Highlighted
3 Silver

symauth and symacl questions

Jump to solution

Hi,

I'm actually working for a customer wishing to secure it's VMAX environnement so that only those working with storage environnement  can actively administrate the storage array.  The request come from the fact that anyone logging onto management console having Solutions Enabler, will be able to execute commands on the array.

In order to secure the arrays from non-storage administrator, i have activated "symauth" in the following way:

-I create a Windows Domain account (D:) for each storage administrator in the authentification DB of each VMAX

-I have also created a local account on each console (in case the Windows Domain is not accessible)

--> I have enabled "symauth" in enhenced mode in order to limit access to only the users registered on each VMAX

Can anyone who used this fonctionnality able to tell me it is the right way to use it ?

Also, the customer has a AIX server that will be used to SNAP volumes from the VMAX and wish to limit it's access to only SE TF/SNAP operations.  I know i should use the "symacl" command to do so, but am unsure of where to start. I have 3 SE installed in the environnement, 2 are installed on management console and 1 is on AIX server.

-On the management consoles (Unisphere), should i leave the base configuration in place (UNKNOWN_GRP) ?  Or should i add new ACL and remove the base configuration ?

-What ACL configuration should i place on the AIX server ?

Thank you,

Christian

0 Kudos
1 Solution

Accepted Solutions
Highlighted
3 Argentum

Re: symauth and symacl questions

Jump to solution

The SYMACL should be configured using SYMMWIN. This is an online procedure and it wont take more than 2 minutes then like Saurabh said you continue working on the rest of configurations using SE.

For your questions regarding ACL on AIX server:

If you want to limit the use only to TF/SNAP then your configuration should be as follows (Assuming you've enabled it from SYMMWIN already):

For your ACE, you will need to assign at least BASE and SNAP permissions for your controlled devices “accpool” for your AIX server group “accgroup”.

grant access=BASE to accgroup “name” for accpool “name”;

grant access=SNAP to accgroup “name” for accpool “name”;

Alternatively, You can use the ALL devs instead of accpool but this is less restrictive.

grant access=BASE to accgroup “name” for ALL devs;

grant access= SNAP to accgroup “name” for ALL devs;

The managemnt Console should have ADMIN privillage as it will use (as per my understanding) to manage the whole symmetrix. I do not recommend mixing SYMAUTH and SYMACL on the same environment but i have seen configurations where both are implemented. It is up to your customer security policy but both can be configured on the same environment.

Let me Know if you have further questions

Mohammed Salem

View solution in original post

0 Kudos
17 Replies
Highlighted
4 Germanium

Re: symauth and symacl questions

Jump to solution

Please consider moving this question as-is (no need to recreate) to the proper forum for maximum visibility.  Questions written to the users' own "Discussions" space don't get the same amount of attention and questions can go unanswered for a long time.

You can do so by selecting "Move" under ACTIONS along the upper-right.  Then search for and select: "Symmetrix Support Forum" which would be the most relevant for this question.

0 Kudos
Highlighted
4 Tellurium

Re: symauth and symacl questions

Jump to solution

symacl needs to be enable in the BIN and then configure through SE.

Highlighted
3 Argentum

Re: symauth and symacl questions

Jump to solution

The ACL helps to restrict for a server from where you would like to control the array irrelevant of the SYMAUTH.

If auth is configured then those user who got rights can do the administration from the servers configured with symacl.

Only symacl will put or give path to all the users on the system to do storage administration.

Hope the user account is unique to a person.

With the ACL you have to be cautious, if you forgot to add the newly created devices in user defined ACL groups / pools then you may end up troubleshooting.

Its you're choice to decide whether you need only SYMAUTH or both. Cause, I do not see a strong reason to use both.

Highlighted
3 Argentum

Re: symauth and symacl questions

Jump to solution

The SYMACL should be configured using SYMMWIN. This is an online procedure and it wont take more than 2 minutes then like Saurabh said you continue working on the rest of configurations using SE.

For your questions regarding ACL on AIX server:

If you want to limit the use only to TF/SNAP then your configuration should be as follows (Assuming you've enabled it from SYMMWIN already):

For your ACE, you will need to assign at least BASE and SNAP permissions for your controlled devices “accpool” for your AIX server group “accgroup”.

grant access=BASE to accgroup “name” for accpool “name”;

grant access=SNAP to accgroup “name” for accpool “name”;

Alternatively, You can use the ALL devs instead of accpool but this is less restrictive.

grant access=BASE to accgroup “name” for ALL devs;

grant access= SNAP to accgroup “name” for ALL devs;

The managemnt Console should have ADMIN privillage as it will use (as per my understanding) to manage the whole symmetrix. I do not recommend mixing SYMAUTH and SYMACL on the same environment but i have seen configurations where both are implemented. It is up to your customer security policy but both can be configured on the same environment.

Let me Know if you have further questions

Mohammed Salem

View solution in original post

0 Kudos
Highlighted
3 Silver

Re: symauth and symacl questions

Jump to solution

Hi,

Thank you for you answers.  I will continu working on this soon and will return if i have further questions.

Christian

0 Kudos
Highlighted
3 Silver

Re: symauth and symacl questions

Jump to solution

Hi Mohammed,

Just to confirm, the symacl command is used to give or restrict access to a host, so do i need to be connected on that host in order to run the symacl command for that specific host ?

Thank you,

Christian

0 Kudos
Highlighted
3 Argentum

Re: symauth and symacl questions

Jump to solution

In order to run SYMACL commands you need to be connected to any SE host that has privileges to do so. You can create and edit new ACLs for any host from any management host that is permitted to do so. You do need to get the unique identifier of the specific host you would like you to create ACLs for directly from that host though. So if you need to create ACL rule for host B (which is currently not authorized) you would need to first log on to host B and run:

C:\>symacl -unique

The unique id for this host is: 2C5D07AF-54448CC9-9A3B7D7C

This gives you the unique identifier of that host. You would need to then go to another host that is currently authorized, lets say host A to create the ACLs for host B. You can then use host B to run commands allowed by the new ACLs.

Furthermore, by default any client that connects to that host B to issue SYMAPI calls remotely will inherit the ACLs of that server. But it can also be configured in a way for clients to have their own ACLs--this is non-default. Refer the Solutions Enabler guide for more information on that.

0 Kudos
Highlighted
3 Silver

Re: symauth and symacl questions

Jump to solution

Hi Cody,

Thank you for you answer.  Following are some questions i have about this fonctionality.

From what Mohammed and you answered, i'm thinking that i could put more than one unique ID in the ACCGROUP, that is if the hosts have the same rights in the end.

--> Console 1 and console 2 are used to manage all VMAX environnement:

ACCGROUP:

add host accid xxxxxxxx-xxxxxxxx-xxxxxxxx name WITPP01CON33 to accgroup UNISPHERE;

add host accid xxxxxxxx-xxxxxxxx-xxxxxxxx name WITPP02CON33 to accgroup UNISPHERE;

ACE:

grant access=ADMIN to accgroup “UNISPHERE” for ALL devs;

Also, the documentation, mention to enter a PIN when you commit the creation of an ACCGROUP, do you know what this is about ?

The customer is also asking if for some reason a bad SYMACL change is done, if it can be simply de-activated, i guess so via EMC support (SYMMWIN) ?

And finaly, can you confirm me that the creation of ACL is done to secure hosts that are using SE only and will not cause interruption for the other hosts that are masked in the environnement ?

I know it's a lot of questions (first time using this functionality), but all the help you can give me will be very appreciated.

Christian

0 Kudos
Highlighted
3 Argentum

Re: symauth and symacl questions

Jump to solution

You're welcome!

Yes--you can add multiple identifiers to one access group--this is the preferred option in many cases. The mgmt guide talks about this in detail: https://support.emc.com/docu46983_Solutions-Enabler-Symmetrix-Array-Management-CLI--7.6-Product-Guid...

Q: Also, the documentation, mention to enter a PIN when you commit the creation of an ACCGROUP, do you know what this is about ?

A: The pin is created in SYMMWIN by PSE when enabling ACLs. This allows you to make changes to ACLs. We enforce the use of this to make sure ACLs are implemented properly with EMCs supervision/approval.


Q: The customer is also asking if for some reason a bad SYMACL change is done, if it can be simply de-activated, i guess so via EMC support (SYMMWIN) ?

A: You should always make sure a mgmt host is created that has the ability to undo changes that are incorrect or have unintended consequences. But yes, PSE has the ability to correct errors if they are unrecoverable by the customer. But we recommend that ACLs be carefully planned with EMC and the customer so this does not happen. Ensure careful change request procedures are created and followed.


Q: And finaly, can you confirm me that the creation of ACL is done to secure hosts that are using SE only and will not cause interruption for the other hosts that are masked in the environnement ?

A: ACLs will never interrupt normal host I/O in any situation. ACLs only prevent management changes but will never interfere with data access


Highlighted
3 Silver

Re: symauth and symacl questions

Jump to solution

Hi Cody,

When i'm looking at the "symacl list -v" command, on one of the console Unisphere, i see that now it is not ADMIN (SYMACL is not active in SYMWIN at the moment).  Once it is activated in SYMWIN, i guess that the first ACL to put active would be an ADMIN right for the consoles.  Doing so, i would be able to remove an incorrect ACL from another server, it that correct ?

Thank you,

Christian

0 Kudos
Highlighted
3 Argentum

Re: symauth and symacl questions

Jump to solution

Correct. When EMC enables it they will work with you to make sure that you have configured at least one admin host (usually two) and those hosts will be able to remove incorrect ACLs from then on.

0 Kudos
Highlighted
3 Silver

Re: symauth and symacl questions

Jump to solution

Hi Cody,

Thank you for your answer.  I understand it is not quite recommanded to put in place "symauth" and "symacl" at the same time on the same environnement.  Can you tell me if by using "symauth" one can limit a user to only SNAP operations ?

Thank you,

Christian

0 Kudos
Highlighted
3 Argentum

Re: symauth and symacl questions

Jump to solution

No only symacl has the granularity to restrict a user to performing snap operations--symauth cannot do this.

What do you mean not recommended together? There are plenty of customers who use both--it might be advisable to implement them one at a time opposed to simultaneously to keep the roll out simpler, but I am not aware of recommendations against using both. If there is please point me to where it says that so I can inquire.

0 Kudos
Highlighted
3 Silver

Re: symauth and symacl questions

Jump to solution

Hi Cody,

Thank you, i sent you an email about that.

Hmm, yesterday, i have tried communicating with EMC support in order to have the symacl activated on symmwin, but the people i talked to told me that with code 5876.251.161, the symacl functionality is active by default.  Are you aware of something like that ?

Thank you,

Christian

0 Kudos
Highlighted
3 Argentum

Re: symauth and symacl questions

Jump to solution

Christian,

This would be news to me, just to check I have looked over the latest documentation/release notes and support articles and see no mention of this change. While it is true that ACLs are enabled by default (since late DMX days) a CE still needs to initialize the ACL database and supply the customer-created PIN from the Service Processor.

0 Kudos
Highlighted
3 Silver

Re: symauth and symacl questions

Jump to solution

Hi Cody,

Ok, it make sense now, it is not the EMC Support or PSE lab that initialised the DB and create PIN, but a CE.  That is different.  I was not talking to the right person.

Once the CE has done it's job, will i be able to assign full rights on the management servers having SE, because as of now they're not ADMIN.

Please see below the output of symacl list -v command:

Access Control         : N/A
Session Locked         : N/A
Time Held in Seconds   : 0
Lock Identifier        : N/A

Time Enabled           : N/A
Time Disabled          : N/A
Time Updated           : N/A

ADMIN priv             : No
ADMINRD priv           : No

Lastly, i have two VMAXs, so both need to have the symacl activated if i want the management servers to manage both of them ?

Thank you again for the input you would be able to give me.

Christian

0 Kudos
Highlighted
3 Argentum

Re: symauth and symacl questions

Jump to solution

When the CE initializes ACLs on the array they will also ask you for a mgmt host to configure in the system to allow for management. You will then be able to do what you want from that management host.

A SE instance can manage multiple arrays with ACLs on none, some or all of them. For every array (that has ACLs enabled) that you want a given SE host to manage you will need to give it specific ACLs on those given arrays.

0 Kudos