HP StorageWorks P9000 Command View Advanced Edition Software Common Component Security Guide

ManualsBrandsHP ManualsSoftwareHP Command View XP AE Media Kit

HP StorageWorks

P9000 Command View Advanced Edition

Software Common Component Security

Guide

Abstract

This guide describes how to create, operate, and use a system in a configuration evaluated based on

Common Criteria (ISO/IEC 15408) for HP StorageWorks P9000 Command View Advanced Edition Software

Common Component. This guide is intended for those who want to set up and operate a storage

management server on which Common Component is installed in a configuration evaluated based on

Common Criteria.

Readers are expected to have knowledge of the Setup and operation of the required operating systems, Web

applications and the HP StorageWorks P9000 Command View Advanced Edition storage management

software.

Part number: TB581-96059

First edition: September 2011

Summary of content (60 pages)

PAGE 1
HP StorageWorks P9000 Command View Advanced Edition Software Common Component Security Guide Abstract This guide describes how to create, operate, and use a system in a configuration evaluated based on Common Criteria (ISO/IEC 15408) for HP StorageWorks P9000 Command View Advanced Edition Software Common Component. This guide is intended for those who want to set up and operate a storage management server on which Common Component is installed in a configuration evaluated based on Common Criteria.
PAGE 2
Legal and notice information © Copyright 2011 Hewlett-Packard Development Company, L.P. Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license. The information contained herein is subject to change without notice.
PAGE 3
Reference manual This guide refers the following manuals.
PAGE 4
Contents Contents 1 Overview of security setup and operation 1-1 How to use this guide..................................................................................................................................... 6 1-1-1 Intended readers ................................................................................................................................... 6 1-1-2 Reading sequence.............................................................................................................
PAGE 5
Contents 6-3-1 Adding a user ...................................................................................................................................... 36 6-3-2 Setting up user permissions ................................................................................................................ 36 6-3-3 Changing a user password..................................................................................................................
PAGE 6
Overview of security setup and operation 1 Overview of security setup and operation Security functions evaluated based on Common Criteria for HP StorageWorks P9000 Command View Advanced Edition Software Common Component refer to functions that provide the user authentication and access control necessary for creating and operating a system that uses HP StorageWorks P9000 Command View Advanced Edition Suite software in a configuration evaluated based on Common Criteria.
PAGE 7
Overview of security setup and operation Read chapters 1, 5, 6, and 7 when you are ready to start operating the system. This guide describes the operations you must perform to use Common Component in a configuration evaluated based on Common Criteria. When reference manuals are also indicated, you should refer to them. 1-2 Overview of the system to be created or operated The creation and operation of a secure system requires security measures against threats.
PAGE 8
Overview of security setup and operation 1-2-1-2 Common Component (CVAECC) This software provides the base module that implements the common functionality for HP StorageWorks P9000 Command View Advanced Edition Suite software. 1-2-2 Overview of security functions of Common Component This section provides an overview of the three security functions that have been evaluated based on Common Criteria for Common Component.
PAGE 9
Overview of security setup and operation Table 1-1 Items required for the security policy No.
PAGE 10
Overview of security setup and operation When operating the system, the account administrator and the storage administrator must perform the procedures described in this guide. 1-3-2 Hardware management The hardware required for the system to be created or operated is managed in a center. A center is a physical area equivalent to, for example, the computer center of a company.
PAGE 11
Overview of security setup and operation • Networks connecting management servers to storage management client terminals must be able to preserve the confidentiality and integrity of the data. To protect the network, employ appropriate measures such as using SSL for communication between a management server and a storage management client terminal, or installing a storage management client terminal inside the center.
PAGE 12
Overview of security setup and operation 1-3-6 Warning policy management When a user starts using a system that incorporates the Common Component security functions, a warning message about unauthorized use appears. The text of the message must be defined beforehand. 1-4 Creation and operation procedure The following figure shows the procedure for examining the system configuration and operating the created system.
PAGE 13
Examining the system configuration 2 Examining the system configuration This chapter describes the issues that you must examine before creating a system in the configuration evaluated based on Common Criteria for Common Component. • • Hardware configuration (see section 2-1 ) Software configuration (see section 2-2 ) 2-1 Hardware configuration The system described in this guide has the following hardware configuration.
PAGE 14
Examining the system configuration • The storage administrator and account administrator use a management client terminal on an external network to access the management server and send operation requests to the storage management software. The machine models that can be used for a management server vary depending on the prerequisite operating system. The following lists the prerequisite operating systems and the applicable machine models for each.
PAGE 15
Examining the system configuration 2-2 Software configuration The following figure shows the software configuration of the management server to be set up. Figure 2-2 Software configuration This section describes the software that is to be installed. On the management server, install one of the prerequisite operating systems listed in the table. The prerequisite operating systems vary depending on the storage management software.
PAGE 16
Examining the system configuration No The management software can NOT be used on this operating system.
PAGE 17
Examining the system configuration Table 2-3 Detailed conditions for client terminals Management software being used Tiered Storage Manager Tuning Manager See: 7.4 Supplement 7.4.
PAGE 18
Preparations before system creation 3 Preparations before system creation This chapter describes the preparations required for creating a system in the configuration evaluated based on Common Criteria for Common Component.
PAGE 19
Preparations before system creation Table 3-1 Firewall settings Management software being used Tuning Manager See: HP StorageWorks P9000 Tuning Manager Software Server Administration Guide 1 Overview Ports used by a Tuning Manager server When setting up the firewall ports, allow communication only from storage management client terminals and block communication through any other ports.
PAGE 20
Creating a system 4 Creating a system When the preparations required for system operation are complete, create the system. This chapter describes how to create a system in the configuration evaluated based on Common Criteria for Common Component.
PAGE 21
Creating a system 4-2-1 In Windows This section describes the installation procedure in Windows. For the actual procedure, see the applicable reference in the following table.
PAGE 22
Creating a system Table 4-2 Settings in Linux Management software being used Replication Manager Tiered Storage Manager See: Determining management server readiness (Linux) Setting kernel parameters and shell restrictions (Linux) Recommended Red Hat Enterprise Linux /etc/sysctl.conf values Recommended Red Hat Enterprise Linux /etc/security/limits.conf values Recommended SUSE Linux Enterprise Server /etc/sysctl.conf values Recommended SUSE Linux Enterprise Server /etc/security/limits.
PAGE 23
Creating a system Table 4-3 Installing Common Component in Linux Management software being used Command View Advanced Edition Replication Manager Tiered Storage Manager See: HP StorageWorks P9000 Command View Advanced Edition Suite Software Installation and Configuration Guide 2 P9000 Command View AE Software server installation P9000 Command View AE Software server installation Installing P9000 Command View AE Software in a Linux environment HP StorageWorks P9000 Command View Advanced Edition Suite Soft
PAGE 24
Creating a system specify the required settings after installation. For the procedure, see the applicable reference in the following table.
PAGE 25
Creating a system (2) Change the line starting with USER.AccessControl= as shown below: USER.AccessControl=true If this line does not exist, create it. When this parameter is specified as true, the system integrator can install only the specified HP StorageWorks P9000 Command View Advanced Edition Suite software described in section 1-3-3 .When using HP StorageWorks P9000 Command View Advanced Edition Suite software that is not described in section 1-3-3 , the parameter must not be specified as true.
PAGE 26
Creating a system The system integrator must use the authentication information for the system integrator to log in to the installed HP StorageWorks P9000 Command View Advanced Edition Suite software. For the login and license registration procedures, see the applicable references in the following two tables.
PAGE 27
Creating a system Table 4-8 Registering a license Management software being used See: 2 Working with licenses 4-5 Setting up the Common Component management functions Set up the security parameters and the warning banner text determined as described in section 3-4 based on section 1-3 .
PAGE 28
Creating a system Table 4-9 Procedure for setting up security parameters and warning banner text Management software being used See: Setting a warning banner message Tuning Manager HP StorageWorks P9000 Command View Advanced Edition Suite Software Administrator Guide 3 Settings required for managing user accounts Setting password conditions for user accounts Settings for locking user accounts 4 Security settings Warning banner settings HP StorageWorks P9000 Tuning Manager Software Server Administration G
PAGE 29
Creating a system Table 4-10 Description of the procedure for adding users Management software being used Tiered Storage Manager Tuning Manager See: Guide Chapter 6 Setting up authorities Adding users and assigning permissions HP StorageWorks P9000 Command View Advanced Edition Suite Software User Guide 6 Setting up P9000 Command View AE Software Managing users Creating a user account HP StorageWorks P9000 Command View Advanced Edition Suite Software Installation and Configuration Guide 2 P9000 Command V
PAGE 30
Creating a system Table 4-11 Description of the procedure for setting permissions Management software being used See: Managing users Creating a user account Tuning Manager HP StorageWorks P9000 Command View Advanced Edition Suite Software Installation and Configuration Guide 2 HP StorageWorks P9000 Command View Advanced Edition Software server installation Post-installation tasks (new installation) Creating user accounts HP StorageWorks P9000 Tuning Manager Software Server Administration Guide 4 Managing
PAGE 31
Creating a system Table 4-12 Software necessary to link to an external authentication server Management software being used Command View Advanced Edition Replication Manager See: HP StorageWorks P9000 Command View Advanced Edition Suite Software User Guide 6 Setting up P9000 Command View AE Software Managing users Prerequisites for changing the user authentication method Changing the user authentication method HP StorageWorks P9000 Command View Advanced Edition Suite Software Administrator Guide 3.
PAGE 32
Creating a system • Select an external authentication server that can specify security parameters for passwords, as described in subsection 1-3-5 , in order to ensure that the reliability of passwords is equivalent to those that are used by internal authentication. • Select an external authentication server that can use the account locking function. The account locking function is also used by internal authentication and ensures that the system is protected against brute force attacks.
PAGE 33
Preparations before system operation 5 Preparations before system operation This chapter describes the preparations required for operating a system in the configuration evaluated based on Common Criteria for Common Component.
PAGE 34
Preparations before system operation Consider changes to the Common Component security parameters determined by the system integrator as described in section 3-4 and set up as described in section 4-5 . If changes are necessary, then change the settings. 5-3 Notifying users The account administrator must provide the storage administrators with the information necessary for system operation in a secure and safe way. The following information is necessary information.
PAGE 35
Operating the system 6 Operating the system When the preparations required for system operation are complete, operation of the system can start. Of the tasks required for system operation, this chapter describes those related to the security functions evaluated based on Common Criteria for Common Component, since these functions are necessary for maintaining the security of the environment in which HP StorageWorks P9000 Command View Advanced Edition Suite software is used.
PAGE 36
Operating the system • • • • A user is added or deleted. Permission information for a user is set up. A user's password is changed. The status of user authentication information changes. 6-3-1 Adding a user Add the authentication information for the added user. For the procedure for adding a user, see subsection 4-6-1 . 6-3-2 Setting up user permissions Set up the permission information assigned to a user. For the procedure for setting up the user permission information, see subsection 4-6-2 .
PAGE 37
Operating the system Table 6-2 Description of the procedure for changing the status Management software being used Command View Advanced Edition Replication Manager Tiered Storage Manager Tuning Manager See: HP StorageWorks P9000 Command View Advanced Edition Suite Software User Guide 6 Setting up P9000 Command View AE Software Managing users Changing the lock status of user accounts HP StorageWorks P9000 Command View Advanced Edition Suite Software Administrator Guide 13.
PAGE 38
Operating the system 6-4 Changing the user's own password Account administrators and storage administrators can change the password in their own authentication information. For the procedure for changing the password, see the applicable reference in the following table.
PAGE 39
Security function operations 7 Security function operations This chapter describes the operations of Common Component's security functions as evaluated based on Common Criteria. These operations are related to secure setup and operation of HP StorageWorks P9000 Command View Advanced Edition Suite software, and must be performed in accordance with the system operation policy of the organization.
PAGE 40
Security function operations 1. On the Explorer menu, choose Administration, and then Users and Permissions The Users and Permissions subwindow opens. 2. In the object tree, choose Users. The registered users are listed in the Users subwindow. 7-1-2-1 Users subwindow The Users subwindow displays the users that have been registered in HP StorageWorks P9000 Command View Advanced Edition Suite software.
PAGE 41
Security function operations 7-1-3 Changing the user authentication method To change the user authentication method: 1. On the Explorer menu, choose Administration, and then Users and Permissions. The Users and Permissions subwindow opens. 2. In the object tree, choose Users. The Users subwindow opens. 3. In the user list, select the check box of each user for which you want to enable or disable linkage with the external authentication server, and then click the Change Auth button.
PAGE 42
Security function operations 7-1-5-1 Add User dialog box Use the Add User dialog box to add a user account for HP StorageWorks P9000 Command View Advanced Edition Suite software. The table below describes the items displayed in the dialog box. Required items are indicated with an asterisk (*). Profile *User ID *Password *Verify Password Full Name Enter a user ID. • The character string you enter must be no more than 256 characters.
PAGE 43
Security function operations E-mail Description whose Unicode code points are in the range from U+10000 to U+10FFFF. The full name entered here is displayed in the global tasks bar area when the user logs in. Enter an email address. Enter a description of the user. The character string you enter must be no more than 80 characters. Note, however, that you cannot use characters whose Unicode code points are in the range from U+10000 to U+10FFFF. 7-1-6 Deleting users To delete multiple users at one time: 1.
PAGE 44
Security function operations Profile User ID Status Authentication Full Name E-mail Description The user ID is displayed. The status of the user account is displayed. If the user account is locked, Locked is displayed. If the user account is not locked, Active is displayed. One of the following is displayed as the authentication method for the user account: • Internal: Indicates that the user account is authenticated by HP StorageWorks P9000 Command View Advanced Edition Suite software.
PAGE 45
Security function operations To edit user profile information: 1. On the Explorer menu, choose Administration, and then Users and Permissions. The Users and Permissions subwindow opens. 2. In the object tree, select a user ID under Users. The user-ID subwindow opens. 3. Click the Edit Profile button. The Edit Profile - user-ID dialog box opens. 4. Edit the user information, and apply the changes. The user information displayed in the user-ID subwindow is refreshed.
PAGE 46
Security function operations The password changes. 7-1-9-1 Change Password - dialog box Use the Change Password - user-ID dialog box to change a user's password. The table below describes the items displayed in the dialog box. Required items are indicated with an asterisk (*). Password settings *New Password *Verify Password Enter the new password. The character string you enter must be no more than 256 characters.
PAGE 47
Security function operations Admin Modify Execute View Peer Select this check box to add the Admin permission for the user. If the Admin check box under User Management is selected, the user can manage users registered in all HP StorageWorks P9000 Command View Advanced Edition Suite software. Select this check box to add the Modify permission for the user. Select this check box to add the Execute permission for the user. Select this check box to add the View permission for the user.
PAGE 48
Security function operations Application list Application Host Name/IP Address Total number of Authorized User Total number of Authorized User and Group User Management and HP StorageWorks P9000 Command View Advanced Edition Suite software names are displayed. User Management indicates the Admin permission that permits management of the users of all HP StorageWorks P9000 Command View Advanced Edition Suite software. When you choose one of the displayed items, the applicationname subwindow opens.
PAGE 49
Security function operations View Peer tasks defined by users that have Modify permission. Users that have Execute permission cannot define, edit, or delete tasks. A check mark is displayed for this item if the user or authorization group has View permission for the product. Users that have View permission can view the information about allocated resources. A check mark is displayed for this item if the user or authorization group has Peer permission for the product.
PAGE 50
Security function operations 2. In the object tree, choose Users. The Users subwindow opens. 3. In the user list, select the check box of each user whose account you want to unlock, and then click the Unlock Users button. The Unlock Users dialog box opens. 4. Confirm the users whose accounts will be unlocked, and continue operation. The lock status of the users listed in the Users subwindow is updated.
PAGE 51
Security function operations View Peer permission for HP StorageWorks P9000 Command View Advanced Edition Suite software. A check mark is displayed for this item if the user has View permission for HP StorageWorks P9000 Command View Advanced Edition Suite software. A check mark is displayed for this item if the user has Peer permission for HP StorageWorks P9000 Command View Advanced Edition Suite software.
PAGE 52
Security function operations 7-2 Explorer menu items related to setting up security To specify the security-related settings, display the Explorer menu, and then choose Security on the menu. Note that Security is displayed on the Explorer menu for only users that have the User Management Admin permission. No other users can specify security-related settings. 7-2-1 Security subwindow Use the Security subwindow to set security management options.
PAGE 53
Security function operations Allow password to be the same as the User ID characters, and symbols) in the password is displayed: • uppercase: The minimum number of upper-case letters that must be used in the password is displayed. • lowercase: The minimum number of lower-case letters that must be used in the password is displayed. • numeric: The minimum number of numeric characters that must be used in the password is displayed.
PAGE 54
Security function operations used in the password. You can specify a value from 0 to 256. numeric (0 - 256) Specify the minimum number of numeric characters that must be used in the password. You can specify a value from 0 to 256. • symbolic (0 - 256) Specify the minimum number of symbols that must be used in the password. You can specify a value from 0 to 256. Specify whether the character string used for the user ID can also be used for the password.
PAGE 55
Security function operations 1. On the Explorer menu, choose Administration, and then Security. The Security subwindow opens. 2. In the object tree, choose Account Lock under Security. The Account Lock subwindow opens. 3. Click the Edit Settings button. The Account Lock dialog box opens. 4. Change the setting for the automatic account locking, and then apply the change. The automatic account locking setting displayed in the Account Lock subwindow is updated.
PAGE 56
Security function operations 1. On the Explorer menu, choose Administration, and then Security. The Security subwindow opens. 2. In the object tree, choose Warning Banner under Security. The Warning Banner subwindow opens. 3. Click the Edit Message button. The Edit Message dialog box opens. 4. Edit the message to be set as the warning banner, and apply the change. Before you apply the change, click the Preview button, and confirm that the message written in HTML format is displayed as you want it to be.
PAGE 57
Security function operations The number of successive login failures is reset to 0 whenever a login is successful, regardless of whether the correct password was entered from the User Login window or as a command option. 7-3-3 Note on commands To keep the system running properly, be extra careful when executing TOE commands during operation. For example, the hcmdsintg, hcmdsdbtrans and hcmdsdbmove commands are used to move authentication and permission information from the current machine to a new machine.
PAGE 58
Security function operations Table 7-1 Environments in which the Device Manager GUI can be used OS Windows Server 2008 (x64) SP2#1 Windows Server 2008 R2 (x64) (no service pack#1) Red Hat Enterprise Linux 5.2 (x86) Red Hat Enterprise Linux AP 5.2 (x86) Red Hat Enterprise Linux 5.3 (x86 or x64) Red Hat Enterprise Linux AP 5.3 (x86 or x64) Red Hat Enterprise Linux 5.4 (x86 or x64) Red Hat Enterprise Linux AP 5.
PAGE 59
Support and other resources 8 Support and other resources 8-1 Contacting HP 8-1-1 HP technical support For worldwide technical support information, see the HP support website: http://www.hp.
PAGE 60
Support and other resources Table 8-1 Product reference conventions Product reference Full name or meaning Command View Advanced Edition • HP StorageWorks P9000 Command View Advanced Edition software Replication Manager • HP StorageWorks P9000 Replication Manager software Tiered Storage Manager • HP StorageWorks P9000 Tiered Storage Manager software Tuning Manager • HP StorageWorks P9000 Tuning Manager software 60