Dell EMC OpenManage Enterprise 3.6 Security Configuration Guide September 2021 Rev.
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2017 - 2021 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents

Figures 4
Tables 5
Chapter 1: PREFACE 6
Chapter 2: Security quick reference

Figures

1 OME security control map 9
2 Security settings 10
3 Application settings

Tables

1 OpenManage Enterprise Supported protocols and ports on management stations 17
2 OpenManage Enterprise supported protocols and ports on the managed nodes
1 PREFACE As part of an effort to improve its product lines, Dell EMC periodically releases revisions of its software and hardware. Some functions that are described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information about product features. Contact your Dell EMC technical support professional if a product does not function properly or does not function as described in this document.
3. Verify your country or region in the Choose a Country/Region drop-down list at the bottom of the page.
4. Select the appropriate service or support link based on your need.

Reporting security vulnerabilities

Dell EMC takes reports of potential security vulnerabilities in our products very seriously. If you discover a security vulnerability, you are encouraged to report it to Dell EMC immediately.
2 Security quick reference

Topics:
● Deployment models
● Security profiles

Deployment models

Dell EMC OpenManage Enterprise is designed to be deployed as a virtual appliance for a variety of supported hypervisors (VMware, Hyper-V, and KVM). In general, it can be used in environments that support loading the VMDK or VHD formats. For more information about deploying OME, see the deployment whitepaper at Deploy Dell EMC OpenManage Enterprise Virtual Appliance on Different Hypervisors.
3 Product and subsystem security

Topics:
● Security controls map
● Authentication
● Login security settings
● Authentication types and setup considerations
● Authorization
● Data security
● Cryptography

Security controls map

OpenManage Enterprise is a systems management and monitoring application that provides a comprehensive view of the Dell EMC servers, chassis, storage, and network switches on the enterprise network.
Login security settings

Dell EMC OpenManage Enterprise supports only secure connections to the appliance over a TLS 1.2 channel. OME redirects all HTTP requests to HTTPS, which ensures that credentials are only ever sent over an encrypted channel. OME security configuration settings are accessible in the Web UI on the OpenManage Enterprise > Application Settings > Security page.
Figure 3. Application settings
Figure 4. Configuration settings for timeouts/max concurrent sessions

Inactive sessions are deleted when the administrator-configured inactivity timeout expires, and the user is logged out of the console.

Authentication types and setup considerations

OpenManage Enterprise supports local user authentication and authentication via AD/LDAP or OpenID Connect providers. OpenManage Enterprise supports basic and session-based (X-Auth) authentication types for local users.
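The session-based (X-Auth) flow described above, as an added example that is not part of Dell's guide or code. It assumes the publicly documented OME REST session endpoint, POST /api/SessionService/Sessions with a JSON body of UserName, Password and SessionType, returning the token in the X-Auth-Token response header and the session Id in the body, and DELETE /api/SessionService/Sessions('<Id>') to end the session. The in-process mock server, its credential store and the protected path /api/ProtectedResource are constructed stand-ins so the exchange can be run offline; the mock speaks plain HTTP on localhost, whereas a real appliance accepts only HTTPS.

```python
"""X-Auth session flow against an in-process stand-in for the OME REST API.
Added example, not Dell code. Assumed from the public OME API:
POST /api/SessionService/Sessions (JSON: UserName, Password, SessionType)
returns the token in the X-Auth-Token header and the session Id in the body;
DELETE /api/SessionService/Sessions('<Id>') ends the session. The mock server,
its credential store and PROTECTED_PATH are constructed for this example."""
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS_PATH = "/api/SessionService/Sessions"
PROTECTED_PATH = "/api/ProtectedResource"      # constructed, not a real OME path
MOCK_USERS = {"admin": "Example-Passw0rd!"}    # constructed mock credentials


class MockOmeHandler(BaseHTTPRequestHandler):
    """Issues one token per successful login and checks it on later calls."""
    sessions = {}                       # session Id -> token, shared across requests

    def log_message(self, *_):          # keep the example quiet
        pass

    def _reply(self, status, payload=None, headers=None):
        self.send_response(status)
        for name, value in (headers or {}).items():
            self.send_header(name, value)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        if payload is not None:
            self.wfile.write(json.dumps(payload).encode())

    def _authorised(self):
        return self.headers.get("X-Auth-Token") in self.sessions.values()

    def do_POST(self):
        if self.path != SESSIONS_PATH:
            return self._reply(404)
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}"
        body = json.loads(raw)
        expected = MOCK_USERS.get(str(body.get("UserName")), "")
        # Constant-time comparison so the mock does not leak password prefixes.
        if not expected or not secrets.compare_digest(expected, str(body.get("Password", ""))):
            return self._reply(401)
        session_id, token = secrets.token_hex(8), secrets.token_urlsafe(32)
        self.sessions[session_id] = token
        self._reply(201, {"Id": session_id}, {"X-Auth-Token": token})

    def do_GET(self):
        self._reply(200, {"ok": True}) if self._authorised() else self._reply(401)

    def do_DELETE(self):
        if not self._authorised():
            return self._reply(401)
        session_id = self.path[len(SESSIONS_PATH) + 2:-2]   # strip ...('  and  ')
        self.sessions.pop(session_id, None)
        self._reply(204)


def _call(method, url, token=None, body=None):
    """One REST call; returns (status, response headers, decoded JSON body)."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Auth-Token"] = token   # after login the token replaces the password
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.headers, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, err.headers, None


def create_session(base_url, user, password):
    status, headers, body = _call("POST", base_url + SESSIONS_PATH,
                                  body={"UserName": user, "Password": password,
                                        "SessionType": "API"})
    if status != 201:
        raise PermissionError(f"login rejected with HTTP {status}")
    return body["Id"], headers["X-Auth-Token"]


def get_protected(base_url, token):
    return _call("GET", base_url + PROTECTED_PATH, token=token)[0]


def delete_session(base_url, session_id, token):
    return _call("DELETE", f"{base_url}{SESSIONS_PATH}('{session_id}')", token=token)[0]


def start_mock_server():
    server = HTTPServer(("127.0.0.1", 0), MockOmeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_flow():
    """Login, call with the token, log out, confirm the token is dead, try a bad password."""
    server, base = start_mock_server()
    try:
        session_id, token = create_session(base, "admin", MOCK_USERS["admin"])
        while_live = get_protected(base, token)        # 200 while the session lives
        delete_session(base, session_id, token)
        after_logout = get_protected(base, token)      # 401 once the session is gone
        try:
            create_session(base, "admin", "wrong-password")
            bad_login = "accepted"
        except PermissionError:
            bad_login = "rejected"
        return {"while_live": while_live, "after_logout": after_logout, "bad_login": bad_login}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_flow())
```

The point of the flow is that the password crosses the wire exactly once; every later call carries only the short-lived token, and deleting the session invalidates that token immediately, which is what makes the inactivity timeout in Figure 4 meaningful.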
Configuring Active Directory

Users can configure Active Directory by navigating to Application Settings > Directory Service.

Figure 6. Configuring Active Directory

OIDC authentication

Users can configure OpenID Connect providers by navigating to Application Settings > OIDC.
Figure 7. OIDC authentication

User and credential management

Administrators can create and manage user accounts from the Users page by navigating to Application Settings > Users in OpenManage Enterprise. An administrator can perform the following tasks in this wizard:
● View, add, enable, edit, disable, or delete OpenManage Enterprise users (local users, users imported from AD, and OIDC accounts).
● Assign OpenManage Enterprise roles to Active Directory users by importing the directory groups.
Pre-loaded accounts

OpenManage Enterprise has admin as the default user. On first boot, after the EULA has been accepted, the password for the default admin account has to be configured.

Default credentials

No default credentials are configured on OpenManage Enterprise. The admin needs to configure the credentials in the TUI.
Changing admin password from Text User Interface

Figure 9. Admin password change from TUI

Securing credentials

User credentials are one-way hashed using the OpenBSD bcrypt scheme and stored in the database.

Password complexity

The recommended characters for passwords are as follows:
● Digits 0-9
● Upper-case letters A-Z
● Lower-case letters a-z
● Special characters: ' ! " # $ % & () * , . / : ; ? @ [ \ ] ^ _ ` { | } ~ + < = >

Product and subsystem security 15

Authentication to external systems

OpenManage Enterprise stores device credentials encrypted with AES using a 128-bit key that is generated on the OpenManage Enterprise appliance. Device credentials are used to communicate with devices over the supported protocols, such as Redfish, WSMan, SSH, IPMI, and SNMP.
Network security

Supported protocols and ports on management stations

Table 1. OpenManage Enterprise supported protocols and ports on management stations

Port Number | Protocol | Port Type | Maximum Encryption Level | Source | Direction | Destination | Usage
22 | SSH | TCP | 256-bit | Management station | In | OpenManage Enterprise appliance | Required for incoming only if FSD is used. The OpenManage Enterprise administrator must enable it only when interacting with Dell EMC support staff.
111, 2049 (default) | NFS | UDP/TCP | None | OpenManage Enterprise appliance | Out | External NFS share | To download catalogs and DUPs from the NFS share for firmware updates; for manual console upgrade from a network share.
Table 2. OpenManage Enterprise supported protocols and ports on the managed nodes (continued)

Port Number | Protocol | Port Type | Maximum Encryption Level | Source | Direction | Destination | Usage
161 | SNMP | UDP | None | OpenManage Enterprise appliance | Out | Managed node | For SNMP queries.
162* | SNMP | UDP | None | OpenManage Enterprise appliance | In/Out | Managed node | Send and receive SNMP traps.
443
Data security

OME stores all sensitive data encrypted with the OME-generated encryption key. All user credentials are stored as a one-way hash and cannot be decrypted. All device credentials are encrypted with AES using a 128-bit key. All other data on the appliance is protected by privileges: access is granted according to the privileges of the requesting user. In addition, the SELinux policies pre-configured on OME protect data and confine access to the OME workflows.
● A group is assigned, or an access permission is changed.
● A user role is modified.
● Actions that were performed on the devices monitored by OpenManage Enterprise.

The audit log files can be exported to the CSV file format.

Figure 11. Audit log

Logs

Users can access all OME service logs and audit logs from the UI. Navigate to Monitor > Audit logs > Export Console logs/Audit logs. Support can use these logs to analyze customer issues. By default, these logs are at the INFO (or above) level.

Figure 12.
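To show what a defender does with the exported audit log, here is an added example (not Dell code) that triages a CSV export: it flags the privilege-affecting events listed above (role changes, permission changes, group assignment) and bursts of failed logins from a single source address. The column names and the log lines are constructed for the example and are not the format of a real OME export; map the real export's columns onto them before use.

```python
"""Triage of an exported OME audit log. Added example, not Dell code.
Column names and sample rows below are constructed; a real export's
columns must be mapped onto Timestamp, SourceAddress and Description."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real OME output).
SAMPLE_AUDIT_CSV = """\
Timestamp,Severity,User,SourceAddress,Category,Description
2021-09-01 08:00:01,Info,admin,10.0.0.5,Audit,User admin logged in successfully
2021-09-01 08:05:12,Info,admin,10.0.0.5,Audit,User role for account svc_backup modified to Administrator
2021-09-01 08:06:40,Info,admin,10.0.0.5,Audit,Access permission changed for group Ops
2021-09-01 09:10:00,Warning,unknown,198.51.100.7,Audit,Login failed for user admin
2021-09-01 09:10:07,Warning,unknown,198.51.100.7,Audit,Login failed for user admin
2021-09-01 09:10:15,Warning,unknown,198.51.100.7,Audit,Login failed for user admin
2021-09-01 09:10:21,Warning,unknown,198.51.100.7,Audit,Login failed for user admin
2021-09-01 09:10:30,Warning,unknown,198.51.100.7,Audit,Login failed for user admin
2021-09-01 10:00:00,Info,operator1,10.0.0.9,Audit,Firmware update job started on device 3001
"""

# Phrases from the audit-log trigger list that change who can do what.
HIGH_IMPACT_PATTERNS = ("user role", "access permission", "group is assigned")
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=1)


def parse_audit_csv(text):
    """Read the export and turn the timestamp column into datetime objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Timestamp"] = datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M:%S")
    return rows


def find_privilege_changes(rows):
    """Rows whose description matches one of the privilege-affecting phrases."""
    return [r for r in rows
            if any(p in r["Description"].lower() for p in HIGH_IMPACT_PATTERNS)]


def find_login_bursts(rows, threshold=FAILED_LOGIN_THRESHOLD, window=FAILED_LOGIN_WINDOW):
    """Source addresses with >= threshold failed logins inside any sliding window."""
    by_source = defaultdict(list)
    for r in rows:
        if r["Description"].lower().startswith("login failed"):
            by_source[r["SourceAddress"]].append(r["Timestamp"])
    bursts = []
    for source, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                bursts.append(source)
                break
    return bursts


def triage(text):
    rows = parse_audit_csv(text)
    return {
        "privilege_changes": [r["Description"] for r in find_privilege_changes(rows)],
        "login_bursts": find_login_bursts(rows),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_AUDIT_CSV).items():
        print(key, value)
```

Because the log is exported at INFO level or above, routine privilege changes appear alongside failures; the sliding window keeps a slow trickle of typos from tripping the failed-login rule while still catching a burst from one address.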
● SSL certificate cannot be trusted
● SSL certificate chain ends in an unrecognized self-signed certificate

Security scans of OME may report SSL certificate issues for the default certificate on OME. As a best practice, customers can upload a CA-trusted certificate in the production environment.

● SSL certificate - Computer Name (CN) does not match FQDN
● SSL certificate - Invalid Maximum validity date detected
● The remote host answers to an ICMP timestamp request.
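A post-deployment check that covers both the TLS 1.2-only requirement under Login security settings and the certificate findings listed here, as an added example that is not Dell code. It uses only Python's standard ssl module: one probe offers the appliance a single protocol version at a time, another verifies the chain and host name against the system trust store, and a pure assess() function turns the results into findings. The OpenSSL verification codes it maps (10 expired, 18 and 19 self-signed, 62 host name mismatch) are standard OpenSSL values; the host name and the result dictionaries in the usage and test are constructed.

```python
"""TLS version and certificate posture check for an OME appliance.
Added example, not Dell code; relies only on the standard ssl module."""
import socket
import ssl
import sys

# OpenSSL X509 verification result codes that correspond to the scan findings.
VERIFY_CODE_FINDINGS = {
    10: "certificate has expired (invalid validity date)",
    18: "self-signed leaf certificate: chain cannot be trusted",
    19: "self-signed certificate in chain: chain ends in an unrecognized CA",
    62: "certificate name does not match the host name (CN/SAN vs FQDN)",
}
LEGACY_VERSIONS = ("TLSv1", "TLSv1_1")   # anything below TLS 1.2 is a finding


def probe_tls_versions(host, port=443, timeout=5.0):
    """Offer exactly one protocol version per handshake; True if the server accepts it,
    False if it refuses, None if the local OpenSSL cannot even offer that version."""
    results = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False        # this probe is about versions, not identity
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            results[version.name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    results[version.name] = True
        except ssl.SSLError:
            results[version.name] = False
    return results


def probe_certificate(host, port=443, timeout=5.0):
    """Verify chain and host name with the system trust store.
    Returns (0, message) on success or (openssl_verify_code, message) on failure."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return 0, "certificate chain and host name verified"
    except ssl.SSLCertVerificationError as err:
        return err.verify_code, err.verify_message


def assess(version_results, verify_code):
    """Pure evaluation of probe results against the guide's expectations."""
    findings = []
    for name in LEGACY_VERSIONS:
        if version_results.get(name):
            findings.append(f"{name} accepted: only TLS 1.2 should be negotiable")
    if not version_results.get("TLSv1_2"):
        findings.append("TLSv1_2 not accepted: the appliance could not be reached over TLS 1.2")
    if verify_code:
        findings.append(VERIFY_CODE_FINDINGS.get(
            verify_code, f"chain verification failed (OpenSSL code {verify_code})"))
    return findings


def audit(host, port=443):
    """Run both probes against a live appliance and return the findings."""
    versions = probe_tls_versions(host, port)
    code, _ = probe_certificate(host, port)
    return assess(versions, code)


if __name__ == "__main__":
    # Usage: python tls_check.py ome.example.internal   (constructed host name)
    for finding in audit(sys.argv[1]) or ["no findings"]:
        print(finding)
```

Run it once after uploading the CA-trusted certificate: an empty findings list confirms both that the chain now validates for the FQDN you actually connect to and that the appliance still refuses anything older than TLS 1.2.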
4 Contacting Dell

Prerequisites

NOTE: If you do not have an active Internet connection, you can find contact information on your purchase invoice, packing slip, bill, or Dell product catalog.

About this task

Dell provides several online and telephone-based support and service options. Availability varies by country and product, and some services may not be available in your area. To contact Dell for sales, technical support, or customer service issues:

Steps
1. Go to Dell.com/support.
2.