
ECS: How to lock or unlock remote access to nodes

Summary: Node locking provides another layer of security against remote node access from all accounts.


Article Content


Instructions


This article is an extract from the "ECS 3.0 Administrator's Guide", which can be downloaded here: https://support.emc.com/docu79367_ECS_3.0_Administrator's_Guide.pdf?language=en_US

Lock and unlock nodes. 
Use the portal to lock and unlock remote SSH access to ECS nodes.

Before beginning:
This task is done by the Lock Admin (login: emcsecurity).

Locking a node only prevents remote access to the operating system of the node by
SSH or the CLI. Locking or unlocking a node has no effect on ECS Portal or REST
Management API functions or on directly connecting to a node locally and then using
SSH or the CLI.

Procedure
1. Log in as emcsecurity.
If this is the first login from this account, you are required to change the password and log in again.
 
2. From the left side of the navigation pane, select Settings > Platform Locking.
The screen lists the nodes in the cluster and displays their lock status.
The node states are:
  • Unlocked: Displays an open green lock icon and the Lock action button
  • Locked: Displays a closed red lock icon and the Unlock action button
  • Offline: Displays the circle-with-slash icon and no action button because the node is unreachable and the lock state cannot be determined
3. Choose:
Option         Description
Lock           To lock an unlocked node. Any user who is remotely logged in by SSH or CLI
               is given five minutes to exit before their session is terminated. An
               impending shutdown message appears on the user's terminal screen.
Unlock         To unlock a locked node. A privileged user can remotely log in to the node
               by SSH or the CLI after a few minutes.
Lock the VDC   This convenience feature locks all unlocked nodes in the VDC as long as
               they are online. It does not set a state where any new or offline node is
               automatically locked once detected.

Additional Information

Locking remote access to nodes
Use the ECS Portal to lock remote access to nodes.
Access types
ECS can be configured in the following ways:
  1. Using the ECS Portal or the ECS Management API.
  2. By directly connecting to a node through the management switch with a service
    laptop and using SSH or the CLI to directly access the node's operating system.
  3. By remotely connecting to a node over the network using SSH or the CLI to
    directly access the node's operating system.
Node locking provides another layer of security against remote node access from all
accounts. Without node locking, any privileged node-level account, such as the
admin, service, or Dell accounts, can remotely access nodes at any time to collect
data, configure hardware, and run Linux commands. If all the nodes in a cluster are
locked, then remote access can be planned and scheduled for a defined window,
minimizing the opportunity for unauthorized activity.

Using the ECS Portal or the ECS Management API, you can lock selected nodes in a
cluster or all the nodes in the cluster. Doing so only affects the ability to remotely
access (SSH to) the locked nodes. Locking does not change the way the ECS Portal
and ECS Management APIs access nodes and it does not affect the ability to directly
connect to a node.

Lock Admin
Locking and unlocking nodes requires the Lock Admin user. The Lock Admin is a preprovisioned
local user called emcsecurity. Lock Admins can only change their
passwords and lock and unlock nodes. The Lock Admin role cannot be assigned to
another user.
System Admins and System Monitors can view the lock status of the nodes.

Maintenance
If node maintenance using remote access is periodically required, you can unlock a
single node to allow remote access to the entire cluster using SSH with the admin or
Dell account. Once the authorized user successfully logs in to the unlocked node using
SSH, the user can SSH from that node to any other node in the cluster by way of the
private network.
It is necessary to unlock a node to remotely use commands that provide OS-level
read-only diagnostics.
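
The rules above, combined into one check over a snapshot of node lock states. This is an added example, not code from the ECS guide or from Dell. The function name, the input shape, and the sample node names and times are assumptions; fill the snapshot from the Platform Locking screen or from GET /vdc/nodes/{nodeName}/lockdown.

```python
from datetime import datetime, timezone

# Node states as listed on the Settings > Platform Locking screen.
LOCKED, UNLOCKED, OFFLINE = "Locked", "Unlocked", "Offline"

def assess_lock_posture(snapshot, now, window=None, approved=(), previous=None):
    """Evaluate one lock-state snapshot of a cluster.

    snapshot, previous: {node_name: state} (hypothetical input shape).
    window: (start, end) of an approved remote-access window, or None.
    approved: nodes allowed to be unlocked while the window is open.
    """
    in_window = window is not None and window[0] <= now <= window[1]
    allowed = set(approved) if in_window else set()
    unlocked = sorted(n for n, s in snapshot.items() if s == UNLOCKED)
    offline = sorted(n for n, s in snapshot.items() if s == OFFLINE)
    unknown = sorted(n for n, s in snapshot.items()
                     if s not in (LOCKED, UNLOCKED, OFFLINE))
    unexpected = [n for n in unlocked if n not in allowed]
    # "Lock the VDC" only locks nodes that are online at that moment, so a node
    # that was offline or absent last time and is unlocked now needs attention.
    rejoined = []
    if previous is not None:
        rejoined = [n for n in unlocked if previous.get(n, OFFLINE) == OFFLINE]
    return {
        # One unlocked node is enough: from it, SSH reaches every other node
        # over the private network.
        "cluster_remotely_reachable": bool(unlocked),
        "unexpected_unlocked": unexpected,
        "recheck_when_online": offline,  # lock state cannot be determined
        "unlocked_after_rejoin": rejoined,
        "unrecognized_state": unknown,
        "compliant": not unexpected and not unknown,
    }

# Constructed sample data: node names and times are made up.
UTC = timezone.utc
WINDOW = (datetime(2024, 1, 10, 22, 0, tzinfo=UTC),
          datetime(2024, 1, 10, 23, 0, tzinfo=UTC))
PREVIOUS = {"node1": LOCKED, "node2": LOCKED, "node3": OFFLINE}
CURRENT = {"node1": LOCKED, "node2": UNLOCKED, "node3": UNLOCKED, "node4": OFFLINE}

if __name__ == "__main__":
    report = assess_lock_posture(CURRENT, datetime(2024, 1, 10, 22, 30, tzinfo=UTC),
                                 WINDOW, {"node2"}, PREVIOUS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the check on a schedule and comparing each result with the previous snapshot catches nodes that return from Offline in an unlocked state.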

Auditing
Node lock and unlock events are captured in audit logs and also sent to Syslog. Errors
from lock or unlock attempts are also logged.

ECS Management API
The following APIs manage node locks.
Resource                             Description
GET /vdc/nodes                       Gets the data nodes that are configured in the cluster.
GET /vdc/lockdown                    Gets the locked or unlocked status of a VDC.
PUT /vdc/lockdown                    Sets the locked or unlocked status of a VDC.
PUT /vdc/nodes/{nodeName}/lockdown   Sets the lock or unlock status of a node.
GET /vdc/nodes/{nodeName}/lockdown   Gets the lock or unlock status of a node.

Article Properties


Affected Product

ECS Appliance

Product

ECS Appliance, Elastic Cloud Storage

Last Published Date

07 Mar 2023

Version

3

Article Type

How To