Data Domain 8.7 Upgrade Detects Insecure Anonymous Replication Settings
Summary: DDOS 8.7 introduces a check that triggers a warning alert when file replication is configured with anonymous authentication, encouraging the use of stronger authentication methods for improved security.
Symptoms
Upgrading to 8.7 triggers the following alerts about replication:
Current Alerts
--------------
Id Post Time Severity Class Object Message
------ ------------------------ -------- ----------- ------------------------------------------ ------------------------------------------------------------------------------------------------------------------------------------------------
m0-80 Thu Mar 26 13:38:24 2026 WARNING Replication RemoteHost=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx EVT-REPL-00017: Replication between this system and xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx is using an insecure anonymous-authentication configuration.
m0-81 Thu Mar 26 13:38:24 2026 WARNING Replication RemoteHost=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx EVT-REPL-00017: Replication between this system and xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx is using an insecure anonymous-authentication configuration.
m0-82 Thu Mar 26 13:38:24 2026 WARNING Replication RemoteHost=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx EVT-REPL-00017: Replication between this system and xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx is using an insecure anonymous-authentication configuration.
m0-83 Thu Mar 26 13:38:24 2026 WARNING Replication RemoteHost=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx EVT-REPL-00017: Replication between this system and xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx is using an insecure anonymous-authentication configuration.
------ ------------------------ -------- ----------- ------------------------------------------ ------------------------------------------------------------------------------------------------------------------------------------------------Cause
In DDOS version 8.7, a validation check was introduced for file replication configuration settings. Specifically, the system evaluates whether anonymous authentication is enabled for file replication.
If this setting is detected, the system generates a warning alert. This alert is informational and is intended to highlight a potential security risk rather than indicate a functional failure.
Anonymous authentication allows replication without verifying the identity of the connecting system, which may reduce the overall security posture in certain environments.
To improve security, customers can configure stronger authentication methods such as:
One-way authentication - verifies the identity of one endpoint.
Two-way (mutual) authentication - verifies both endpoints for enhanced trust.
These stronger authentication modes help ensure that replication occurs only between trusted systems and provide an additional layer of protection.
Resolution
sysadmin@DD6900-2# ddboost file-replication option show
Option Value
------------------- --------
Low-bw-optim disabled
Encryption enabled
Authentication-mode anonymous
Ipversion ipv4
Retry-count 20
Retry-interval 30
------------------- --------
sysadmin@DD6900-2#
Set the ddboost file-replication authentication mode to either one-way or two-way:
sysadmin@DD6900-2# ddboost file-replication option set encryption enabled authentication-mode one-way
Encryption for file-replication set to "enabled".
Authentication-mode is "one-way".
sysadmin@DD6900-2# ddboost file-replication option set encryption enabled authentication-mode two-way
Encryption for file-replication set to "enabled".
Authentication-mode is "two-way".
sysadmin@DD6900-2# ddboost file-replication option show
Option Value
------------------- --------
Low-bw-optim disabled
Encryption enabled
Authentication-mode one-way
Ipversion ipv4
Retry-count 20
Retry-interval 30
------------------- --------
sysadmin@DD6900-2# ddboost file-replication option show
Option Value
------------------- --------
Low-bw-optim disabled
Encryption enabled
Authentication-mode two-way
Ipversion ipv4
Retry-count 20
Retry-interval 30
------------------- --------
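To confirm the setting on each system after the change, the `option show` output above can be checked by script. The following is an added example, not part of the original article and not Dell tooling; the function names and the SSH invocation in the comment are assumptions, and the sample input is constructed from the output shown on this page.

```shell
#!/bin/sh
# Added example (not Dell tooling): audit `ddboost file-replication option show` output.

# Constructed sample, matching the pre-change output shown in this article.
sample_anonymous() {
cat <<'EOF'
sysadmin@DD6900-2# ddboost file-replication option show
Option              Value
------------------- --------
Low-bw-optim        disabled
Encryption          enabled
Authentication-mode anonymous
Ipversion           ipv4
Retry-count         20
Retry-interval      30
------------------- --------
EOF
}

# Print the lower-cased value of one option from the table on stdin.
# Carriage returns are stripped because output captured from a terminal may use CRLF.
get_option() {
    tr -d '\r' | awk -v want="$1" 'tolower($1) == tolower(want) { print tolower($2); exit }'
}

# Exit status: 0 = one-way/two-way with encryption, 1 = weak setting,
# 2 = authentication mode not found (treated as a failure, not as a pass).
audit_filerep() {
    out=$(cat)
    auth=$(printf '%s\n' "$out" | get_option Authentication-mode)
    enc=$(printf '%s\n' "$out" | get_option Encryption)
    rc=0
    case "$auth" in
        one-way|two-way) ;;
        anonymous) echo "FAIL authentication-mode=anonymous"; rc=1 ;;
        *) echo "UNKNOWN authentication-mode not found in output"; return 2 ;;
    esac
    if [ "$enc" != "enabled" ]; then
        echo "FAIL encryption=${enc:-missing}"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK authentication-mode=$auth encryption=$enc"
    return "$rc"
}

# Assumed usage against a live system (host name is a placeholder):
#   ssh sysadmin@<dd-host> 'ddboost file-replication option show' | audit_filerep
sample_anonymous | audit_filerep || true
```

A non-zero exit status lets a scheduled job or monitoring check flag any system still set to anonymous, or any system whose output could not be parsed.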