure LDAP port, outbound only. Use port 636 for encryption.
PowerProtect Data Manager | LDAP server | 636 | TCP | TLS 1.2 | LDAPS, depending on LDAP configuration in use. Outbound only.
PowerProtect Data Manager | NAS appliance | 443 | HTTPS | TLS 1.2 | Management access for Unity and PowerStore appliances.
PowerProtect Data Manager | NAS appliance | 8080 | HTTPS | TLS 1.2 | Management access for PowerScale/Isilon appliances.
PowerProtect Data Manager | NAS share | 139 | TCP | TLS 1.2 | Windows file server shares (CIFS).
PowerProtect Data Manager | NAS share | 443 | HTTPS | TLS 1.2 | NetApp shares (NFS and CIFS). Also used for NAS share verification check.
PowerProtect Data Manager | NAS share | 445 | TCP | TLS 1.2 | Windows file server shares (CIFS).
PowerProtect Data Manager | NAS share | 2049 | TCP | TLS 1.2 | Linux file server shares (NFS).
PowerProtect Data Manager | NTP server | 123 | NTP | No | Time synchronization.
PowerProtect Data Manager | PowerProtect Data Manager - Catalog | 9760 | TCP |  | Internal only. Blocked by firewall.
PowerProtect Data Manager | PowerProtect Data Manager - Configuration Manager | 55555 | TCP |  | Internal only. Blocked by firewall.
PowerProtect Data Manager | PowerProtect Data Manager - Elastic Search | 9200 | TCP |  | Internal only.
PowerProtect Data Manager | PowerProtect Data Manager - Elastic Search | 9300 | TCP |  | Internal only.
PowerProtect Data Manager | PowerProtect Data Manager - Embedded VM proxy | 9095 | TCP |  | Internal only. Blocked by firewall.
PowerProtect Data Manager | PowerProtect Data Manager - Quorum peer | 2181 | TCP |  | Internal only. Blocked by firewall.
PowerProtect Data Manager | PowerProtect Data Manager - RabbitMQ | 5672 | TCP |  | Internal only. Blocked by firewall.
PowerProtect Data Manager | PowerProtect Data Manager - Secrets manager | 9092 | TCP |  | Internal only.
PowerProtect Data Manager | PowerProtect Data Manager - VM Direct infrastructure manager | 9097 | TCP |  | Internal only. Blocked by firewall.
PowerProtect Data Manager | PowerProtect Data Manager - VM Direct orchestration | 9096 | TCP |  | Internal only. Blocked by firewall.
PowerProtect Data Manager | Protection engine | 22 | SSH | TLS 1.2 | SSH for support and administration. Encrypted by private key or optional certificates.
PowerProtect Data Manager | Protection engine | 9090 | HTTPS | TLS 1.2 | REST API service.
PowerProtect Data Manager | Protection engine | 9613 [c] | Proprietary | TLS 1.2 |
PowerProtect Data Manager | Reporting engine | 9002 | TCP | TLS 1.2 | REST API service.
PowerProtect Data Manager | Search Engine | 9613 [c] | Proprietary | TLS 1.2 | Infrastructure node agent management of Search Engine nodes.
PowerProtect Data Manager | Search Engine | 14251 | Proprietary | TLS 1.2 | Search query REST API endpoint.
PowerProtect Data Manager | SMI-S | 5989 | HTTPS | TLS 1.2 | Communication with SMI-S provider. Discovery.
PowerProtect Data Manager | Storage Direct system | 3009 | HTTPS | TLS 1.2 | Discovery.
PowerProtect Data Manager | Syslog server | 514 | TCP/UDP | TLS 1.2 | Log forwarding to Syslog server.
PowerProtect Data Manager | Syslog server | 6514 | TCP | TLS 1.2 | Log forwarding to Syslog server.
PowerProtect Data Manager | Syslog server | 10514 | TCP | TLS 1.2 | Log forwarding to Syslog server.
PowerProtect Data Manager | UI | 443 | HTTPS | TLS 1.2 | Between the browser host and the PowerProtect Data Manager system.
PowerProtect Data Manager | Update Manager UI | 14443 | HTTPS | TLS 1.2 | Connects the host that contains the update package to the PowerProtect Data Manager system.
PowerProtect Data Manager | vCenter | 443 | HTTPS | TLS 1.2 | vSphere API for direct restore, discovery, initiating Hot Add transport mode, and restores including Instant Access restore. Depends on vCenter configuration.
PowerProtect Data Manager | vCenter | 7444 | Proprietary | TLS 1.2 | vCenter single sign-on.
PowerProtect Data Manager | VMAX Solutions Enabler server | 2707 | Proprietary | TLS 1.2 | Storage Direct functionality. PowerProtect Data Manager uses the Solutions Enabler default server port for configuration steps and to control active snapshot management for SnapVX, including for PP-VMAX.
Protection engine | DD system | 111 | TCP | No | Dynamic port detection and mapping. Used only for port verification, not for data.
Protection engine | DD system | 2049 | Proprietary | TLS 1.2 | Optional DD Boost client TLS encryption.
Protection engine | DD system | 2052 | TCP | No | NFS mountd, not for data.
Protection engine | DD system | 3009 | HTTPS | TLS 1.2 | DD REST API service.
Protection engine | ESXi | 443 | HTTPS | TLS 1.2 | Client connections.
Protection engine | ESXi | 902 | TCP | TLS 1.2 | vSphere client access.
Protection engine | Guest VM | 9613 [c] | Proprietary | TLS 1.2 | VM Direct Agent provides capabilities for file-level restore and application-aware protection.
Protection engine | NAS agent Docker container | 443 | HTTPS | TLS 1.2 | Applies for NAS only. Internal only. Blocked by firewall.
Protection engine | Search Engine | 14251 | TCP | TLS 1.2 | Search query REST API endpoint.
Protection engine | vCenter | 443 | HTTPS | TLS 1.2 | Primary management interface for vSphere using the vCenter server, including the vSphere client.
Protection engine | vCenter | 7444 | TCP | TLS 1.2 | Secure token service.
Protection engine | Protection engine - RabbitMQ | 4369 | TCP |  | Internal only. Blocked by firewall.
Protection engine | Protection engine - RabbitMQ | 5672 | TCP |  | Internal only. Blocked by firewall.
Reporting engine | PowerProtect Data Manager | 8443 | TCP | TLS 1.2 | REST API service for collecting reporting data.
Search Engine | DD system | 111 | TCP | No | Server DR. Dynamic port detection and mapping. Used only for port verification, not for data.
Search Engine | DD system | 2049 | Proprietary | No | Server DR NFS connections. Used only for metadata, client name, and indexing, not for backup data.
Search Engine | DD system | 2052 | TCP/UDP | No | Server DR. NFS mountd, not for data.
Source DD system | Target DD system | 111 | TCP | No | Dynamic port detection and mapping. Used only for port verification, not for data.
Source DD system | Target DD system | 2049 | Proprietary | TLS 1.2 |
Source DD system | Target DD system | 2051 | Proprietary | TLS 1.2 |
Source DD system | Target DD system | 2052 | TCP | No | NFS mountd, not for data.
Target DD system | Source DD system | 111 | TCP | No | Dynamic port detection and mapping. Used only for port verification, not for data.
Target DD system | Source DD system | 2049 | Proprietary | TLS 1.2 |
Target DD system | Source DD system | 2051 | Proprietary | TLS 1.2 |
Target DD system | Source DD system | 2052 | TCP | No | NFS mountd, not for data.
Update Manager UI | PowerProtect Data Manager | 14443 | HTTPS | TLS 1.2 | Connects the host that contains the update package to the PowerProtect Data Manager system.
User | PowerProtect Data Manager | 22 | SSH | TLS 1.2 | SSH for support and administration. Encrypted by private key or optional certificates.
User | PowerProtect Data Manager | 80 | HTTP | No | Redirect to HTTPS.
User | PowerProtect Data Manager | 443 | HTTPS | TLS 1.2 | Connects the browser host to the PowerProtect Data Manager system.
User | PowerProtect Data Manager | 8443 | HTTPS | TLS 1.2 | REST API service.
User | Search Engine | 22 | SSH | TLS 1.2 | SSH for support and administration. Encrypted by private key or optional certificates.
User | Protection engine | 22 | SSH | TLS 1.2 | SSH for support and administration. Encrypted by private key or optional certificates.
vCenter | ESXi | 443 | HTTPS | TLS 1.2 | vSphere client to ESXi/ESX host management connection.
vCenter | PowerProtect Data Manager | 443 | HTTPS | TLS 1.2 | vCenter plug-in UI.
vCenter | PowerProtect Data Manager | 8443 | HTTPS | TLS 1.2 | REST API service.
vCenter | PowerProtect Data Manager | 9009 | HTTPS | TLS 1.2/1.3 | vSphere APIs for Storage Awareness (VASA) provider, storage policy based management (SPBM) service within PowerProtect Data Manager.

a. Applies to Application Direct, Storage Direct, and VM Direct (VM application-aware only).
b. Instant access restore. NFS connection established under PowerProtect Data Manager control of vSphere from the ESXi node to the DD system. Can be directed to any ESXi node, so allowed ports would be between any ESXi node to any DD system used by PowerProtect Data Manager.
c. Port number is a default which you can change on a per-agent basis, and which can change dynamically in case of listening conflicts.

The term "protection engine" in this table refers to all types of protection engine: VM Direct, NAS, and Kubernetes, unless otherwise specified.

For VM application-aware backups, open the ports for the protection engine and for the backup clients on the guest VM.

For NAS assets, open any custom ports between PowerProtect Data Manager, the NAS protection engine, and the NAS that may be required for access to specific shares. You can supply custom port information for connections to NAS appliances and shares as part of the process for adding NAS asset sources.

Communications security settings

The following topics describe how to secure communications between PowerProtect Data Manager and remote systems, such as clients.

Virtual networks (VLANs)

PowerProtect Data Manager can separate management and backup traffic onto different virtual networks (VLANs). Virtual networks help to improve data traffic routing, security, and organization.

The initial steps to configure and add each virtual network are one-time events. The subsequent steps to assign virtual networks to protection policies or assets happen as required.

The PowerProtect Data Manager Administration and User Guide contains information about supported network topologies and how to configure virtual networks. Configuring virtual networks is considered part of modifying the system settings.


Typically, you assign virtual networks to protection policies and assets when you create a protection policy. The user guide for each agent type describes this process. However, the PowerProtect Data Manager Administration and User Guide contains instructions to assign virtual networks to existing policies and override network assignments on a per-asset basis.

Configure SSH session timeout

This topic describes how the PowerProtect Data Manager console behaves for connections with prolonged inactivity. These steps also change the behavior of the timeout mechanism that regulates SSH sessions.

About this task

The default SSH session timeout is 3600 seconds (60 minutes).

Steps

1. Connect to the PowerProtect Data Manager console and change to the root user.

2. Using a Linux text editor, open /etc/ssh/sshd_config.

3. Modify the following property:

Property | Description
ClientAliveInterval | The number of seconds of inactivity after which PowerProtect Data Manager terminates the SSH session.

4. Save and close the file.

5. Reload the SSH daemon to apply the changes:

systemctl reload sshd
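Before reloading the daemon, it is worth confirming which ClientAliveInterval value sshd will actually apply: OpenSSH uses the first occurrence of a keyword, treats keywords as case-insensitive, and applies a value inside a Match block only to matching connections. The following check is an added example, not part of the Dell guide; the function names, the 3600-second limit used in the demo, and the sample file are constructed for illustration, and Include files are not followed.

```shell
#!/bin/sh
# Added example (not Dell code): audit the SSH idle timeout in an
# sshd_config file before running "systemctl reload sshd".

# client_alive_settings FILE
# Prints one line per uncommented ClientAliveInterval occurrence:
#   "global <value>"           the value sshd applies by default
#   "ignored <value>"          a later global duplicate (first occurrence wins)
#   "match <value> <criteria>" a value that applies only inside a Match block
client_alive_settings() {
    awk '
        { sub(/^[ \t]+/, "") }                  # trim leading whitespace
        /^#/ || /^$/ { next }                   # skip comments and blank lines
        {
            split($0, f, /[ \t=]+/)             # "Key Value" and "Key=Value"
            key = tolower(f[1])                 # keywords are case-insensitive
        }
        key == "match" {
            in_match = 1
            criteria = $0
            sub(/^[^ \t]+[ \t]+/, "", criteria) # keep only the Match criteria
            next
        }
        key != "clientaliveinterval" { next }
        in_match { print "match", f[2], criteria; next }
        seen++   { print "ignored", f[2]; next }
                 { print "global", f[2] }
    ' "$1"
}

# check_ssh_idle_timeout FILE MAX_SECONDS
# Returns 0 when the global value is a whole number of seconds in 1..MAX_SECONDS.
# Returns 1 when it is missing, 0 (OpenSSH sends no keepalive checks), above
# the limit, or not written as plain seconds.
check_ssh_idle_timeout() {
    value=$(client_alive_settings "$1" | awk '$1 == "global" { print $2 }')
    case $value in
        ''|*[!0-9]*)
            echo "ClientAliveInterval unset or not plain seconds: '$value'" >&2
            return 1 ;;
    esac
    if [ "$value" -eq 0 ] || [ "$value" -gt "$2" ]; then
        echo "ClientAliveInterval $value is outside 1..$2 seconds" >&2
        return 1
    fi
    echo "ClientAliveInterval $value seconds"
}

# write_sample_config FILE: constructed sample, not a real appliance file.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config fragment
#ClientAliveInterval 3600
clientaliveinterval 900
LoginGraceTime 60
ClientAliveInterval=7200
Match User support
    ClientAliveInterval 14400
EOF
}

sample_cfg=$(mktemp)
write_sample_config "$sample_cfg"
client_alive_settings "$sample_cfg"
check_ssh_idle_timeout "$sample_cfg" 3600 || echo "fix sshd_config before reloading"
rm -f "$sample_cfg"
```

On the appliance, point both functions at /etc/ssh/sshd_config; any "ignored" or "match" line means the edit made in step 3 may not be the value that governs a given session.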

Configure REST API token lifespans

This topic describes PowerProtect Data Manager REST API tokens and the default token expiry intervals. These steps also change the behavior of the token expiry mechanism.

About this task

The REST API uses three separate types of tokens: access, refresh, and component. Access tokens are bearer tokens that authenticate REST API calls. Refresh tokens provide enough information to get a new access token after the access token expires. Component tokens authorize operations between internal system components.

Using refresh tokens enables you to set shorter lifespans on access tokens without causing frequent credential requests. Shorter access token lifespans reduce the risk of compromised token values. The OAuth Authorization Framework provides more information about token types.

The default time unit is MINUTES for all types. You can only change the time unit for refresh tokens. For these tokens, available time units include: DAYS, HOURS, MINUTES, MONTHS, SECONDS, and WEEKS.

The default access token expiry time is 480. The default refresh token expiry time is 1440. The default component token expiry time is 480.

NOTE: Previous releases of PowerProtect Data Manager used the aaa.jwt.token.access-expiration-time property in application-server-custom.properties to configure access token expiry. After an update, any configured value for aaa.jwt.token.access-expiration-time is ignored in favor of the default value for the new property. Use the steps here to reconfigure the access token expiry after the update.

Steps

1. Connect to the PowerProtect Data Manager console as an admin user.

To configure access and component token expiry:

2. Using a Linux text editor, open /usr/local/brs/lib/aaa/config/application-jwt-token.yml.

3. Modify the following properties:


Property | Description
user-access-expiration-time | The amount of time after which access tokens expire, in minutes.
component-access-expiration-time | The amount of time after which component tokens expire, in minutes.

The minimum recommended expiry times are 15 minutes for access tokens and 120 minutes for component tokens.

4. Save and close the file.

To configure refresh token expiry:

5. Using a Linux text editor, open /usr/local/brs/lib/aaa/config/application-server-custom.properties.

6. Modify the following properties:

Property | Description
aaa.jwt.token.chrono-unit | The unit for the expiration time properties.
aaa.jwt.token.access-expiration-time | (Obsolete) The amount of time after which access tokens expire.
aaa.jwt.token.refresh-expiration-time | The amount of time after which refresh tokens expire.

You may see a value in this file for the aaa.jwt.token.access-expiration-time property. However, this property is obsolete and replaced by the access token configuration steps earlier in this procedure. The value here is only used if the user-access-expiration-time property is unavailable.

7. Save and close the file.

After you configure the expiry mechanism for any token type:

8. Change to the root user.

9. Apply the new configuration:

aaa restart
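The two files and the unit conversion make it easy to end up with lifespans below the recommended minimums, or with a refresh token that expires no later than the access token it is meant to renew. The following audit is an added example, not Dell code: the property names, defaults and minimums come from this guide, while the file layouts (a "key: value" line in the YAML file, "key=value" in the properties file), the 30-day month and all function names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Dell code): audit REST API token lifespans against the
# minimums recommended in this guide. File layouts are assumptions.

# yaml_value FILE KEY: value of the first "KEY: value" line at any indentation.
yaml_value() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k ":") == 1 {
            v = substr(line, length(k) + 2)
            sub(/#.*/, "", v); gsub(/[ \t"\r]/, "", v)
            print v; exit
        }' "$1"
}

# prop_value FILE KEY: value of an exact "KEY=value" line; last assignment wins.
prop_value() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line) }
        index(line, k) == 1 {
            rest = substr(line, length(k) + 1)
            if (rest ~ /^[ \t]*=/) { sub(/^[ \t]*=[ \t]*/, "", rest); v = rest }
        }
        END { if (v != "") print v }' "$1"
}

# to_minutes VALUE UNIT: whole minutes, rounded up for SECONDS.
to_minutes() {
    case $2 in
        SECONDS) echo $(( ($1 + 59) / 60 )) ;;
        MINUTES) echo "$1" ;;
        HOURS)   echo $(( $1 * 60 )) ;;
        DAYS)    echo $(( $1 * 1440 )) ;;
        WEEKS)   echo $(( $1 * 10080 )) ;;
        MONTHS)  echo $(( $1 * 43200 )) ;;   # assumption: 30-day month
        *)       return 1 ;;
    esac
}

# audit_token_lifespans YML PROPERTIES
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_token_lifespans() {
    access=$(yaml_value "$1" user-access-expiration-time)
    component=$(yaml_value "$1" component-access-expiration-time)
    unit=$(prop_value "$2" aaa.jwt.token.chrono-unit)
    refresh=$(prop_value "$2" aaa.jwt.token.refresh-expiration-time)
    obsolete=$(prop_value "$2" aaa.jwt.token.access-expiration-time)
    if [ -z "$access" ] && [ -n "$obsolete" ]; then
        echo "user-access-expiration-time missing; obsolete value $obsolete applies"
        return 2
    fi
    # Remaining missing keys fall back to the defaults stated in the guide.
    access=${access:-480} component=${component:-480}
    unit=${unit:-MINUTES} refresh=${refresh:-1440}
    for n in "$access" "$component" "$refresh"; do
        case $n in *[!0-9]*) echo "not a whole number: $n"; return 2 ;; esac
    done
    refresh_min=$(to_minutes "$refresh" "$unit") || { echo "unknown unit: $unit"; return 2; }
    findings=0
    if [ "$access" -lt 15 ]; then
        echo "access token lifespan $access min is below the recommended 15"; findings=1
    fi
    if [ "$component" -lt 120 ]; then
        echo "component token lifespan $component min is below the recommended 120"; findings=1
    fi
    # Added check: a refresh token that expires first can never renew access.
    if [ "$refresh_min" -le "$access" ]; then
        echo "refresh lifespan $refresh_min min does not exceed access lifespan $access min"; findings=1
    fi
    if [ -n "$obsolete" ]; then
        echo "note: obsolete aaa.jwt.token.access-expiration-time=$obsolete is ignored"
    fi
    return "$findings"
}

# write_sample_files DIR: constructed samples, not copied from a real system.
write_sample_files() {
    cat > "$1/application-jwt-token.yml" <<'EOF'
# constructed sample; the nesting is an assumption
jwt:
  token:
    user-access-expiration-time: 10
    component-access-expiration-time: 480
EOF
    cat > "$1/application-server-custom.properties" <<'EOF'
# constructed sample
aaa.jwt.token.chrono-unit=HOURS
aaa.jwt.token.access-expiration-time=480
aaa.jwt.token.refresh-expiration-time=24
EOF
}

demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
audit_token_lifespans "$demo_dir/application-jwt-token.yml" \
    "$demo_dir/application-server-custom.properties" || echo "review the lifespans above"
rm -rf "$demo_dir"
```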

PowerProtect Data Manager firewall support

PowerProtect Data Manager is a single node in a virtual appliance that uses the Linux SLES 12 firewall to protect and limit external access to the system. PowerProtect Data Manager uses a direct socket connection to communicate and move data internally and across the network to the required service with minimal overhead.

To enable communication between the PowerProtect Data Manager system and other applications, PowerProtect Data Manager configures firewall rules for ports that are used for inbound and outbound communication.

Modify firewall rules

The PowerProtect Data Manager system configures firewall rules to block inbound and outbound communications on ports that are not required by PowerProtect Data Manager components for communication.

About this task

There are three ways to modify the firewall rules:

For permanent changes, you can add entries to the list of custom ports.

For temporary changes, you can use the iptables command, which is part of the Linux operating system. Users should be familiar with the operation and syntax for iptables, including order of precedence, before using this method. Temporary changes do not persist through firewall restarts.

You can also use the PowerProtect Data Manager REST API to open outbound ports. The PowerProtect Data Manager Public REST API documentation provides instructions for this method.

NOTE: It is recommended that you do not modify existing firewall rules, because modification can impact successful

operations.

Steps

1. Connect to the PowerProtect Data Manager console and change to the root user.


For permanent changes:

2. Add port numbers on separate lines to /etc/sysconfig/scripts/custom-ports.

For example:

139
445
6443
8080

Save and close the file.

3. Stop the firewall service:

SuSEfirewall2 stop

4. Start the firewall service:

SuSEfirewall2 start

For temporary changes:

5. Open an outbound port:

/usr/sbin/iptables -I OUTPUT -p tcp --dport <port> -j ACCEPT

where <port> is the new outbound port.

This example inserts the new rule at the head of the rule chain and opens the specified TCP port from PowerProtect Data Manager to any destination.

6. Open an inbound port:

/usr/sbin/iptables -I INPUT -p tcp --dport <port> -j ACCEPT

where <port> is the new inbound port.

This example inserts the new rule at the head of the rule chain and opens the specified TCP port to PowerProtect Data Manager from any destination.
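Because temporary iptables rules disappear at the next firewall restart, it helps to know which open ports exist only as temporary rules. The following added example (not part of the Dell guide or product) checks a custom-ports file and compares it with a rule listing in `iptables -S` format. It assumes the file holds only single port numbers, one per line, as in the guide's example, and that the rules of interest have the shape of the guide's iptables commands; the rule listing is constructed sample data.

```python
import re

# Constructed sample data. The port list repeats the guide's custom-ports
# example; the rule listing imitates `iptables -S` output and is not taken
# from a real PowerProtect Data Manager system.
CUSTOM_PORTS = "139\n445\n6443\n8080\n"
IPTABLES_S = """\
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 9443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
"""

# A TCP ACCEPT rule on one destination port in a built-in chain, which is the
# shape produced by the guide's `iptables -I ... --dport <port> -j ACCEPT`.
RULE = re.compile(
    r"^-A (INPUT|OUTPUT)\b.*?-p tcp\b.*?--dport (\d+)\b.*?-j ACCEPT\b"
)


def parse_custom_ports(text):
    """Return (ports, errors) for the contents of a custom-ports file."""
    ports, errors = set(), []
    for number, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry:
            continue
        if entry.isascii() and entry.isdigit() and 1 <= int(entry) <= 65535:
            ports.add(int(entry))
        else:
            errors.append(f"line {number}: not a port number: {entry!r}")
    return ports, errors


def temporary_rules(rule_listing, persistent_ports):
    """List (chain, port) pairs that are open now but not listed as permanent."""
    found = []
    for line in rule_listing.splitlines():
        match = RULE.match(line.strip())
        if match and int(match.group(2)) not in persistent_ports:
            found.append((match.group(1), int(match.group(2))))
    return found


if __name__ == "__main__":
    ports, errors = parse_custom_ports(CUSTOM_PORTS)
    for problem in errors:
        print("custom-ports:", problem)
    for chain, port in temporary_rules(IPTABLES_S, ports):
        print(f"{chain} tcp/{port} is open but not listed in custom-ports")
```
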


Data Security Settings

Topics:

Data storage security settings
Encrypting sensitive data
Backup and restore encryption
Audit logging and monitoring system activity
Configure compliance verification

Data storage security settings

The following topics describe how you can secure PowerProtect Data Manager resources and backup data against unauthorized access.

Scopes of authority and Resources and resource groups also describe how to limit access to resources and backup data for authorized users.

Protection engine settings

The PowerProtect Data Manager Virtual Machine User Guide contains information about configuring the user-accessible options for protection engines.

Some protection engines, such as the transparent snapshot data mover (TSDM), have no configuration options. The PowerProtect Data Manager Virtual Machine User Guide advises that you use the default virtual switch configuration which rejects MAC address changes, forged transmits, and promiscuous mode connections.

The user guide also provides the necessary instructions and privileges to configure a dedicated vCenter user account for TSDM.

Encrypting sensitive data

PowerProtect Data Manager uses an encrypted lockbox to securely store sensitive information in a central location.

Credential security provides more information about how PowerProtect Data Manager uses lockboxes and how the stored secrets are protected.

Backup and restore encryption

Using Transport Layer Security (TLS), you can encrypt backup or restore data that is in transit for centralized and self-service operations with DD Boost encryption. Encryption of backup and restore data in-flight is available for agent host assets, Kubernetes cluster assets and Network-attached storage (NAS) assets only.

By default, PowerProtect Data Manager supports an encryption strength of HIGH and uses DD Boost anonymous authentication mode. The DD Boost encryption software uses the ADH-AES256-SHA cipher suite. The DD Boost for OpenStorage Administration Guide provides more information about the cipher suite for high encryption.

The following table lists the workloads and operations that support encryption of data in-flight:

NOTE: Refer to the agent user guides for more information about the centralized and self-service operations that are supported.


Table 28. Supported workloads

| Workload | Centralized backup | Centralized restore | Self-service backup | Self-service restore |
|---|---|---|---|---|
| File System with Application Direct | Yes | Yes (image-level restore only) | Yes | Yes (image-level restore only) |
| Kubernetes cluster | Yes | Yes | N/A | Yes (from the most recent backup) |
| Microsoft SQL Server with Application Direct | Yes | Yes (database-level restore only) | Yes | Yes (database-level restore only) |
| Microsoft Exchange Server with Application Direct | Yes | N/A | Yes | Yes |
| NAS | Yes | Yes | N/A | N/A |
| Oracle with Application Direct | Yes | N/A | Yes | Yes |
| SAP HANA with Application Direct | Yes | N/A | Yes | Yes |

Enabling encryption imposes additional overhead. Backup and restore performance for any client could be affected by 5-20% with encryption enabled.

You can enable or disable backup and restore encryption in the PowerProtect Data Manager UI.

PowerProtect Data Manager supports backup and restore encryption for all supported DD Boost and DDOS versions. The most up-to-date software compatibility information for PowerProtect Data Manager is provided by the E-Lab Navigator.

NOTE: You do not need to enable in-flight encryption on connected DD systems. If DD encryption settings exist, the higher setting takes precedence.

Enable backup and restore encryption

You can ensure that the backup and restore content is encrypted when read on the source system, transmitted in encrypted form, and then decrypted before it is saved on the destination storage.

Prerequisites

Review the information in Backup and restore encryption to learn more about backup and restore encryption.

The encryption settings determine if the data transfer is encrypted while in-flight during backup and restore operations.

For Microsoft SQL Server, Microsoft Exchange Server, File System, SAP HANA, and Oracle workloads, backup and restore encryption is only supported for Application Direct hosts.

When a new host is added to PowerProtect Data Manager, host configuration is run to push the encryption settings to the host.

Only hosts that have the same version of PowerProtect Data Manager application agents installed support the host configuration.

About this task

Steps

1. From the PowerProtect Data Manager UI, click , and then select Security.

The Security dialog box appears.

2. Click the Backup/Restore Encryption switch so it is enabled, and then click Save.


Next steps

The Jobs > System Job window of the PowerProtect Data Manager UI creates a job to enable protection encryption. This job pushes encryption settings to the hosts to be used for self-service operations. Within the system job, a host configuration job is created for each host. If an error occurs, you can retry the system job or individual host configuration job.

NOTE: For centralized backup and restore operations, PowerProtect Data Manager sends the encryption settings to the application agents on the Application Direct hosts and network-attached storage (NAS).

You can disable encryption for backup and restore content by clicking the Backup/Restore Encryption switch. PowerProtect Data Manager creates a system job in the Jobs > System Job window to disable protection encryption.

Audit logging and monitoring system activity

The Linux audit daemon (auditd) tracks and logs security-relevant events on the PowerProtect Data Manager system.

Users with the Administrator role can use auditd to monitor the following events:

File access
System calls
Login and logout activity of users

Audit logging enables you to discover access violations, changed or deleted files, failed authentication, and so on.

Configuring the audit service

The Linux auditd daemon captures events from the Linux kernel and records the entries in a log file for inspection. The auditd log entries are based on a set of rules that specify which events are defined in the log files. Auditing is disabled by default. To modify the default audit rules, edit the /etc/audit/audit.rules file.

About this task

To enable auditing, perform the following steps.

NOTE: You can also use the YaST tool to enable and disable auditing.

Steps

1. Connect to the PowerProtect Data Manager console and change to the root user.

2. To start auditd, type one of the following commands:

Continuous logging: systemctl enable auditd

Log until system restart: service auditd start

NOTE: To disable continuous auditd logging, type systemctl disable auditd. To stop auditd, type service auditd stop

3. To review auditd log entries, review the files in the /var/log/audit/audit.log directory.

NOTE: The /var/log/audit/audit.log directory is limited to five files, and log rotation occurs when the file size reaches 6 MB. To modify the default configuration, edit the /etc/audit/auditd.conf file, where:

num_logs: Specifies how many log files to concurrently retain in the directory.

max_log_file: Specifies the maximum log file size in MB.

max_log_file_action: Instructs the auditd daemon to rotate the log files when the log files reach the maximum size.

Do not modify other parameters unless specifically instructed to do so by Support.

4. To produce a summary report from the audit logs, type aureport --summary


Viewing audit events in the UI

With the Administrator, Backup Administrator, Restore Administrator, and User roles, you can view audit events to monitor system activity.

About this task

The following actions generate an audit event:

User login and logout
Creating, deleting, or updating a user
Assigning or unassigning a role to a user

To view audit events in the UI, perform the following steps.

Steps

1. Log in to the PowerProtect Data Manager UI with an account that has one of the indicated roles.

2. Go to Alerts > Audit Logs.

View and manage alerts

Alerts enable you to track the performance of data protection operations in PowerProtect Data Manager so that you can determine whether there is compliance to service level objectives. With the Administrator, Backup Administrator, Restore Administrator, or User role, you can access the alerts from the Alerts window. However, only some of these roles can manage alerts.

Steps

1. From the PowerProtect Data Manager UI left navigation pane, select Alerts.

You can also click the icon in the top banner, and then click the links to view unacknowledged alerts of all statuses (critical, warning, and informational), or only the unacknowledged critical alerts.

NOTE: Clicking the New tag displays only the unacknowledged alerts that have been generated within the last 24 hours.

The number that appears next to the is the total number of unacknowledged critical alerts over the last 24 hours.

The Alerts window displays.

2. Select the System tab. A table with an entry for each applicable alert displays.

By default, only unacknowledged critical alerts from the last 24 hours display, unless you selected to view all unacknowledged alerts from the links under the icon.

If filter tags have already been applied, the window displays these filter tags. Click X next to any of these filter tags to clear a filter, and the table view updates with the applicable selections. You can sort the alerts in the table by Severity (Critical, Warning, Informational), Date, Category, or Status (Acknowledged or Unacknowledged).

3. Select the time (last 24 hours, last 3 days/7 days/30 days), a specific date, or a time range for the alerts that you want to view. You can also select All Alerts from this list to display information for all alerts that match the filter tags.

4. Optionally, clear the Show only unacknowledged alerts checkbox if you want to view both acknowledged and unacknowledged alerts. If you clear this checkbox, the Unacknowledged filter tag is also cleared.

5. To view more details about a specific entry, click next to the entry in the table.

6. For the following steps, log in to the PowerProtect Data Manager UI with an account that has the Administrator, Backup Administrator, or Restore Administrator role.

7. To acknowledge one or more alerts, select the alerts and then click Acknowledge.

8. To add or edit a note for the alert, click Add/Edit Note, and when finished, click Save.

9. To export a report of alert information to a .csv file which you can download for Excel, click Export All.

NOTE: If you apply any filters in the table, exported alerts include only those alerts that satisfy the filter conditions.


Export audit logs

With the Administrator or Security Administrator role, you can export audit log records to a CSV file of audit data that you can download and open in Excel. Only the Administrator role can change the retention period.

Steps

1. Go to Administration > Audit Logs.

The list of audit logs appears, which displays the following information:

Changed at
Audit Type
Description
Changed By
Object Changed
Previous Values
New Values

2. To set the retention period (in days) for the audit log, select Set Boundaries and update the retention period.

Only the Administrator role can perform this step.

3. To add a note for the audit log, click >, enter a note in the Note field, and click Save.

4. Click Export All.

Configure compliance verification

Some maintenance procedures may require you to temporarily disable compliance verification. Use this task only when referenced elsewhere.

About this task

Appendix REST API Procedures describes alternative ways for advanced users to configure compliance verification without restarting the verification service.

Steps

1. Connect to the PowerProtect Data Manager console as an admin user.

2. Change directory:

cd /usr/local/brs/lib/compliance-verification/config

3. Disable compliance verification:

a. Create a configuration file and add the compliance verification flag by typing the following command:

echo compliance.copydeletion.enable=false > application.properties

b. Using a Linux text editor, open docker-compose.yml.

c. Configure PowerProtect Data Manager to use the new configuration file by adding the following entry on one line to the end of the file:

- /usr/local/brs/lib/compliance-verification/config/application.properties:/compliance-verification/config/application.properties

d. Save and close the file.

e. Change to the root user.

f. Apply the new configuration:

compliance-verification restart

4. Enable compliance verification:

a. Using a Linux text editor, open application.properties.

b. Change the compliance verification compliance.copydeletion.enable flag to true.

c. Save and close the file.

d. Change to the root user.

e. Apply the new configuration:

compliance-verification restart


Cryptography

Topics:

Security certificates
PowerProtect Data Manager certificate management

Security certificates

A default installation of PowerProtect Data Manager creates self-signed security certificates that secure communication with other components. As you configure the server and add assets, PowerProtect Data Manager stores additional certificates for each component.

The Administrator and Security Administrator roles can review the Administration > Certificates page in the UI. This page contains three tabs that list the installed security certificates. Each tab provides information about certificate uses, expiry dates, issuers, and so forth.

Using descriptive hostnames and fully qualified domain names for each application agent or external component aids in matching security certificates to assets or systems. You can compare the values in the Host column for the certificates to the hostnames and addresses for asset sources, protection storage, and so forth. Common names are arbitrary strings of characters but frequently include hostnames and IP addresses, especially for external components.

Internal components

The certificates on the Internal tab secure access to components that are part of the PowerProtect Data Manager server, such as the UI and REST API:

ppdmserver holds the certificate that PowerProtect Data Manager presents to secure communication with the UI and the REST API.

restserver holds the default self-signed certificates from deployment.

PowerProtect Data Manager certificate management provides instructions to replace the default self-signed security certificates on the Internal tab with certificates from an approved certificate authority (CA) of your choice.

If you replace the self-signed certificates, PowerProtect Data Manager replaces the ppdmserver and restserver certificates with a new certificate called custom. This single entry holds the host certificate that you provided during replacement. Both the UI and the REST API use the custom certificate.

Application agents

The certificates on the Application Agents tab secure access to the agents, which are under the control of PowerProtect Data Manager but exist outside the server. Application agents create certificate signing requests during the registration process to obtain signed security certificates from PowerProtect Data Manager. This list shows application agents that have received signed certificates.

The process of creating an application agent certificate incorporates information about the asset source fully qualified domain name and IP address. The agent provides a unique common name during the signing request.

External components

The certificates on the External Servers tab secure access to components or systems that are beyond the control of the server, but where you have approved the communication.

For example, directory services and protection storage systems that provide services to PowerProtect Data Manager are external components.


Protection engines and security certificates

Protection engines, whether for VM Direct, NAS, or Kubernetes, are considered under the control of PowerProtect Data Manager.

PowerProtect Data Manager manages all aspects of the protection engine life cycle, including deployment, upgrade, and removal. Customers do not regularly interact with protection engines other than through PowerProtect Data Manager.

Even if you replace the default self-signed security certificates for other components, protection engines continue to use the self-signed certificates.

Application agents and security certificates

If you have replaced the default self-signed security certificates, the behavior of application agents depends on the installed version of the agent software.

For application agents from PowerProtect Data Manager 19.8 and earlier, these legacy agents are unaware of changes to the certificates that secure communication with the server. Legacy agents lack the ability to use the new security certificates. Subsequently, legacy agents always use the default self-signed security certificate to secure all communication with PowerProtect Data Manager, even if you replace the UI and REST API certificates. In the UI, this is the restserver certificate on the Internal tab.

Application agents from PowerProtect Data Manager 19.9 and later can automatically retrieve new security certificates from the server at registration. Agents then use the new certificates to secure communication with PowerProtect Data Manager.

Application agent security certificate files

For Windows assets, the certificates reside in the DPSAPPS\AgentService\ssl folder, which is related to the location where you installed the application agent software.

globalca.pem: the custom server certificate.

ecdm-rootca.pem: the PowerProtect Data Manager server root certificate.

privKey.csr: the certificate signing request from which the signed application agent certificate is generated.

privKey.pem: the private key for the application agent certificate signing request.

agent-cert.pem: the signed application agent certificate.

If you have replaced the PowerProtect Data Manager server certificates, globalca.pem contains the new security certificates from the server.

Exchange the PowerProtect Data Manager security certificate with external components

While PowerProtect Data Manager maintains a certificate store for trusted external components, you can also exchange the server certificate with external components for greater protection.

PowerProtect Data Manager automatically presents the server certificate during the initial handshake when you connect to the server from an external component. The external component normally accepts and stores the server certificate for later use and authentication. No further action is required.

If the server certificate was not automatically presented or retained, you can get the certificate through the REST API. The PowerProtect Data Manager Public REST API documentation provides more information.

Use curl or a REST API client of your choice. An access token is not required. However, the REST API client may require an additional parameter to allow connections with servers that use self-signed certificates.

GET https://{{server}}:{{port}}/api/v2/jwks

The REST API service returns a status code and the server certificate:

200 OK
{
  "keys": [
    {
      "kty": "EC",
      "use": "sig",
      "crv": "P-256",
      "kid": "a86a7118-99f9-4768-bdda-8012474c8685",
      "x5c": [
        "MIIDBTCCAe2gAwIBAgIESvEK5DANBgkqhkiG",
        "MIIDizCCAnOgAwIBAgIEMayrSDANBgkqhkiG"
      ],
      "x": "GdPBk9pB5VkppISLMHhKaQ5EIBsPeaoERgarTagRJko",
      "y": "QiVYHOUdiGPzCW8NvJifB5qVkShDcmsKd8F2g_zdGvE",
      "alg": "ES256"
    },
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "7452f2bb-3a83-4569-a0fc-7fe255284fb4",
      "alg": "RS256",
      "n": "jTgO5NHdgzLhkv619gjh5Uz07v8-ZFHtpsDT"
    }
  ]
}

Some values in this example were truncated to fit the available space.

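The jwks call needs no access token and the client may be told to accept a self-signed certificate, so the returned certificate is worth checking against a fingerprint obtained through a separate trusted channel before an external component stores it. The following added example (not from the Dell guide or the product) extracts the x5c certificates from a JWKS document, renders them as PEM, and compares the SHA-256 fingerprint of the first certificate with a pinned value. The function names and the sample JWKS are constructed for illustration; the x5c entries are treated as standard Base64 DER certificates, as RFC 7517 defines them.

```python
import base64
import hashlib
import hmac
import json
import ssl

# Constructed sample: placeholder bytes standing in for DER certificates and a
# JWKS document shaped like the guide's response. None of it is real key data.
SAMPLE_LEAF_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + bytes(range(90))
SAMPLE_ISSUER_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + bytes(range(90, 180))
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kty": "EC", "use": "sig", "crv": "P-256", "alg": "ES256",
         "kid": "constructed-ec-key",
         "x5c": [base64.b64encode(SAMPLE_LEAF_DER).decode("ascii"),
                 base64.b64encode(SAMPLE_ISSUER_DER).decode("ascii")]},
        {"kty": "RSA", "e": "AQAB", "use": "sig", "alg": "RS256",
         "kid": "constructed-rsa-key"},
    ]
})


def fingerprint(der):
    """SHA-256 fingerprint as colon-separated upper-case hex pairs."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certificates_from_jwks(jwks_text):
    """Return one record per key that carries an x5c certificate chain."""
    records = []
    for key in json.loads(jwks_text).get("keys", []):
        chain = key.get("x5c")
        if not chain:
            continue  # a key without x5c (the RSA key in the sample) has no certificate
        # x5c uses standard Base64, not the URL-safe alphabet of "x", "y" and "n".
        ders = [base64.b64decode(entry, validate=True) for entry in chain]
        records.append({
            "kid": key.get("kid"),
            "alg": key.get("alg"),
            "pem_chain": "".join(ssl.DER_cert_to_PEM_cert(der) for der in ders),
            "sha256": [fingerprint(der) for der in ders],
        })
    return records


def leaf_is_pinned(records, expected_fingerprint):
    """True if some key's first x5c certificate has the expected fingerprint."""
    wanted = expected_fingerprint.strip().upper().encode("ascii")
    return any(
        hmac.compare_digest(record["sha256"][0].encode("ascii"), wanted)
        for record in records
    )


if __name__ == "__main__":
    for record in certificates_from_jwks(SAMPLE_JWKS):
        print(record["kid"], record["alg"], record["sha256"][0])
```
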
Import security certificates for external components through the REST API

Where communication with an external component requires a security certificate, you can use the REST API to import that security certificate to PowerProtect Data Manager. You must have the public certificate chain for the external component in either PEM or Base64 format.

About this task

The certificate examples in this task are simplified for clarity and space.

The PowerProtect Data Manager REST API documentation provides more information, including examples, about how to use the REST API. Use curl or a client of your choice and supply a valid access token with each call after the log-in. Clients may require additional parameters to allow connections to servers that use self-signed certificates.

Certificates for external components are imported to the PowerProtect Data Manager truststore under an alias composed of three parameters: host:port:type. The certificate ID is a Base64-encoded representation of this alias.

In this task, {{external-component}} represents the FQDN for the external component. {{remote-port}} represents the port number through which interaction with the component takes place. {{cert-type}} represents one of the following certificate types: HOST, ROOT, or INTERMEDIATE.

Steps

1. Log in to the PowerProtect Data Manager REST API as a user with the Administrator or Security Administrator role.

Record the access token.

2. (Optional) Import the security certificate in PEM format:

POST https://{{server}}:{{port}}/api/v2/certificates

Headers:
Content-Type: application/json
Authorization: Bearer {{access-token}}

{
  "host": "{{external-component}}",
  "port": "{{remote-port}}",
  "type": "{{cert-type}}",
  "certificateChain": "{{PEM-cert}}"
}

Replace {{PEM-cert}} with a \n-delimited single-line string that represents the contents of the certificate chain. For example:

-----BEGIN CERTIFICATE-----\nMIIDdzCCAl+gAwIBAgI\nUzERMA8GA1UEChMIU2l\nMDkyMjE4MDEzNFoXDTI\nBAoTC1BQRE0gU2VydmV\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nEHD0fXjANBgkqhkiG9w\nd3cuc2lnbi5jb20gYz1\nZ24gUm9vdCBDQTAeFw0\nBgNVBAYTAlVTMREwDwY\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIDSTCCAjGgAwIBAgI\nd3cuc2lnbi5jb20gYz1\nZ24gUm9vdCBDQTAeFw0\nBgNVBAsTEXd3dy5zaWd\n-----END CERTIFICATE-----\n

The REST API service returns a status code.

3. (Optional) Import the security certificate in Base64 format:

POST https://{{server}}:{{port}}/api/v2/certificates

Headers:
Content-Type: application/json
Authorization: Bearer {{access-token}}

{
  "host": "{{external-component}}",
  "port": "{{remote-port}}",
  "type": "{{cert-type}}",
  "certificateChain": "{{Base64-cert}}"
}

Replace {{Base64-cert}} with a Base64-encoded single-line string that represents the contents of the certificate chain. For example:

"certificateChain": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSU9rRENDRF"

The REST API service returns a status code.
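Hand-editing a PEM chain into a single-line string is error-prone, so the following added example (not from the Dell guide or REST API documentation) builds the request body for both import formats and derives the certificate ID from the host:port:type alias. It assumes the certificate ID uses the standard Base64 alphabet and that the Base64 format is the Base64 encoding of the PEM text; the host name, port and certificate bytes are constructed sample values.

```python
import base64
import json
import re

# One PEM certificate block; text between blocks (comments, attributes) is ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)
CERT_TYPES = {"HOST", "ROOT", "INTERMEDIATE"}  # the types this guide lists


def constructed_block(fill):
    """Build a fake PEM block with CRLF line endings (sample data only)."""
    raw = base64.b64encode(bytes([0x30, 0x82, 0x01, 0x0A]) + bytes([fill]) * 90)
    raw = raw.decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\r\n" + raw[:64] + "\r\n" + raw[64:]
            + "\r\n-----END CERTIFICATE-----\r\n")


SAMPLE_CHAIN = (constructed_block(0x11)
                + "subject=constructed intermediate\r\n"
                + constructed_block(0x22))


def normalize_chain(pem_text):
    """Return the chain as clean LF-delimited PEM, or raise ValueError."""
    blocks = []
    for body in PEM_BLOCK.findall(pem_text):
        compact = "".join(body.split())
        if not compact:
            raise ValueError("empty certificate block")
        base64.b64decode(compact, validate=True)  # binascii.Error is a ValueError
        lines = [compact[i:i + 64] for i in range(0, len(compact), 64)]
        blocks.append("\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]))
    if not blocks:
        raise ValueError("no PEM certificate block found")
    return "\n".join(blocks) + "\n"


def certificate_id(host, port, cert_type):
    """Base64 of the truststore alias host:port:type (standard alphabet assumed)."""
    alias = f"{host}:{port}:{cert_type}"
    return base64.b64encode(alias.encode("utf-8")).decode("ascii")


def import_body(host, port, cert_type, pem_text, encoding="pem"):
    """Return the JSON request body as one line of text."""
    if cert_type not in CERT_TYPES:
        raise ValueError(f"unknown certificate type: {cert_type!r}")
    if encoding not in ("pem", "base64"):
        raise ValueError(f"unknown encoding: {encoding!r}")
    chain = normalize_chain(pem_text)
    if encoding == "base64":
        chain = base64.b64encode(chain.encode("ascii")).decode("ascii")
    # json.dumps escapes each line break as \n, which yields the
    # "\n-delimited single-line string" the PEM format calls for.
    return json.dumps({"host": host, "port": str(port), "type": cert_type,
                       "certificateChain": chain})


if __name__ == "__main__":
    print(import_body("storage.example.com", 443, "ROOT", SAMPLE_CHAIN))
    print(certificate_id("storage.example.com", 443, "ROOT"))
```
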

PowerProtect Data Manager certificate management

The following topics describe how to replace the default self-signed security certificates for PowerProtect Data Manager with certificates from an approved CA. You can replace the certificates for the UI server and the REST API.

If you have added any vCenter servers, reinstall the PowerProtect plug-in after you replace the security certificates. Reinstall the PowerProtect plug-in for the vSphere client provides more information.

Regardless of the method that you select, if the UI continues to present the default self-signed security certificates, Restart the web service provides instructions.

Prerequisites

The new host certificate must:

Contain the PowerProtect Data Manager server fully qualified domain name in the Subject Common Name (CN) and Subject Alternative Name (SAN) fields.

Not contain the PowerProtect Data Manager server IP address in the SAN field.

UI method

Providing security certificates over HTTPS is secure enough for most environments. Where additional precautions are required, use the manual method to replace the certificates.

Replacing the security certificates through the PowerProtect Data Manager UI requires a private certificate in PKCS#1 (RSA) PEM format and a public certificate chain in PEM format.

Complete Replace security certificates through the UI.


CLI method

The CLI method requires a private key in PKCS#1 (RSA) PEM format and a public certificate chain in PEM format. Use a secure method to transfer the certificates and keys to the PowerProtect Data Manager server.

Complete Replace security certificates with the CLI tool. Appendix REST API Procedures describes alternative ways for advanced users to manually replace the security certificates.

Virtual networks

Adding a virtual network creates a PowerProtect Data Manager interface on that virtual network. If you add a virtual network after you replace the default self-signed certificates, then the replacement certificates may not match the new interface. In this case, connections through the new interface can still produce a certificate warning even when the default interface does not.

To avoid this condition, install wildcard certificates for environments with virtual networks, and access the virtual network interfaces through FQDNs. For example, if the PowerProtect Data Manager server is test.example.com, then:

Name the virtual network interfaces using a subdomain pattern such as vlan-10.test.example.com, vlan-20.test.example.com, and so forth.

Replace the default certificates with signed wildcard certificates for *.test.example.com.

Use the FQDN vlan-10.test.example.com to access PowerProtect Data Manager from VLAN 10, and so forth.

Before you replace the security certificates, review the applicable limitations of wildcard certificates and requirements for Subject Alternative Names.
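One wildcard limitation that matters for this layout: a wildcard covers exactly one label, so *.test.example.com matches vlan-10.test.example.com but not test.example.com itself. The following added example (not from the Dell guide) reviews a planned Subject Alternative Name list against the prerequisites above and the virtual network names. The function names are constructed for illustration, the matching follows the common TLS rule that a wildcard is valid only as the whole leftmost label, and 192.0.2.10 is a documentation address.

```python
import ipaddress


def is_ip(value):
    """True if the SAN entry is an IPv4 or IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def san_matches(pattern, hostname):
    """Match one DNS SAN entry against a hostname.

    A wildcard is honoured only as the complete leftmost label and stands
    for exactly one label, so it never matches the parent name or a name
    that is two levels deeper.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def review_san_plan(server_fqdn, san_entries, interface_fqdns=()):
    """Return a list of problems with a planned SAN list (empty if none)."""
    problems = []
    dns_names = []
    for entry in san_entries:
        if is_ip(entry):
            # Prerequisite: the SAN field must not contain the server IP address.
            problems.append(f"SAN contains an IP address: {entry}")
        else:
            dns_names.append(entry)
    # Prerequisite: the server FQDN itself must be present in the SAN field.
    if server_fqdn.lower() not in [name.lower() for name in dns_names]:
        problems.append(f"server FQDN missing from SAN: {server_fqdn}")
    # Every virtual network interface name needs a matching entry.
    for name in interface_fqdns:
        if not any(san_matches(entry, name) for entry in dns_names):
            problems.append(f"no SAN entry covers {name}")
    return problems


if __name__ == "__main__":
    vlans = ["vlan-10.test.example.com", "vlan-20.test.example.com"]
    # Wildcard alone: the VLAN names are covered, the server FQDN is not.
    print(review_san_plan("test.example.com", ["*.test.example.com"], vlans))
    # Server FQDN plus wildcard: nothing to report.
    print(review_san_plan("test.example.com",
                          ["test.example.com", "*.test.example.com"], vlans))
```
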

Replace security certificates through the UI

This method replaces the certificates for the UI server and the REST API. Only the Administrator and the Security Administrator roles can replace the certificates.

Prerequisites

Review the information in PowerProtect Data Manager certificate management.

Steps

1. From the left navigation pane, select Administration > Certificates.

The Certificates window appears.

2. On the Internal tab, click Replace Certificates. The Replace Certificates dialog box opens.

3. For the server's private certificate, click Select File and browse to the file that contains the RSA private certificate.

Alternatively, you can paste the contents of the certificate file into the corresponding field.

PowerProtect Data Manager validates the input. Correct any errors.

4. If the private certificate is encrypted, the Encrypted Private Key Password field appears. Type the password.

5. For the server's public certificate chain, click Select File and browse to the file that contains the signed certificate chain.

Alternatively, you can paste the contents of the certificate file into the corresponding field.

PowerProtect Data Manager validates the input. Correct any errors.

6. Click Replace.

PowerProtect Data Manager replaces the security certificates for the UI server and the REST API.

7. For any existing UI sessions, refresh the page to allow the new certificates to take effect.

Next steps

If you have added any vCenter servers, reinstall the PowerProtect plug-in. Reinstall the PowerProtect plug-in for the vSphere client provides more information.


Replace security certificates with the CLI tool

This method replaces the security certificates for the UI server and the REST API.

Prerequisites

Review the information in PowerProtect Data Manager certificate management.

About this task

This task assumes that private-key.pem holds the security certificate's private key and that public-cert.pem holds the public certificate chain.

Steps

1. Connect to the PowerProtect Data Manager console as an admin user.

2. Securely copy private-key.pem and public-cert.pem to the /home/admin/.config directory.

3. Change to the /home/admin/.config directory:

cd /home/admin/.config

4. Verify the certificate and key permissions:

ls -l

The console displays output similar to the following:

-rwx------ 1 admin admin 1675 Aug 28 16:57 private-key.pem
-rwx------ 1 admin admin 3824 Aug 28 16:58 public-cert.pem

5. Replace the existing security certificates:

ppdmtool -replacecert -key /home/admin/.config/private-key.pem -cert /home/admin/.config/public-cert.pem

For encrypted keys, include a -password parameter.

6. For any existing UI sessions, refresh the page to allow the new certificates to take effect.

Next steps

If you have added any vCenter servers, reinstall the PowerProtect plug-in. Reinstall the PowerProtect plug-in for the vSphere client provides more information.

Reinstall the PowerProtect plug-in for the vSphere client

After you replace the default self-signed security certificates, there may be a brief delay before PowerProtect Data Manager exchanges the new certificates with attached vCenters.

About this task

During this period, you may see errors in the vSphere client PowerProtect portlet when you select virtual machines:

Service Unavailable: Please contact your administrator.
No healthy upstream.

The PowerProtect plug-in automatically refreshes the connection at the top of every hour and applies the new certificates to correct the condition. To immediately apply the new certificates, complete this task to reinstall the PowerProtect plug-in for each attached vCenter.

The PowerProtect Data Manager Administration and User Guide provides more information about working with the PowerProtect portlet and plug-in.

Only the Administrator role can reinstall the plug-in.

Steps

1. From the left navigation pane, select Infrastructure > Asset Sources.


The Asset Sources window appears.

2. On the vCenter tab, select the affected vCenter, and then click Edit. The Edit vCenter dialog opens.

3. For vSphere Plugin, clear Install.

4. Click Save. PowerProtect Data Manager removes the PowerProtect plug-in from the vCenter.

5. In the vSphere client, look for a notification that the PowerProtect plug-in was removed, and then click REFRESH BROWSER.

If you do not have a notification, log out, and then log in again.

6. Verify that the PowerProtect portlet does not appear when you select virtual machines.

7. In the PowerProtect Data Manager UI, select the affected vCenter again, and then click Edit. The Edit vCenter dialog opens.

8. For vSphere Plugin, select Install.

9. Click Save. PowerProtect Data Manager installs the PowerProtect plug-in for the vCenter.

10. In the vSphere client, look for a notification that the PowerProtect plug-in was successfully deployed, and then click REFRESH BROWSER.

If you do not have a notification, log out, and then log in again.

11. Verify that the PowerProtect portlet appears when you select virtual machines and does not display any errors.

Restart the web service

When you replace the security certificates, the UI may continue to present the default self-signed security certificates. This result can occur regardless of the method that you use to replace the certificates. In this case, restart the web service to apply the changes.

Steps

1. Connect to the PowerProtect Data Manager console and change to the root user.

2. Stop the web service:

systemctl stop nginx

3. Restart the web service:

systemctl start nginx

Next steps

After the web service starts, verify that the UI presents the replacement security certificates.

Exchange the new security certificates with vCenter for SPBM

When you replace the security certificates or upgrade PowerProtect Data Manager, you may need to exchange the new certificates with vCenter for storage policy based management (SPBM).

Steps

1. Obtain the new PowerProtect Data Manager root certificate.

Use SCP or another file transfer utility to download the certificate at /etc/ssl/certificates/custom/globalca.pem from the server.

2. Add the vCenter as an asset source and complete asset discovery.

The PowerProtect Data Manager Administration and User Guide provides more information.

3. Add the new PowerProtect Data Manager root certificate to the vCenter certificate store.

The VMware documentation provides more information.

4. Register PowerProtect Data Manager with SPBM:

The VMware documentation provides more information. Select the top-level vCenter host.

Value       Description
Name        Any descriptive name. For example, PowerProtectDataManager-FQDN.
URL         https://PowerProtectDataManager-FQDN:9009/vasa/version.xml
Username    A PowerProtect Data Manager user with the Administrator role.
Password    The corresponding account password.

Substitute the placeholders with the PowerProtect Data Manager fully qualified domain name.

Results

PowerProtect Data Manager is ready to work with SPBM.

Next steps

If you upgrade PowerProtect Data Manager after replacing the security certificates and exchanging the certificates with SPBM, perform the following steps:

1. Obtain the PowerProtect Data Manager root certificate as described in this task.

2. Add the root certificate to the vCenter certificate store as described in this task.

The registration status shows Rescanning error or Offline until the session refreshes to use the new security certificate. Refreshes happen at the top of every hour. To immediately apply the new certificates, remove the SPBM storage provider, and then repeat step 4.

Remove the PowerProtect Data Manager SPBM security certificates from vCenter

When you replace the security certificates, you can remove the old certificates from vCenter to clean up the certificate store.

Prerequisites

Review VMware KB articles 2111411 and 2146011.

CAUTION: Remove only the root certificate that enables PowerProtect Data Manager to work with SPBM.

Steps

1. Open the vCenter server appliance management interface.

Go to https://vCenter:5480.

2. Enable SSH access.

The VMware documentation provides more information.

3. Establish an SSH session to the vCenter server appliance and then open an elevated BASH shell session.

VMware KB article 2111411 provides instructions.

4. Remove the PowerProtect Data Manager SPBM security certificates from the certificate store.

VMware KB article 2146011 provides instructions for expired or expiring certificates, but the procedure is the same to remove the PowerProtect Data Manager root certificate. The VMware KB article provides instructions for vCenter server appliances and for Windows vCenter servers.

Use the information from the certificate on the PowerProtect Data Manager server at /etc/ssl/certificates/custom/globalca.pem to identify the certificate.

Security Updates and Patching

Topics:

Security updates and patching
Update the Velero or OADP version used by PowerProtect Data Manager

Security updates and patching

Most security updates for PowerProtect Data Manager arrive as part of product updates to subsequent releases.

The PowerProtect Data Manager Administration and User Guide and the PowerProtect Data Manager Deployment Guide for each supported platform provide instructions for updating PowerProtect Data Manager. Use the instructions in Authenticity and Integrity to verify product updates.

Information about security updates and any applicable out-of-cycle updates for PowerProtect Data Manager is posted to Customer Support and included as part of an applicable Dell Security Advisory (DSA).

The following topics provide information about security updates for third-party and embedded components.

Update the Velero or OADP version used by PowerProtect Data Manager

When PowerProtect Data Manager is configured to protect Kubernetes clusters, Velero is used for backup of Kubernetes resources. In an OpenShift environment, PowerProtect Data Manager uses OADP to deploy Velero. Each PowerProtect Data Manager release uses a specific version of Velero by default, which is documented in the file /usr/local/brs/lib/cndm/config/k8s-image-versions.info. If you must update the Velero or OADP version that PowerProtect Data Manager uses in order to pick up the latest security fixes, perform the following procedure.

Prerequisites

NOTE: The Velero version should be updated to an incremental patch build only. A minor or major version of Velero or OADP that is later than the default version that PowerProtect Data Manager uses might not be compatible.

Steps

1. Log in to PowerProtect Data Manager as an admin user.

2. Open the file /usr/local/brs/lib/cndm/config/k8s-dependency-versions-app.properties.

3. In a non-OpenShift environment, add the following line to this file to update the Velero version, and then save the file:

k8s.velero.version=vx.y.z

Where vx.y.z is the Velero incremental patch version.

4. In an OpenShift environment, add the following line to this file to update the OADP version, and then save the file:

k8s.oadp.version=x.y.z

Where x.y.z is the OADP incremental patch version.

5. Restart the CNDM service by running the command cndm restart, and then wait for a few seconds for the service to restart.

6. From the PowerProtect Data Manager UI, run a manual discovery of the Kubernetes cluster. When the discovery completes successfully, the configuration that is stored in the configuration map ppdm-controller-config in the powerprotect namespace on the Kubernetes cluster is updated.

7. Run the following commands to delete the powerprotect-controller pod on the Kubernetes cluster. This action forces a restart, during which the changes take effect. This step should be performed when there are no backup or restore operations in progress.

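kubectl get pod -n powerprotect
kubectl delete pod <powerprotect-controller-pod-name> -n powerprotect

where <powerprotect-controller-pod-name> is the name of the powerprotect-controller pod that the first command lists.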

8. Repeat steps six and seven for each Kubernetes cluster that is protected by PowerProtect Data Manager.
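The NOTE in the prerequisites restricts the change to an incremental patch build. The following guard enforces that rule before it writes the property in step 3 or step 4. It is an added example, not Dell tooling: the function names and the version numbers used to exercise it are hypothetical, and the default version is passed in by the operator because the guide does not show the layout of k8s-image-versions.info.

```shell
#!/bin/sh
# Added example (not Dell tooling): refuse anything but a patch-level bump
# before writing k8s.velero.version or k8s.oadp.version.

# Exit 0 if $2 is a later patch build of the same major.minor as $1,
# 1 if it is not, 2 if either value is not of the form [v]x.y.z.
is_patch_update() (
    old=${1#v}; new=${2#v}
    for v in "$old" "$new"; do
        printf '%s\n' "$v" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$' || exit 2
    done
    [ "${old%.*}" = "${new%.*}" ] || exit 1   # major.minor must not change
    [ "${new##*.}" -gt "${old##*.}" ]         # patch number must increase
)

# Set key=value in a properties file, replacing an earlier assignment of
# the same key so that the file never carries two conflicting lines.
set_property() (
    file=$1; key=$2; value=$3
    [ -f "$file" ] || exit 1
    tmp=$(mktemp) || exit 1
    awk -v k="$key=" 'index($0, k) != 1' "$file" > "$tmp"
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    cat "$tmp" > "$file"    # keeps the original owner and mode
    rm -f "$tmp"
)

# update_version FILE KEY DEFAULT REQUESTED
# DEFAULT is the version the release ships with, read by the operator from
# k8s-image-versions.info (passed in rather than parsed; see the lead-in).
update_version() {
    if is_patch_update "$3" "$4"; then
        set_property "$1" "$2" "$4"
    else
        echo "refused: $4 is not a later patch build of ${3%.*}" >&2
        return 1
    fi
}
```

The patch number is compared numerically, so x.y.10 is correctly treated as later than x.y.2.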

Authenticity and Integrity

Topics:

About product authenticity and integrity
Verification

About product authenticity and integrity

PowerProtect Data Manager uses multiple methods to protect product code and downloads against compromise or corruption. These methods include SHA-256 checksums and digital signatures that you can verify through the methods included in this chapter.

The Drivers & Downloads area on Customer Support provides a set of checksum values for every file.

Critical processes, such as the deployment and update workflows, automatically check authenticity and integrity, and fail if either is compromised. However, there are several points where you should verify components and binaries before using them:

After you download the deployment or update packages.
After you download the application agents and other PowerProtect Data Manager installable binaries.
After you download hotfixes.

Some procedures, such as PowerProtect Data Manager deployment and updates, contain steps or opportunities to verify certificates or signatures.

Verification

The following topics describe how you can verify the authenticity and integrity of PowerProtect Data Manager components and binaries. Verification typically includes confirmation that the components have not changed since the digital signatures were applied.

Most commonly, PowerProtect Data Manager components and binaries are either digitally signed or provided along with cryptographic checksums that you can use to verify the files.

Checksums for each component or binary may be provided on Customer Support, in KB articles, in this guide, or within PowerProtect Data Manager itself.

If your environment does not already contain a trusted root certificate authority (CA) for Entrust Code Signing Root Certification Authority - CSBR1, some verification operations may fail. In these cases, you can import the required root certificate, for example into your vCenter server, to verify the signatures.

Verify the signer or signers for Windows binaries

Use these steps to confirm that a Windows executable file or driver was signed by Dell and has not changed since the signing.

About this task

Some components, such as the File System and Microsoft Exchange Server agents, use drivers which both Dell and Microsoft have signed. These agents use block-based backup (BBB) drivers for backup and restore operations. The driver (nsrbbb.sys) resides in the Windows system folder, typically C:\Windows\System32\drivers. For dual-signed binaries, ensure that the signature list contains entries for both Dell and Microsoft.

Steps

1. Locate and select the file in the Windows File Explorer.

2. Right-click the file and select Properties. The Properties sheet opens to the General tab.

3. Select the Digital Signatures tab. The tab displays a list of the digital signatures that are associated with the file.

4. Verify that the signature list includes an entry for Dell Technologies.

5. (Optional) Click Details to inspect the digital signature fields.

Verify the vendor for Linux (RPM-based) packages

Use these steps to confirm that a Linux RPM package file was signed by Dell and has not changed since the signing.

Steps

1. Open a terminal window or shell session.

2. Change directory to the location of the package file.

3. Check the properties for the package file:

rpm -qip package | grep Vendor

where package is the package filename.

4. Verify that the package vendor is Dell EMC Corporation.

Verify the vendor for Linux (Debian-based) packages

Use these steps to confirm that a Linux Debian package file was signed by Dell and has not changed since the signing.

Steps

1. Open a terminal window or shell session.

2. Change directory to the location of the package file.

3. Check the properties for the package file:

dpkg-deb --showformat='${Package}\t${Version}\t${Maintainer}\n' --show package

where package is the package filename.

4. Verify that the package vendor is Dell EMC support.

Verify GPG signatures for Linux (RPM-based) packages

Use these steps to confirm that a Linux RPM package file was signed by Dell and has not changed since the signing.

Prerequisites

For GnuPG (GPG)-signed RPM package files, the public keys are valid for one year. Use the Dell public key for the year that the package was signed when you verify each package file. These annual public keys are provided as part of knowledge base (KB) articles KB000180913 and KB000197389.

Steps

1. Open a terminal window or shell session.

2. Change directory to the location of the package file.

3. Verify that the package file has a signature:

rpm --checksig -v package

where package is the package filename.

If the package file has a signature, output similar to the following appears:

package:
Header V3 RSA/SHA1 Signature, key ID c5dfe03d: NOKEY
Header SHA1 digest: OK (81e359380a5e229d96c79135aea58d935369c827)
V3 RSA/SHA1 Signature, key ID c5dfe03d: NOKEY
MD5 digest: OK (cc2ac691f115f7671900c8896722159c)

The NOKEY messages indicate that the Linux system does not recognize the signing key.

4. Locate the applicable Dell public key in the KB article.

Copy the public key to a new text file on the Linux system and save the file.

5. Import the Dell public key to the local trust store:

rpm --import keyfile

where keyfile is the text file that you created in a previous step.

6. With the Dell public key imported, reverify that the package file has a valid signature:

rpm --checksig -v package

where package is the package filename.

If the package file has a valid signature, output similar to the following appears:

package:
Header V3 RSA/SHA1 Signature, key ID c5dfe03d: OK
Header SHA1 digest: OK (81e359380a5e229d96c79135aea58d935369c827)
V3 RSA/SHA1 Signature, key ID c5dfe03d: OK
MD5 digest: OK (cc2ac691f115f7671900c8896722159c)

The OK messages indicate that the Linux system recognizes that the package was signed by a trusted key.
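In both outputs above the digest lines read OK; only the Signature lines change, and those are the lines that tie the package to a signing key. The following added example, which is not Dell tooling, reduces `rpm --checksig -v` output to one verdict and can also confirm that the key ID is the expected one. The function names are hypothetical, the samples are constructed from the output shown in this guide, and the parser assumes that line format.

```shell
#!/bin/sh
# Added example (not Dell tooling): turn `rpm --checksig -v` output into a
# single verdict. Assumes the line format shown in this guide.

# Reads rpm --checksig -v output on stdin. Optional $1: the key ID that the
# package is expected to be signed with (taken from the Dell KB article).
# Prints one of: verified, wrong-key, nokey, bad, unsigned.
# Exit status is 0 only for "verified".
rpm_checksig_verdict() {
    awk -v want="${1-}" '
        /Signature, key ID/ {
            n = split($0, part, ": ")
            status = part[n]
            id = $0
            sub(/.*key ID /, "", id)
            sub(/:.*/, "", id)
            if (status == "OK") {
                ok++
                if (want != "" && tolower(id) != tolower(want)) wrong++
            } else if (status == "NOKEY") {
                nokey++      # signature present, signing key not imported
            } else {
                bad++        # any other status is treated as a failure
            }
            next
        }
        /digest:/ && !/digest: OK/ { bad++ }
        END {
            if (bad)        { v = "bad" }
            else if (nokey) { v = "nokey" }
            else if (wrong) { v = "wrong-key" }
            else if (ok)    { v = "verified" }
            else            { v = "unsigned" }  # digests only: no proof of origin
            print v
            exit (v == "verified" ? 0 : 1)
        }'
}

# Constructed samples, modelled on the output shown in this guide.
sample_before_import() {
    cat <<'EOF'
package.rpm:
    Header V3 RSA/SHA1 Signature, key ID c5dfe03d: NOKEY
    Header SHA1 digest: OK (81e359380a5e229d96c79135aea58d935369c827)
    V3 RSA/SHA1 Signature, key ID c5dfe03d: NOKEY
    MD5 digest: OK (cc2ac691f115f7671900c8896722159c)
EOF
}
sample_after_import() { sample_before_import | sed 's/NOKEY$/OK/'; }
sample_digests_only() { sample_before_import | grep -v Signature; }
```

On a real package the call is `rpm --checksig -v package | rpm_checksig_verdict c5dfe03d`, with the key ID taken from the KB article for the signing year.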

Verify the signature for JAR files

Some PowerProtect Data Manager components come in Java Archive (JAR) format. You can confirm that a signed JAR file has not changed since the signing.

Ensure that your Java environment is correctly configured and that you know the installed location of the Java Runtime Environment (JRE) or Java Development Kit (JDK), for example, by placing the Java locations in your system path. Current versions of the JDK contain the correct root certificate authority.

Open a command prompt, terminal window, or shell session and type the following command:

jarsigner -verify <jar-file>

where <jar-file> is the name of the JAR file. If the JAR file is not in the current directory, the file path is also required.

The following output appears:

jar verified.

Java verifies that the contents of the JAR file have not changed since the archive was signed. Observe the output for errors.

For more information about the signature on the JAR file, use the -verbose parameter.

Verify SHA-256 checksums in Windows

Before you use a downloaded file, you can verify the file against the SHA-256 cryptographic checksums that Dell provides.

Open the command prompt and type the following command:

certutil -hashfile <file> SHA256

where <file> is the name of the downloaded file. If the downloaded file is not in the current directory, the file path is also required.

Output similar to the following appears:

SHA256 hash of file <file>:
61 00 a8 28 82 99 86 f6 0c 43 dd e4 f8 8d 44 53 25 ab 55 48 1f 50 d9 9d 65 4a 87 70 67 54 f7 b2
CertUtil: -hashfile command completed successfully.

Compare the computed checksum to the checksum that you obtained with the downloaded file. The output of this command contains spaces, while the provided checksum may not.

Verify SHA-256 checksums in Linux

Before you use a downloaded file, you can verify the file against the SHA-256 cryptographic checksums that Dell provides. Checksums can be provided in separate files or as strings.

Checksum file provided

Open a terminal window or shell session and type the following command:

sha256sum -c *.sha256

where is the name of the downloaded file. If the downloaded file is not in the current directory, the file path is also required.

Output similar to the following appears:

: OK

The checksum utility automatically compares the computed checksum to the value stored in the checksum file. Observe the output for errors.

Checksum file not provided

Open a terminal window or shell session and type the following command:

sha256sum <file>

where <file> is the name of the downloaded file. If the downloaded file is not in the current directory, the file path is also required.

Output similar to the following appears:

43c403cb8a86fd3a3c75dc73c83cc81bae507ecf92195ee5fd1196eedc6e3076

Manually compare the computed checksum to the checksum that Dell provides.
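The manual comparison above, and the spaced output that the Windows topic warns about, can be handled by one comparison that normalizes the published value first. This is an added example, not Dell tooling, with hypothetical function names; it goes slightly beyond the text by rejecting a published value that is not a complete 64-digit checksum, so a truncated paste cannot pass.

```shell
#!/bin/sh
# Added example (not Dell tooling): compare a file's SHA-256 with a
# published value, whatever layout the published value was copied in.

# Strip whitespace and lower-case, so "61 00 A8 ..." equals "6100a8...".
normalize_sha256() {
    printf '%s' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# Print the SHA-256 of file $1 as 64 lower-case hex digits. Falls back to
# openssl (the tool this guide uses on AIX) when sha256sum is absent.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{ print $1 }'
    else
        openssl dgst -sha256 < "$1" | awk '{ print $NF }'
    fi
}

# verify_sha256 FILE EXPECTED
# Exit 0 on match, 1 on mismatch, 2 if FILE is not a readable file or
# EXPECTED is not a complete 64-digit hexadecimal value.
verify_sha256() (
    [ -f "$1" ] && [ -r "$1" ] || { echo "cannot read $1" >&2; exit 2; }
    want=$(normalize_sha256 "$2")
    case $want in
        *[!0-9a-f]*) echo "expected value is not hexadecimal" >&2; exit 2 ;;
    esac
    [ "${#want}" -eq 64 ] || { echo "expected value is not 64 digits" >&2; exit 2; }
    got=$(sha256_of "$1")
    if [ "$got" = "$want" ]; then
        echo "OK $1"
    else
        echo "MISMATCH $1: computed $got" >&2
        exit 1
    fi
)
```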

Verify SHA-256 checksums in AIX

Before you use a downloaded file, you can verify the file against the SHA-256 cryptographic checksums that Dell provides.

Open a terminal window or shell session and type the following command:

openssl dgst -sha256 <file>

where <file> is the name of the downloaded file. If the downloaded file is not in the current directory, the file path is also required.

Output similar to the following appears:

SHA256(<file>)= 91ce20bc1a3db3001463125df6f136ff692356d122e09a4cb1044bce2d1063e9

Manually compare the computed checksum to the checksum that Dell provides.

Miscellaneous Configuration and Management Elements

Topics:

Licensing
Installing client software
Application and application data backups

Licensing

The PowerProtect Data Manager Licensing Guide provides more information about the product licensing options and capabilities.

Installing client software

The client-side requirements for protection differ for each asset type and operating environment. The PowerProtect Data Manager application agent and asset user guides provide specific information about data protection security requirements, such as any necessary accounts, credentials, and system or resource permissions.

Port usage provides information about communication between assets, agents, and PowerProtect Data Manager components.

Application and application data backups

The PowerProtect Data Manager Administration and User Guide contains instructions to configure server disaster recovery (DR) protection and recover from server DR backups. You can configure backup retention and manage existing backups.

By default, PowerProtect Data Manager automatically configures server DR to use the first protection storage system. You can configure the destination by using the instructions in the PowerProtect Data Manager Administration and User Guide.

REST API Procedures

This appendix describes additional methods to complete some procedures, if the recommended methods do not apply.

Log in to the PowerProtect Data Manager REST API provides instructions to obtain an access token, an important prerequisite for the tasks in this appendix.

Topics:

Manual certificate replacement
Change a local user password through the REST API
Configure compliance verification through the REST API

Manual certificate replacement

The recommended methods for replacing the security certificates may not apply to some environments that require additional precautions. The following topics describe additional manual methods to replace the default self-signed security certificates for PowerProtect Data Manager with certificates from an approved authority, if the recommended methods do not apply.

Review the guidance in Virtual networks. Use a secure method to transfer the certificates and keys to the PowerProtect Data Manager server.

Manual certificate replacement topics use the following filename placeholders and naming conventions for the required certificates and keystores:

custom.pem: A public certificate chain in PEM format, signed by a Certificate Authority (CA).

customkey.pem: The corresponding private key in PKCS#1 (RSA) PEM format.

Optionally:

custom.keystore: A Java keystore with the private key and public certificate, signed by a CA.

globalca.pem: The root certificate for the CA that signed the public certificate.

Complete Prepare a public certificate and private key from a keystore as necessary to prepare the required files in the proper formats. Then use the REST API to replace the security certificates by completing Manually install a custom security certificate through the REST API.

Prepare a public certificate and private key from a keystore

If you have a Java keystore that contains a private key and public certificate, extract the key and certificate from the keystore.

Steps

1. Connect to the PowerProtect Data Manager console and change to the root user.

2. Securely copy custom.keystore to the /etc/ssl/certificates/custom directory.

3. Change to the /etc/ssl/certificates/custom directory:

cd /etc/ssl/certificates/custom

4. Export the public certificate in PEM format from the keystore:

keytool -list -alias custom -keystore custom.keystore -storepass custompass -rfc > custom.pem

Replace custom with the keystore alias that corresponds to the public certificate and custompass with the keystore password.

5. Export the private key from the keystore in PKCS#12 format:

keytool -importkeystore -srckeystore custom.keystore -srcalias custom -srcstorepass jkspass -destkeystore custom.p12 -deststoretype PKCS12 -storepass pkcspass

Replace custom with the keystore alias that corresponds to the private key. Replace jkspass with the Java keystore password and pkcspass with a password for the PKCS file, respectively.

6. Convert the private key to PEM format:

openssl pkcs12 -in custom.p12 -passin pass:pkcspass -nocerts -nodes -out customkey.rsa
openssl rsa -in customkey.rsa -out customkey.pem

Replace pkcspass with the password for the PKCS file.

7. Print the contents of the certificate:

openssl x509 -text -in custom.pem

8. Extract the CA root certificate from the output.

Save the CA root certificate as globalca.pem.

Manually install a custom security certificate through the REST API

Alternatively, you can use the REST API to replace the security certificate. You must have the public certificate chain in PEM format and the private key in PKCS#1 (RSA) PEM format.

About this task

The certificate and key examples in this task are simplified for clarity and space.

The PowerProtect Data Manager REST API documentation provides more information, including examples, about how to use the REST API. Use curl or a client of your choice and supply a valid access token with each call after the log-in. Clients may require additional parameters to allow connections to servers that use self-signed certificates.

Steps

1. Log in to the PowerProtect Data Manager REST API as a user with the Administrator or Security Administrator role.

Record the access token.

2. Replace the security certificate:

POST https://{{server}}:{{port}}/api/v2/certificates-replacement

Headers:
Content-Type: application/json
Authorization: Bearer {{access-token}}

{
  "privateKey": "{{private-key}}",
  "certificateChain": "{{cert-chain}}",
  "password": "{{password}}"
}

Replace {{private-key}} with a \n-delimited single-line string that represents the contents of customkey.pem. For example:

-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEArG7\n7HmzXgmP+7owxddYeId\nuXzfA7hedyuxRSV7Whb\nQQKvO3fQz3ywb6i56Lq\n-----END RSA PRIVATE KEY-----\n

Replace {{cert-chain}} with a \n-delimited single-line string that represents the contents of custom.pem. For example:

-----BEGIN CERTIFICATE-----\nMIIDdzCCAl+gAwIBAgI\nUzERMA8GA1UEChMIU2l\nMDkyMjE4MDEzNFoXDTI\nBAoTC1BQRE0gU2VydmV\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nEHD0fXjANBgkqhkiG9w\nd3cuc2lnbi5jb20gYz1\nZ24gUm9vdCBDQTAeFw0\nBgNVBAYTAlVTMREwDwY\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIDSTCCAjGgAwIBAgI\nd3cuc2lnbi5jb20gYz1\nZ24gUm9vdCBDQTAeFw0\nBgNVBAsTEXd3dy5zaWd\n-----END CERTIFICATE-----\n

The password is an optional field, used when you supply an encrypted private key.

The REST API service returns a status code:

201 Created
{
  "id": "004c443c-3e55-44da-ac1a-59fe65fec13a",
  "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEArG7\n7HmzXgmP+7owxddYeId\nuXzfA7hedyuxRSV7Whb\nQQKvO3fQz3ywb6i56Lq\n-----END RSA PRIVATE KEY-----\n",
  "certificateChain": "-----BEGIN CERTIFICATE-----\nMIIDdzCCAl+gAwIBAgI\nUzERMA8GA1UEChMIU2l\nMDkyMjE4MDEzNFoXDTI\nBAoTC1BQRE0gU2VydmV\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nEHD0fXjANBgkqhkiG9w\nd3cuc2lnbi5jb20gYz1\nZ24gUm9vdCBDQTAeFw0\nBgNVBAYTAlVTMREwDwY\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nMIIDSTCCAjGgAwIBAgI\nd3cuc2lnbi5jb20gYz1\nZ24gUm9vdCBDQTAeFw0\nBgNVBAsTEXd3dy5zaWd\n-----END CERTIFICATE-----\n"
}

3. For any existing UI sessions, refresh the page to allow the new certificates to take effect.

Next steps

If you have added any vCenter servers, reinstall the PowerProtect plug-in. Reinstall the PowerProtect plug-in for the vSphere client provides more information.

If the UI continues to present the default self-signed security certificates, Restart the web service provides instructions.
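Step 2 requires the key and the chain as \n-delimited single-line strings. The following added example, which is not Dell tooling, builds the request body from customkey.pem and custom.pem. It keeps only the PEM blocks, because `keytool -list -rfc` prints entry details before each certificate, and it refuses a key file that has no PKCS#1 (RSA) block. The function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not Dell tooling): build the JSON body for
# POST /api/v2/certificates-replacement from customkey.pem and custom.pem.

# Print every PEM block of type $1 found on stdin as one line, with each
# line break written as the two characters backslash + n. Text outside
# the blocks is dropped; blank lines inside a block are kept, because an
# encrypted PKCS#1 key separates its headers from the body with one.
pem_blocks() {
    tr -d '\r' | awk -v b="-----BEGIN $1-----" -v e="-----END $1-----" '
        { sub(/[ \t]+$/, "") }
        $0 == b { keep = 1 }
        keep    { printf "%s\\n", $0 }
        $0 == e { keep = 0 }'
}

# Escape backslash and double quote for use inside a JSON string.
# Assumption: the password holds no control characters.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# build_cert_payload KEY_FILE CHAIN_FILE [PASSWORD]
# The output contains the private key: write it only to a file created
# under a restrictive umask, and delete that file after the call.
build_cert_payload() (
    key=$(pem_blocks 'RSA PRIVATE KEY' < "$1")
    chain=$(pem_blocks 'CERTIFICATE' < "$2")
    [ -n "$key" ] || { echo "error: no PKCS#1 (RSA) key block in $1" >&2; exit 1; }
    [ -n "$chain" ] || { echo "error: no certificate block in $2" >&2; exit 1; }
    if [ -n "${3-}" ]; then
        printf '{"privateKey":"%s","certificateChain":"%s","password":"%s"}\n' \
            "$key" "$chain" "$(json_escape "$3")"
    else
        printf '{"privateKey":"%s","certificateChain":"%s"}\n' "$key" "$chain"
    fi
)

# Constructed sample files (shortened, not real key material), written
# into directory $1. custom.pem imitates keytool -list -rfc output.
write_samples() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEowIBAAKCAQEArG7' \
        '-----END RSA PRIVATE KEY-----' > "$1/customkey.pem"
    printf '%s\n' 'Alias name: custom' 'Certificate[1]:' \
        '-----BEGIN CERTIFICATE-----' 'MIIDdzCCAl+gAwIBAgI' \
        '-----END CERTIFICATE-----' 'Certificate[2]:' \
        '-----BEGIN CERTIFICATE-----' 'EHD0fXjANBgkqhkiG9w' \
        '-----END CERTIFICATE-----' > "$1/custom.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIEvQIBADANBgkqhki' \
        '-----END PRIVATE KEY-----' > "$1/pkcs8.pem"
}
```

A key file that begins with BEGIN PRIVATE KEY is PKCS#8 and is rejected; the `openssl rsa` conversion in the keystore task produces the PKCS#1 form that this task requires.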

Change a local user password through the REST API

If the password for a local identity provider user has expired, and the user has navigated away from the UI password expiry prompt, use the REST API to change the password.

Prerequisites

If you do not know the current password, Reset a forgotten local user password provides more information. External identity provider users cannot reset their password using this procedure. Contact the identity provider administrator to reset your password.

About this task

The PowerProtect Data Manager REST API documentation provides more information, including examples, about how to use the REST API. Use curl or a client of your choice. Clients may require additional parameters to allow connections to servers that use self-signed certificates.

Steps

Change the local user password:

POST https://{{server}}:{{port}}/api/v2/account/change-password

Headers:
Content-Type: application/json

{
  "username": "{{username}}",
  "password": "{{existing-password}}",
  "newPassword": "{{new-password}}"
}

where {{username}} and {{existing-password}} are the expired credentials and {{new-password}} is a new password that conforms to the Common password policy.

The REST API service returns a status code and the username.

Configure compliance verification through the REST API

Some maintenance procedures may require you to temporarily disable compliance verification. Use this task only when referenced elsewhere.

About this task

The PowerProtect Data Manager REST API documentation provides more information, including examples, about how to use the REST API. Use curl or a client of your choice and supply a valid access token with each call after the log-in. Clients may require additional parameters to allow connections to servers that use self-signed certificates.

Steps

1. Log in to the PowerProtect Data Manager REST API as a user with the Administrator role.

Record the access token.

2. Disable compliance verification:

POST https://{{server}}:{{port}}/api/v2/common-settings/COMPLIANCE_SETTING

Headers:
Content-Type: application/json
Authorization: Bearer {{access-token}}

{
  "id": "COMPLIANCE_SETTING",
  "properties": [
    {
      "name": "scheduleEnable",
      "value": "false",
      "type": "BOOLEAN"
    }
  ]
}

The REST API service returns a status code.

3. Enable compliance verification:

POST https://{{server}}:{{port}}/api/v2/common-settings/COMPLIANCE_SETTING

Headers:
