Dell EMC Networker Security Configuration Guide CONTENTS


Dell EMC NetWorker Version 18.2 Security Configuration Guide
302-005-318 Rev 03
September, 2019

Copyright © 2014-2019 Dell Inc. or its subsidiaries. All rights reserved.

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS-IS." DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA.

Dell EMC
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.DellEMC.com

CONTENTS

Figures 7
Tables 9
Preface 11

Chapter 1 Introduction 15

Chapter 2 Access Control Settings 17
    NetWorker Authentication Service 18
    NetWorker Authentication Service database 18
    Managing authentication 20
        Configuring LDAP or AD authentication authorities 20
        Querying the LDAP or AD directory from NetWorker Authentication Service 35
        Managing the NetWorker Authentication Service local database 38
        Harden the Authentication Service on port 9090 47
    Managing the NetWorker Authentication Service options 48
        Managing token policies 48
        Managing local database password policies 49
        Configure CLI options 51
        Changing the NetWorker Authentication Service port 52
    How user authentication and authorization works in NMC and NetWorker 52
        Modifying authentication methods for NetWorker servers in NMC 54
        User authorization 55
        Changing the NetWorker Authentication Service hostname and port number 77
    How user authentication and authorization works in NWUI 78
    Enabling HTTPS on an Apache Web Server 79
        Launching the NMC through an HTTPS port 82
    Disabling SSLv3 cipher connectivity to the PostgreSQL database on the NMC server 84
    Component access control 85
        Component authentication 85
        Component authorization 98
    Generate self signed certificate 101
    Enabling two factor authentication for AD and LDAP users 102

Chapter 3 Log Settings 103
    NetWorker log files 104
        NetWorker Server log files 104
        NMC server log files 107
        NetWorker Client log files 108
        View log files 110
        Raw log file management 114
        Monitoring changes to the NetWorker server resources 117
        Configuring logging levels 118
    NetWorker Authentication Service logs 126
        NetWorker Authentication Service log files 126
        NetWorker Authentication Service server log file management 127
        CLI log file management 128

Chapter 4 Communication Security Settings 131
    Port usage and firewall support 132
        Service ports 132
        Connection ports 133
    Special considerations for firewall environments 133
        Configuring TCP keepalives at the operating system level 134
    Determining service port requirements 135
        NetWorker client service port requirements 136
        Service port requirements for NetWorker storage nodes 136
        Service port requirements for the NetWorker server 137
        Service port requirements for NMC Server 139
    Configuring service port ranges in NetWorker 139
        Determine the available port numbers 139
        Configuring the port ranges in NetWorker 139
    Configuring the service ports on the firewall 142
        How to confirm the NMC server service ports 147
    Determining service port requirement examples 147
    Troubleshooting 153

Chapter 5 Data Security Settings 157
    AES encryption for backup and archive data 158
        Creating or modifying the lockbox resource 158
        Defining the AES pass phrase 159
        Configuring the client resource to use AES encryption 160
        Configure encryption for a client-initiated backup 160
        Recover encrypted data 161
    Federal Information Processing Standard compliance 162
    Data integrity 163
        Verifying the integrity of the backup data 163
        Verifying the integrity of the NetWorker server media data and client file indexes 165
    Data erasure 166
        NetWorker server media database and index data management 166
        Manually erasing data on tape and VTL volumes 167
        Manually erasing data from an AFTD 167
    Security alert system settings 168
        Monitoring changes to NetWorker server resources 168
        Security audit logging 168

Chapter 6 Hardening the NetWorker 181
    Security Hardening For The NetWorker Management Console 182
        Enabling the Modules Required To Harden Apache httpd 182
        Enable Apache httpd directives 182
        Enabling HTTPS 183
        Configuring gconsole file to Enable HTTPS 185
        Replacing Default Tomcat Web Pages 185
    Security Hardening For The NetWorker Authentication Tomcat Service 186
        Hardening the NSR Tomcat Services 186
    Harden the Authentication Service on port 9090 187

FIGURES

1 NetWorker Authentication Service Database hierarchy 20
2 External Authority pane in the NMC Console 21
3 Create External Authentication Authority 22
4 User