
EMC Solutions Enabler

V7.3
Security Configuration Guide
P/N 300-012-677 A01

EMC
Corporate Headquarters
Hopkinton, MA 01748-9103
1-508-435-1000
www.EMC.com

EMC Corporation
Copyright 2011 EMC Corporation. All rights reserved.
Published June, 2011
EMC believes the information in this publication is accurate as of its publication date. The information is subject to
change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS
PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE.
Use, copying, and distribution of any EMC software described in this publication requires an applicable software
license.
For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com.
All other trademarks used herein are the property of their respective owners.

Solutions Enabler V7.3 Security Configuration Guide

Table of Contents

1 Overview
2 Security Configuration Settings
    2.1 Introduction
    2.2 Access Control Settings
        2.2.1 User authentication
        2.2.2 Authorization for Symmetrix Arrays
    2.3 Log Files and Settings
        2.3.1 Log description
        2.3.2 Log Settings
    2.4 Communication Security Settings
        2.4.1 Port usage
        2.4.2 Port settings
        2.4.3 Network encryption
        2.4.4 Client / Server settings
        2.4.5 SSL Settings
        2.4.6 SSL settings
    2.5 Data security
    2.6 Other security considerations
        2.6.1 Daemon processes on UNIX
        2.6.2 Securing Solutions Enabler configuration files
        2.6.3 Running commands as a non-privileged user
3 Secure deployment and usage
    3.1 Guidelines for securely deploying Solutions Enabler
        3.1.1 Securely enabling client/server operations
4 Secure Maintenance
    4.1 Backup of Solutions Enabler state


1 Overview
This guide describes the security configuration settings available in Solutions Enabler, along with
information on how to securely deploy, use, and maintain the product. It is divided into the
following sections:

• Security Configuration Settings describes Solutions Enabler security settings.
• Secure Deployment and Usage provides instructions on how to deploy and use
  Solutions Enabler securely.
• Secure Maintenance provides recommendations for safeguarding data maintained by
  Solutions Enabler.

2 Security Configuration Settings


2.1 Introduction
Solutions Enabler security settings fall into the following categories:

• Access control settings limit access by end-user or by external product components.
• Log files and settings control event logging and associated files.
• Communication security settings provide security for the product network
  communications.
• Data security settings ensure protection of the data handled by the product.
• Other security considerations describes other security settings critical to Solutions
  Enabler operations.

In the discussion that follows, <SYMAPI_HOME> refers to the base file system location used for
Solutions Enabler data and configuration files. Unless this is overridden during installation
(Windows), this will be:

    Windows:                          C:\Program Files\EMC\SYMAPI
    UNIX (and UNIX-based systems):    /var/symapi

OpenVMS file locations are discussed in the Solutions Enabler Installation Guide.
Note: Pathnames in this document are presented in a UNIX-specific format, using forward
slashes (/) instead of the backslashes (\) that are typically used on Windows platforms.

2.2 Access Control Settings
2.2.1 User authentication
Solutions Enabler does not support an explicit authentication mechanism for users. When using
SYMCLI commands, Solutions Enabler uses the credentials users supply when logging onto the
local system, as provided by the operating system. When using Symmetrix Management
Console (SMC), SMC passes the user's authenticated identity to Solutions Enabler.
Internally, Solutions Enabler represents a user identity as a string that comprises the user's name
along with how (and where) they were originally authenticated. The possible encodings are:

    H:HostName\UserName      A user authenticated by the local operating system.
    D:DomainName\UserName    A user authenticated by a specific Domain on Windows.
    L:ServerName\UserName    A user authenticated by an LDAP Server. [SMC only]
    C:HostName\UserName      A user authenticated by the private SMC authentication
                             service on some host. [SMC only]
    V:DomainName|UserName    A user authenticated by a Virtualization Domain. [SMC only]

Solutions Enabler uses these identities in a number of ways. A user name is included in records
that are written to the Symmetrix array's secure Audit Log. This identifies the user that initiated
the activity being logged. A user identity is the basis for optional user authorization rules that
restrict management access to Symmetrix arrays.

2.2.2 Authorization for Symmetrix Arrays


There are two authorization mechanisms, Symmetrix Access Control and Symmetrix User
Authorization, used to restrict management operations on Symmetrix arrays.
Note: This document only describes Solutions Enabler management operations and does not
cover data access using device masking, Auto-provisioning, or IPSec capabilities.
Symmetrix Access Control allows you to restrict what hosts can perform what management
operations (by command) against what devices on a Symmetrix array. Using the symacl
command or SMC, restrictions can be placed on the types of operations that can be performed
from a host, along with the specific devices they can, or cannot, be performed against. For
additional information, refer to the EMC Solutions Enabler Symmetrix Array Management CLI
Product Guide.
In contrast, Symmetrix User Authorization assigns individual users to roles to limit the
management operations that they can perform. The roles define a set of restrictions for the users.
User Authorization does not provide functionality-based control over credentials as Symmetrix
Access Control does. Using the symauth command or SMC, users can be assigned to
management roles that restrict the types of operations that they are permitted to perform. For
additional information, refer to the EMC Solutions Enabler Symmetrix Array Management CLI
Product Guide.

2.3 Log Files and Settings
2.3.1 Log description
Solutions Enabler maintains the following log files.

Log type and location:
    Solutions Enabler log files
    <SYMAPI>/log/symapi_yyyymmdd.log
Description:
    Where yyyymmdd is the numerical value for the year, month, and day. For example,
    symapi_20100920.log is the log for September 20, 2010.
    Solutions Enabler writes errors and other significant conditions to this log.
    By default, Solutions Enabler keeps these files forever. Setting the
    SYMAPI_LOGFILE_RETENTION option, described on page 7, configures at what point in
    time after creation these files should be automatically removed.

Log type and location:
    Daemon log files
    <SYMAPI>/log/storXXXX.log0
    <SYMAPI>/log/storXXXX.log1
Description:
    Where storXXXX is the name of the daemon. For example: storapid.log0,
    storapid.log1, storgnsd.log0, storgnsd.log1.
    Each Solutions Enabler daemon maintains a pair of log files. The daemons alternate
    between these two files, switching from one to the other when the default maximum
    size of approximately 1 MB is reached.

Log type and location:
    Symmetrix Audit Log
    Maintained on the Symmetrix array.
Description:
    A secure audit log containing a record of configuration changes, security alarms, service
    operations, and security-relevant actions maintained on each Symmetrix array. Records
    are written to this by Solutions Enabler, software running on the Service Processor, and
    the Enginuity Operating Environment. Information from this log can be retrieved using
    the symaudit SYMCLI command.
    For more information on this audit log, refer to the EMC Solutions Enabler Symmetrix
    Array Management CLI Product Guide.
    The Solutions Enabler event daemon (storevntd) can be configured to stream audit
    entries from this log to an external log service (EMC RSA Envision, Syslog, SNMP,
    or the Windows Event Service) automatically as they appear. For more information on
    configuring the Solutions Enabler event daemon, refer to the EMC Solutions Enabler
    Installation Guide.


2.3.2 Log Settings


The following option setting controls how long the Solutions Enabler log files are retained.

Option name and location:
    SYMAPI_LOGFILE_RETENTION = NN
    <SYMAPI_HOME>/config/options
Description:
    Solutions Enabler log files, discussed previously, can be automatically removed NN days
    after they were created.
    Note: The log files might not be removed after the NN days are reached. This value
    indicates to the system when a given file can be removed by the logging logic during its
    normal operation.
    Valid values for NN are between 5 and 1825 (or between 5 days and 5 years). If running
    on the Symmetrix service processor, you can only set this to the default value 0 (keep
    them forever) or 30.

2.4 Communication Security Settings
2.4.1 Port usage
The following network ports are used by Solutions Enabler.

Component:   Client / Server
Protocol:    TCP/IP
Port:        2707
Description: In client/server mode, Solutions Enabler Server (storsrvd daemon) listens on this
             port for connections from client hosts.
             You can change the default port as described in "Port settings" on page 9.

Component:   Event Daemon
Protocol:    TCP/IP
Port:        Dynamically assigned
Description: In client/server mode, the event daemon (storevntd) on a client host listens on
             this port for asynchronous events sent to it from a server host. By default, this is
             picked at random by the client side event daemon.
             Refer to "Port settings" on page 9 for information on setting a specific port value.

Component:   CLARiiON
Protocol:    TCP/IP
Port:        443 or 2163
Description: A configuration file on CLARiiON storage arrays controls whether it listens for
             connections from management hosts over ports 443 or 2163. When Solutions
             Enabler needs to communicate with the array, it attempts both values.

If a Firewall or Network Address Translator is present between communicating entities, these
ports, or ones you have configured, need to be open. Most often, this would be:

• A firewall between Solutions Enabler client and server hosts.
• A firewall between management server and CLARiiON array.


2.4.2 Port settings


Option location and name:
    storsrvd:port = NN
    <SYMAPI_HOME>/config/daemon_options
Description:
    On the server hosts, this directs Solutions Enabler server (storsrvd) to listen for
    connections at this port instead of the default 2707.
    If the default value is changed for the server, client hosts must be configured to the
    alternate port, as described in storevntd:event_listen_port.

Option location and name:
    SvcName - TCPIP HostName - NN SECURE
    <SYMAPI_HOME>/config/netcnfg
Description:
    On client hosts, the netcnfg file is used to map service names (SvcName), used with
    the SYMCLI, to a host (HostName) and port (NN) on which the appropriate server is
    listening. If a non-default server port is configured, corresponding changes have to
    be made to clients in this file as well. For more information, refer to "Client Host SSL
    Control" on page 12.

Option location and name:
    storevntd:event_listen_port = NN
    <SYMAPI_HOME>/config/daemon_options
Description:
    In client/server mode, the event daemon, storevntd, on a client host listens on this
    port for asynchronous events sent to it from a server host. By default, this is picked at
    random by the client side event daemon.
    On client hosts, this setting directs the event daemon to listen at this specific port for
    events sent from the server host instead of using a random port assigned by the local
    operating system. This setting is automatically transmitted to the server hosts as needed.

2.4.3 Network encryption


By default, traffic transmitted between client and server hosts is encrypted using SSL. The
following cryptographic algorithms are employed:
SSLv3 with AES-256 + SHA1

2.4.4 Client / Server settings


In Solutions Enabler client/server mode, client host operations are automatically forwarded to the
storsrvd daemon on a server host for execution. For additional information, refer to the EMC
Solutions Enabler Installation Guide.
By default, traffic transmitted between client and server hosts is encrypted using SSL. A number
of mechanisms are available to operate these connections in a secure manner as described next.

2.4.4.1 Running the Solutions Enabler Server
The Solutions Enabler server daemon (storsrvd) does not run by default. It must be explicitly
started before it can accept connections from remote clients. It can be configured to start
automatically whenever a server host starts by running the following command:
    stordaemon install storsrvd -autostart
Daemons are started differently on z/OS and OpenVMS platforms. Refer to the EMC Solutions
Enabler Installation Guide for details.

2.4.4.2 Restricting access to the Solutions Enabler server


Use the <SYMAPI_HOME>/config/nethost file on a server host to restrict the hosts and users
from which that storsrvd accepts connections. If this file is not present, connections are
accepted from all client hosts.
When in use, each line of the nethost file identifies an acceptable host, followed by a
comma-separated list of user names. A user list of * means that all users from that host are
allowed. Connections from other hosts (and users) will not be permitted. For example:
    # From Client host Saturn, all users may connect.
    saturn *

    # From Client host Jupiter, only users joe and sally may connect.
    jupiter joe, sally

    # An IP address can be used instead of a host name.
    180.100.90.75 *
When a connection is refused, an error message containing the requesting client's user and host
name is written to the storsrvd.log0 or storsrvd.log1 file on the server.
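
The acceptance rules described above can be checked offline before storsrvd is started. The following is an added example, not EMC code: it assumes that host and user list are separated by whitespace, that lines starting with # are comments, and that host names compare case-insensitively; the function names are hypothetical.

```python
import os

# Constructed sample in the format described above (not taken from a real host).
SAMPLE_NETHOST = """\
# From client host saturn, all users may connect.
saturn *
# From client host jupiter, only users joe and sally may connect.
jupiter joe, sally
# An IP address can be used instead of a host name.
180.100.90.75 *
"""


def parse_nethost(text):
    """Return {host: set of user names}; the user '*' means every user.

    Assumed syntax: host and user list separated by whitespace, users
    separated by commas, lines starting with '#' are comments.
    """
    rules = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: host {line!r} has no user list")
        host = parts[0].lower()  # assumption: host names compare case-insensitively
        users = {u.strip() for u in parts[1].split(",") if u.strip()}
        rules.setdefault(host, set()).update(users)
    return rules


def load_nethost(path):
    """Return the parsed rules, or None when the file is absent (no restriction)."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as handle:
        return parse_nethost(handle.read())


def is_accepted(rules, host, user):
    """Apply the documented decision: unlisted hosts and users are refused."""
    if rules is None:  # nethost not present: all client hosts are accepted
        return True
    users = rules.get(host.lower())
    if users is None:
        return False
    return "*" in users or user in users


def review(rules):
    """List the entries an administrator should look at before enabling storsrvd."""
    if rules is None:
        return ["nethost is absent: connections are accepted from all client hosts"]
    return [f"{host}: every user on this host may connect"
            for host, users in sorted(rules.items()) if "*" in users]


if __name__ == "__main__":
    sample_rules = parse_nethost(SAMPLE_NETHOST)
    for host, user in [("jupiter", "joe"), ("jupiter", "root"), ("mars", "joe")]:
        verdict = "accepted" if is_accepted(sample_rules, host, user) else "refused"
        print(host, user, verdict)
    print("\n".join(review(sample_rules)))
```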

2.4.4.3 Restricting functionality in the Solutions Enabler server


Settings in the <SYMAPI_HOME>/config/options file on a server host can be used to restrict
the functionality that storsrvd is allowed to perform on behalf of remote client hosts. The
options are listed in the next table.

Option name (within <SYMAPI_HOME>/config/options) and description:

    SYMAPI_ACC_ADMIN_VIA_SERVER        Symmetrix Access Control changes.
                                       This defaults to ENABLE.
    SYMAPI_ACC_DISPLAY_VIA_SERVER      Symmetrix Access Control information displays.
                                       This defaults to ENABLE.
    SYMAPI_ALLOW_SCRIPTS_VIA_SERVER    Symmetrix TimeFinder pre-action and post-action scripts.
                                       This defaults to DISABLE.
    SYMAPI_CTRL_VIA_SERVER             Symmetrix control operations in general.
                                       This defaults to ENABLE.

When set to DISABLE, this class of functionality is not available through the server.

2.4.4.4 IBM z/OS-specific behavior


Solutions Enabler does not perform any explicit SAF checks as it performs operations.
By default, a Solutions Enabler server running on a z/OS host does not perform any configuration,
SRDF or TimeFinder control operations when requested by a remote client host. To enable these
types of operations, an optional configuration step is required at the server. For additional
information, refer to "Authorizing Control Operations" in the EMC Solutions Enabler Installation
Guide.
Caution: As previously mentioned, no SAF security checks are made during control operations.
By enabling them, you make it possible for remote open systems users, in client/server mode, to
make changes to the Symmetrix configuration on your mainframe system.

2.4.5 SSL Settings


Solutions Enabler uses SSL to secure communications between client and server hosts where
possible.
Note: Solutions Enabler does not support SSL on iSeries, BS2000, OpenVMS, or Linux on PPC
hosts.

2.4.5.1 Server Host SSL Control


When running SSL, a Solutions Enabler server by default only accepts connections from clients if
SSL can be used to secure the connection. To allow non-secure connections from clients that
cannot (or are configured not to) use SSL, add the following to the
<SYMAPI_HOME>/config/daemon_options file on a server host:
    storsrvd:security_level = ANY
This configures the server to use SSL where possible and allow non-secure connections if the
client cannot use SSL.
Note: This only works if the corresponding client allows non-SSL connections, as described in
"Client Host SSL Control" on page 12.


2.4.5.2 Client Host SSL Control


When running on a platform where SSL is supported, a Solutions Enabler client defaults to only
use connections to servers if SSL can be used to secure the connection. On client hosts, there
are two options for allowing non-secure connections to servers that cannot (or are configured not
to) use SSL.

• To allow non-secure connections with servers that are not able to use SSL, add the
  following to the <SYMAPI_HOME>/config/options file:
      SYMAPI_SERVER_SECURITY_LEVEL = ANY

• To allow non-secure connections with specific server hosts, specify the NONSECURE or
  ANY attribute in the <SYMAPI_HOME>/config/netcnfg entry for the server in question.
  This file is used to map service names to server host names (or IP addresses) and port
  numbers, usually for Solutions Enabler SYMCLI commands.
  The format of records within this file is as follows:

      <ServiceName> TCPIP <HostName> <IP-Address> <Port> <SecurityLevel>

  Where:
      <ServiceName>      Service name by which the server is known. Typically, this is the
                         same value that the SYMCLI_CONNECT environment variable uses
                         for CLI commands.
      <HostName>         Name of the host on which the server resides. Either specify
                         <HostName> or <IP-Address>.
      <IP-Address>       IP address of the server. Either specify <HostName> or
                         <IP-Address>.
      <Port>             Port number (default 2707) on which the server is listening.
      <SecurityLevel>    SECURE: Only accepts SSL connections.
                         NONSECURE: Only accepts non-SSL (non-secure) connections.
                         ANY: Accepts both SSL and non-SSL connections.

2.4.5.3 Certificate Use


Solutions Enabler installs self-signed SSL certificates used, by default, on both client and server
hosts to secure SSL connections. For increased security, these default certificates can be deleted
and replaced with certificates you generate for your hosts.
By default, Solutions Enabler servers validate an SSL certificate that is sent from a client, if the
client has one to send. To require client certificates to always be sent and validated, add the
following to the <SYMAPI_HOME>/config/daemon_options file on a server host.
storsrvd:security_clt_secure_level = MUSTVERIFY

For additional information, refer to client/server security in the EMC Solutions Enabler Installation
Guide.


2.4.6 SSL settings


The following table provides a summary of the SSL settings:
Option name, possible values, and location:
    storsrvd:security_level = SECURE | NONSECURE | ANY
    <SYMAPI_HOME>/config/daemon_options
Description:
    On server hosts: Controls whether servers will establish an SSL secured connection.
    SECURE (default): Secure SSL connections are always used. All other connection types
    are refused.
    NONSECURE: Non-SSL connections are used; secure SSL connections are not used.
    ANY: An SSL secured connection is established when supported by the client, otherwise
    a non-SSL connection is used.

Option name, possible values, and location:
    storsrvd:security_clt_secure_lvl = MUSTVERIFY | VERIFY | NOVERIFY
    <SYMAPI_HOME>/config/daemon_options
Description:
    On server hosts: Controls how the server validates client certificates.
    MUSTVERIFY: The server requires clients to send a valid certificate.
    VERIFY (default): The server verifies a client's certificate, if one is sent.
    NOVERIFY: The server does not verify client certificates.
    Note: This option is not supported on z/OS hosts where it defaults to NOVERIFY.

Option name, possible values, and location:
    SYMAPI_SERVER_SECURITY_LEVEL = SECURE | NONSECURE | ANY
    <SYMAPI_HOME>/config/options
Description:
    On client hosts: Controls whether clients establish an SSL secured connection.
    On server hosts: Controls whether servers establish an SSL secured connection, if the
    security_level option in daemon_options is not set (above).
    This defaults to SECURE.
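
The precedence in the table above (storsrvd:security_level in daemon_options first, then SYMAPI_SERVER_SECURITY_LEVEL in options, then the SECURE default) can be resolved mechanically when reviewing a host. The following is an added example, not EMC code: it assumes "name = value" lines with # comment lines, accepts both spellings of the client-certificate option that appear in this guide, and takes the last netcnfg field as the security level and the one before it as the port; the function names are hypothetical.

```python
LEVELS = ("SECURE", "NONSECURE", "ANY")
# This guide spells the client-certificate option two ways; accept either.
CERT_OPTIONS = ("storsrvd:security_clt_secure_lvl",
                "storsrvd:security_clt_secure_level")

# Constructed sample file contents (not taken from a real host).
SAMPLE_DAEMON_OPTIONS = """\
storsrvd:port = 2707
storsrvd:security_level = ANY
"""
SAMPLE_OPTIONS = """\
SYMAPI_SERVER_SECURITY_LEVEL = SECURE
SYMAPI_LOGFILE_RETENTION = 30
"""
SAMPLE_NETCNFG = """\
SYMAPI_SERVER - TCPIP saturn - 2707 SECURE
LEGACY_SERVER - TCPIP jupiter - 2708 NONSECURE
"""


def parse_settings(text):
    """Parse 'name = value' lines; '#' comment lines are an assumed convention."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            settings[name.strip()] = value.strip()
    return settings


def server_posture(daemon_options_text, options_text):
    """Resolve the effective storsrvd SSL settings using the documented precedence."""
    daemon = parse_settings(daemon_options_text)
    options = parse_settings(options_text)
    if "storsrvd:security_level" in daemon:
        level, source = daemon["storsrvd:security_level"], "daemon_options"
    elif "SYMAPI_SERVER_SECURITY_LEVEL" in options:
        level, source = options["SYMAPI_SERVER_SECURITY_LEVEL"], "options"
    else:
        level, source = "SECURE", "default"
    cert = next((daemon[name] for name in CERT_OPTIONS if name in daemon), "VERIFY")
    level, cert = level.upper(), cert.upper()

    findings = []
    if level not in LEVELS:
        findings.append(f"unrecognized security level {level!r} in {source}")
    elif level != "SECURE":
        findings.append(f"{source} sets {level}: non-SSL connections are possible")
    if cert == "NOVERIFY":
        findings.append("client certificates are not verified")
    elif cert == "VERIFY":
        findings.append("client certificates are verified only if the client sends one")
    elif cert != "MUSTVERIFY":
        findings.append(f"unrecognized client certificate setting {cert!r}")
    return {"level": level, "source": source, "client_cert": cert, "findings": findings}


def weak_netcnfg_entries(netcnfg_text):
    """Return (service, port, level) for client entries that permit non-SSL use.

    Assumption: the security level is the last field and the port the one before it.
    """
    weak = []
    for raw in netcnfg_text.splitlines():
        fields = raw.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        level = fields[-1].upper()
        if level in ("NONSECURE", "ANY"):
            weak.append((fields[0], fields[-2], level))
    return weak


if __name__ == "__main__":
    print(server_posture(SAMPLE_DAEMON_OPTIONS, SAMPLE_OPTIONS))
    print(weak_netcnfg_entries(SAMPLE_NETCNFG))
```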

2.5 Data security
Solutions Enabler maintains sensitive data in a number of files. It is important to back up and
protect these files. If they are lost, functionality that depends on the data that they contain may be
impacted.
File location:
    <SYMAPI_HOME>/config/emcpwddb.dat
Description:
    Stores connectivity information, including user names and passwords, used to interact
    with CLARiiON storage arrays and VMware/Hyper-V Virtual Infrastructure Services.
    It is managed via the symcfg authorization SYMCLI command.
    The file is encrypted to protect its contents and prevent tampering.

File location:
    <SYMAPI_HOME>/config/lockboxp
    <SYMAPI_HOME>/config/lockboxb
Description:
    These encrypted files (two copies: a primary and backup) contain security keys including
    encryption keys used by Solutions Enabler on this host.
    These files are encrypted to protect their contents and prevent tampering.

File location:
    <SYMAPI_HOME>/db/symapi_db.bin
Description:
    This is the Solutions Enabler database file.
    When managing CLARiiON arrays, connectivity information, including user names and
    passwords, may be stored here if the user performs actions requiring it. If present, these
    passwords are encrypted to protect them and prevent tampering.

2.6 Other security considerations
2.6.1 Daemon processes on UNIX
Solutions Enabler uses a number of helper daemon processes: storapid, storsrmd,
storsrvd, storgnsd, storrdfd, storevntd, storwatchd. On UNIX, these daemons run as
root by default as a result of their executables being marked setuid-to-root.
The storsrvd, storgnsd, storevntd, and storwatchd daemons can optionally be
configured to run as an identity other than root. This can be set during Solutions Enabler
installation using the -daemonuid=Name option, which, when used with the -silent option,
changes ownership of the daemons to a non-root user, or post-install using the stordaemon
command. For information on which daemons are affected by this option, refer to the
stordaemon man page. For example, the following command configures the GNS daemon to
run under the bin user account:
    stordaemon setuser storgnsd -user bin
The following command configures all daemons to run under the bin user account:
    stordaemon setuser all -user bin
For additional information, refer to the stordaemon man page. Also refer to the
<SYMAPI_HOME>/config/README.daemon_users file that is installed with Solutions Enabler.

2.6.2 Securing Solutions Enabler configuration files


Solutions Enabler stores its configuration files in the following directory:
<SYMAPI_HOME>/config
That directory, and any files in it, should be protected such that only authorized Solutions Enabler
administrators have write access.
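
One way to verify this on a UNIX host is to walk the directory and report anything writable by someone other than the administrators. The following is an added example, not EMC tooling: the function name, the admin_uids and admin_gids parameters, and the choice to flag symbolic links are assumptions of the example.

```python
import os
import stat


def audit_write_access(config_dir, admin_uids=(0,), admin_gids=()):
    """Return (path, reason) findings for config_dir and everything below it.

    admin_uids and admin_gids are the numeric user and group IDs treated as
    authorized Solutions Enabler administrators (an assumption of this
    example; the default trusts root only).
    """
    paths = [config_dir]
    for root, dirs, files in os.walk(config_dir):
        paths.extend(os.path.join(root, name) for name in dirs + files)

    findings = []
    for path in sorted(paths):
        info = os.lstat(path)  # lstat: judge the link itself, do not follow it
        if stat.S_ISLNK(info.st_mode):
            findings.append((path, "symbolic link: check the target's permissions"))
            continue
        if info.st_uid not in admin_uids:
            findings.append((path, "owner is not an administrator"))
        if info.st_mode & stat.S_IWGRP and info.st_gid not in admin_gids:
            findings.append((path, "group-writable"))
        if info.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
    return findings


if __name__ == "__main__":
    # Default UNIX location of <SYMAPI_HOME>/config given earlier in this guide.
    target = "/var/symapi/config"
    if os.path.isdir(target):
        for path, reason in audit_write_access(target):
            print(f"{path}: {reason}")
    else:
        print(f"{target} not found on this host")
```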

2.6.3 Running commands as a non-privileged user


Following an initial installation of Solutions Enabler, most SYMCLI commands must be run by root
(on UNIX) or an administrator (on Windows) user. To allow other users to execute these
commands (for example symcfg discover), you must grant them write access to the following
directories and their contents:
<SYMAPI_HOME>/config/db/
Users other than root (or an administrator, on Windows) must similarly be authorized to
explicitly (via stordaemon) or implicitly (via ordinary commands) make use of the Solutions
Enabler daemons. This is done by adding an entry for the specific user in the file
<SYMAPI_HOME>/config/daemon_users. For example:
    # Allow user 'jones' to make use of the storapid daemon:
    jones storapid
    # A * character at the end of a name can be used
    # as a simple wildcard. The following allows user 'jones'
    # to make use of any of the Solutions Enabler daemons:
    jones stor*
For additional information, refer to the <SYMAPI_HOME>/config/README.daemon_users file
installed with Solutions Enabler.


3 Secure deployment and usage


3.1 Guidelines for securely deploying Solutions Enabler

• Protect the <SYMAPI_HOME>/config directory and its contents so that only appropriate
  administrators have write access. [Section 2.6.2 on page 15]

• If you will be running SYMCLI commands as a non-root user (non-administrator on
  Windows), add those users to the daemon_users as appropriate. Also protect the
  <SYMAPI_HOME>/db directory to grant them access. [Section 2.6.3 on page 15]

• To limit the amount of disk space used by Solutions Enabler log files, arrange for these to
  be cleaned up automatically after some period of time. [Section 2.3.2 on page 7]

• Use Symmetrix Access Control and/or Symmetrix User Authorization to restrict which
  hosts and users may perform management operations. [Section 2.2.2 on page 5]

3.1.1 Securely enabling client/server operations

• If a Firewall or NAT router exists between client and server hosts, you may need to
  configure specific ports and allow those to pass through. [Section 2.4.1 on page 8]

• If you need to weaken or disable SSL protection of client/server communications
  (perhaps due to the need to support platforms without SSL support), change the SSL
  settings. [Section 2.4.5.1 on page 11, 2.4.5.2 on page 12, 2.4.6 on page 13]

• For maximum network security, replace the self-signed SSL certificates that are installed
  by default with ones appropriate and specific to your site. [Section 2.4.5.3 on page 12]

• On server hosts:

  o Arrange for the storsrvd daemon to automatically start by the operating system.
    [Section 2.4.4.1 on page 10]

  o If necessary, modify the port on which the storsrvd daemon listens. [Section
    2.4.4.2 on page 10]

  o If you want to limit the set of client hosts that the server will accept connections
    from, configure the nethost file. [Section 2.4.4.2 on page 10]

  o If you want to limit functionality that the server makes available to remote client
    hosts, configure the specific options. [Section 2.4.4.3 on page 10, or for z/OS
    section 2.4.4.4 on page 11]

  o UNIX only: Since the storsrvd daemon is network facing, consider having it run
    as something other than root. [Section 2.6.3 on page 15]

• On client hosts:

  o For SYMCLI users, modify the netcnfg file with the host names or IP addresses
    of your servers. [Section 2.4.2 on page 9 and section 2.4.6 on page 12]

  o If using asynchronous events through the event daemon, modify the port on
    which the client event daemon listens. [Section 2.4.1 on page 8, on page 9]


4 Secure Maintenance
4.1 Backup of Solutions Enabler state
The following directories and their contents should be backed up to preserve the Solutions
Enabler configuration on a host.
<SYMAPI_HOME>/config
<SYMAPI_HOME>/db
The other directories under <SYMAPI_HOME> contain less critical data that will be recreated by
Solutions Enabler as necessary.
