AppSync 4.0 Security Configuration Guide

Dell EMC® AppSync®
Version 4.0
Security Configuration Guide

January 2020
Copyright © -2020 Dell Inc. or its subsidiaries. All rights reserved.
Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED
IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.
Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property
of their respective owners. Published in the USA.
Dell EMC
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.DellEMC.com
2 Dell EMC® AppSync® Security Configuration Guide

CONTENTS
Tables 5
Preface 7
Chapter 1 Security configuration overview 9

AppSync security configuration overview..........................................................10
Logging into AppSync........................................................................................10
Logging out of the AppSync console ................................................................ 10
Chapter 2 Security Configuration settings 11

Introduction.......................................................................................................12
Access Control overview................................................................................... 12
Access control user roles and permissions............................................ 12
Console view changes with ACLs enabled.............................................13
ACL behavior with applications and databases..................................... 15
Add a user for Access Control Manager (ACL Manager) privileges.......17
Apply an Access Control List (ACL) to an application object................ 18
Set logging level and data expiration time..........................................................18
Communication security settings.......................................................................19
AppSync port requirements.................................................................. 19
Supported TLS versions....................................................................... 22
LDAP configuration ............................................................................. 23
Replace self signed certificate with CA certificate...............................25
Add AppSync host plug-in (inbound) firewall rule............................................. 26
Configure NginX for AppSync agent service..................................................... 27
Security alert system settings...........................................................................29
Setting expiration times for report data and alerts...............................29
Configure server settings for email alerts.............................................29
Other security settings..................................................................................... 30
User management ............................................................................... 30
User roles and their permissions.......................................................... 30
Add a user to AppSync......................................................................... 31
Add an LDAP user to AppSync............................................................. 32
Modifying a user ..................................................................................32
Reset the password for a user..............................................................33
Remove a user from AppSync.............................................................. 33
Change a user role in AppSync.............................................................33
Chapter 3 Physical security controls 35

Physical security controls................................................................................. 36
Dell EMC® AppSync® Security Configuration Guide 3

Contents

TABLES
1 Typographical conventions..................................................................................................7
2 User views from the Dashboard.........................................................................................13
3 User Views from the Service Plan Console........................................................................ 14
4 Data Admin Copy Management operations ....................................................................... 14
5 ACL behavior with SQL Server databases......................................................................... 15
6 ACL behavior with Exchange............................................................................................. 16
7 ACL rules for Oracle.......................................................................................................... 16
8 ACL rules for VMWare Datastores.....................................................................................16
9 ACL behavior with File systems ........................................................................................ 17
10 Port requirements............................................................................................................. 19
11 LDAP server settings........................................................................................................ 24
12 User settings.....................................................................................................................24
13 Roles and permissions.......................................................................................................30

Tables

Preface
As part of an effort to improve its product lines, Dell EMC periodically releases revisions of its
software and hardware. Therefore, some functions described in this document might not be
supported by all versions of the software or hardware currently in use. The product release notes
provide the most up-to-date information on product features.
Contact your Dell EMC technical support professional if a product does not function properly or
does not function as described in this document.
Note: This document was accurate at publication time. Go to https://support.emc.com to
ensure that you are using the latest version of this document.
Purpose
This document is part of the AppSync documentation set, and includes security information.
Audience
This guide is intended for use by customers and service providers to install and configure AppSync.
Related documentation
The following publications provide additional information:
l AppSync User and Administration Guide
l AppSync Installation and Configuration Guide
l AppSync Release Notes
Special notice conventions used in this document
Dell EMC uses the following conventions for special notices:
DANGER Indicates a hazardous situation which, if not avoided, will result in death or serious
injury.
WARNING Indicates a hazardous situation which, if not avoided, could result in death or
serious injury.
CAUTION Indicates a hazardous situation which, if not avoided, could result in minor or
moderate injury.
NOTICE Addresses practices not related to personal injury.
Note: Presents information that is important, but not hazard-related.
Typographical conventions
Dell EMC uses the following type style conventions in this document:
Table 1 Typographical conventions
Bold Used for names of interface elements, such as names of windows,

dialog boxes, buttons, fields, tab names, key names, and menu paths
(what the user specifically selects or clicks)
Italic Used for full titles of publications referenced in text

Monospace Used for:

Preface
Table 1 Typographical conventions (continued)
l System code
l System output, such as an error message or script
l Pathnames, filenames, prompts, and syntax
l Commands and options
Monospace italic Used for variables

Monospace bold Used for user input
[] Square brackets enclose optional values
| Vertical bar indicates alternate selections - the bar means “or”

{} Braces enclose content that the user must specify, such as x or y or
z
... Ellipses indicate nonessential information omitted from the example
Where to get help

Dell EMC support, product, and licensing information can be obtained as follows:
Product information
For documentation, release notes, software updates, or information about Dell EMC products, go
to https://support.emc.com.
Technical support
Go to https://support.emc.com and click Service Center. You will see several options for
contacting Dell EMCTechnical Support. Note that to open a service request, you must have a valid
support agreement. Contact your Dell EMCsales representative for details about obtaining a valid
support agreement or with questions about your account.
Online communities
Visit https://community.emc.com/ for peer contacts, conversations, and content on product
support and solutions. Interactively engage online with customers, partners, and certified
professionals for all Dell EMC products.
Your comments
Your suggestions will help us continue to improve the accuracy, organization, and overall quality of
the user publications. Send your opinions of this document to techpubcomments@emc.com.

CHAPTER 1
Security configuration overview
This chapter includes the following topics:
l AppSync security configuration overview.............................................................................. 10

l Logging into AppSync............................................................................................................ 10
l Logging out of the AppSync console .....................................................................................10

Security configuration overview
AppSync security configuration overview

Review this section to get a basic understanding of the security configuration settings available in
AppSync.
Dell EMC employs a security strategy for AppSync that secures your information infrastructure
from potential internal and external threats.
Although the general public does not directly consume storage management software, this
software forms a critical part of an organization's information infrastructure, and must be
protected from abuse by internal or external adversaries. This document provides information on
how Dell EMC has built AppSync to meet this critical requirement.
Dell EMC protects customer data and respects the environments where Dell EMC products are
deployed. Credentials needed to access devices are securely stored. Only authorized users and
system components can access system resources. The Dell EMC security strategy can be
summarized in the following key features:
l Secure development of the product
l Product in the field has secure support
l Customer security controls and infrastructure are integrated in the product
l Only authorized users and system components can access system resources
l Standard ports to avoid forcing firewall reconfiguration
Logging into AppSync

Log in with the credentials supplied by your administrator, or use the default administrator account
name (default is admin) with the password that was created during AppSync server installation.
Depending on your security settings, you may be prompted to accept certificates for the following
AppSync server connections when logging in the first time:
l https://appsync_server:8444/cas-server/
l https://appsync_server:8445/appsync
You should permanently accept the certificates. For Internet Explorer, follow these steps:
1. Connect to the AppSync server.
2. When the following message appears: There is a problem with this website's
security certificate select Continue to this website (not recommended).
3. Click on Certificate Error at the right of the address bar and select View certificates.
4. Click on Install Certificate and then in the wizard, click Next.
5. Select Place all certificates in the following store.
6. Click Browse, select Trusted Root Certification Authorities, and then click OK.
Logging out of the AppSync console

Log out of the console to disconnect from the AppSync server and end the session.
Procedure
1. Click Log out at the top of the AppSync console.
Note that AppSync automatically logs out an idle user after one hour.

CHAPTER 2
Security Configuration settings
l Introduction........................................................................................................................... 12
l Access Control overview........................................................................................................12
l Set logging level and data expiration time.............................................................................. 18
l Communication security settings........................................................................................... 19
l Add AppSync host plug-in (inbound) firewall rule..................................................................26
l Configure NginX for AppSync agent service..........................................................................27
l Security alert system settings............................................................................................... 29
l Other security settings..........................................................................................................30

Introduction
This section provides an overview of the settings available in the product to ensure secure
operation of the product
Security settings are split into the following categories:
l Access control setting describes settings available to limit access by end-user or by external
product components.
l Communication security settings describe settings related to security for the product network
communications.
l Data security settings describe settings available to ensure protection of the data handled by
the product.
l Log settings describe settings related to the logging of events.
l Security alert system settings describe settings related to sending security alerts and
notifications for the security-related events.
l Other security considerations describe security settings that may not fall in one of the previous
sections.
Access Control overview

Learn how to use Access Control to manage user contact with all applications in AppSync.
Understand how to use an Access Control list (ACL) to restrict user-access to specific
applications.
When you create an ACL for an application, and then assign users to the access list, you grant
those users access to the application in AppSync. A user then can subscribe the application to a
service plan and perform various operations, such as view, generate, mount, unmount, and restore
copies.
Some applications have a parent/child relationship, for example, SQL Server Instance (parent) and
SQL Server databases (children). Child application objects inherit any ACL applied to the parent.
Access control user roles and permissions

Review ACL user roles and permissions including enabling users, restrictions on roles, and parent/
child ACL user rules.
Except for Service Plan Administrators and Data Administrators who have an ACL Manager Role
(assigned by a Service Administrator, only users who are listed on the ACL can access or view the
application on the AppSync console. Users with ACL access do not receive references to the
application, such as events and alerts.
The following list describes the roles and permissions for ACLs in AppSync:
l A Security Administrator enables the ACL Manager role to a Data Administrator.
l Data Administrators that are designated as ACL Managers can grant and revoke users from an
ACL.
l Resource Administrators and Security Administrators cannot access applications under ACL
control. They can, however, view report data generated from applications that they can
access.
l ACLs do not affect Service Plan Administrators, who can perform all operations allowed by this
role.

l Child application objects inherit any ACL applied to the parent. Review the following behavior
of the parent/child ACL model:
n When children are discovered they inherit the parent ACL.
n Users can be added to the ACL of a specific child.
n A child user can see the parent even if that user is not on the parent ACL. The child user
cannot perform any operations on the parent other than navigate (read-only access).
l Only Data Administrators who have the ACL Manager role have authority to grant or revoke
ACLs.
l Data Administrators without ACL Manager privilege can only view a service plans to
applications that they can access.
l Roles are cumulative. You gain all entitlements for each role to which you belong.
Console view changes with ACLs enabled

Learn how your view of the AppSync console changes when ACL lists are added to an application.
After a Data Administrator with ACL Manager privileges applies an ACL to an application, the Copy
Management page of the console displays an ACL Settings button. Only Data Administrators with
ACL management permissions can see this button. They are the only users who can create and
manage the ACL.
After an ACL is created for an application, access to the application on the console moves from all
users to the users designated in the ACL. Users who could view the application can no longer view
it on their console.
Dashboard views
The console Dashboard is the landing page for protected applications. It reflects data generated
from service plan runs against these applications. Consequently, the information displayed on the
dashboard derives only from applications to which you have access.
The following table lists content that you can view on the Dashboard, depending on your role.
Table 2 User views from the Dashboard
Role Dashboard view
Security Administrator No report data or alerts for any application

under ACL control.
Resource Administrator Same view as the Security Administrator.
Service Plan Administrator View all report data and all alerts. ACLs do not
affect the role.
Data Administrator plus ACL Manager role Same view as the Service Plan Administrator
user.
Data Administrator Your accessible applications display only

report calculations, alerts, and alert events.
Service plan views

Data Administrators can view the Service plans and its details. If a user is only a Data
Administrator, the system does not display the Events information. However, Data Administrators
with ACL Manager capability can see the events information.

Table 3 User Views from the Service Plan Console
Tab Affect
Subscriptions You see only the applications they are

authorized for.
Copies You see only those copies for applications you

are authorized for.
Events You cannot see any applications.
Copy Management views
The following table lists possible operations that a Data Administrator can perform from the Copy
Management tab of the console.
Table 4 Data Admin Copy Management operations
Operation Abbreviation Description
Run/Subscribe/Unsubscribe SUB Perform these copy

operations
Mount MNT Mount copy
Unmount UMNT Unmount copy: Occasionally,

you cannot execute unmount
operations when a previously-
run service plan protects
applications to which you
have no access. This scenario
triggers a 403 unauthorized
exception.
Expire EXP Expire copy: removes it from

the console
Restore RST Restore copy: Restore

operations can also result in a
403 unauthorized exception
when you run a restore
operation that affects other
applications that you cannot
access.
Repurpose RPP Repurpose the copy
Discover DSC Discover storage
Set Alerts ALTS Set reporting alerts
View/Navigate VIEW View and navigate in the

console

ACL behavior with applications and databases

ACL behavior can vary depending on the application database, file system or Datastore.
ACL behavior with the following applications is discussed:
l SQL Server databases
l Exchange
l Oracle databases
l VMware Datastores
l File systems
ACL behavior with SQL Server databases

Learn the ACL behavior when used with SQL Server databases including parent/child access and
allowed operations.
SQL Server has a unique user database node that allows ACLs. This affects you only if
you have access to a contained database that is also covered by a subscription to the
user database. Although you can view a database and its subscription, you might not
be able to run the plan if the database subscription was made at the user database
level.
This occurs because a service plan subscription at that level behaves differently. For
example, the run discovers and protects new databases and since those databases
inherit the parent ACLs, users that can run the parent service plan must also be
included in the SQL Server Instance ACL.
Table 5 ACL behavior with SQL Server databases
Application Parent Access Child Access Allowed Operations
SQL Server Instance Yes Yes SUB, ALTS, DSC
SQL Server Instance No Yes VIEW
SQL Server Instance No No NONE
SQL Server Database Yes Yes SUB, MNT, UMNT,

EXP, RST, DSC
SQL Server Database No Yes SUB, aMNT, UMNT,

EXP, RST
a. User cannot run the service plan subscribed at the "user databases" level.

ACL behavior with Exchange

The following table summarizes parent/child access and allowed operations when using an ACL
with Exchange.
Table 6 ACL behavior with Exchange
Application User with Parent User with Child Allowed Operations

Access Access
Exchange Server Yes Yes ALTS, DSC
Exchange Server No Yes View
Exchange Server No No None
Exchange Database Yes Yes SUB, MNT, UMNT,

EXP, RST, DSC
Exchange Database No Yes SUB, MNT, UMNT,

EXP, RST
ACL behavior with Oracle databases

Review this table to learn about ACL behavior with Oracle databases including user access and
allowed operations.
Table 7 ACL rules for Oracle
Application User Access Allowed Operations
Oracle Database ACL user Yes SUB, MNT, UMNT, EXP,

RST, RPP, DSC
Oracle Database without user No None

on ACL
ACL behavior with VMware Datastores

Learn about ACL behavior with VMware Datastores including parent/child access and allowed
operations.
The "Protected Virtual Machines" tab for datastores shows a protected VM only if the user can
access at least one Datastore associated with the VM. Because VM images have a one-to-many
relationship to Datastores, users need access to only one of the image's Datastores to access the
image. Otherwise, the user cannot view the image.
Table 8 ACL rules for VMWare Datastores
Application User Access Allowed operations
VM Datastores Yes SUB, MNT, UMNT, EXP,

RST,DSC
VM Datastores No NONE

ACL behavior with File systems

Learn about ACL behavior with File systems including host level access, parent/child access and
allowed operations.
With File systems, parent/child relationships behave differently than Exchange and SQL Server.
File system parent ACL (host level) refers only the collection of file systems on a host. The ACL is
not applied to the host and therefore does not prohibit operations a user can perform on a host.
Usage of parent -child refers to a file system ACL as a group without having to select individual file
systems.
Since ACLs are not applied to the host, Data Administrators can always view them, even if the
Data Administrator navigates to an empty page.
Table 9 ACL behavior with File systems
Application Host Level Access Child Access Allowed Operations
Host Level yes yes DSC
Host Level No yes VIEW,DSC,ALRT
Host Level No No VIEW
File system Yes Yes SUB, MNT, UMNT,

EXP, RST,DSC
File system No Yes SUB, MNT, UMNT,

EXP, RST,DSC
Add a user for Access Control Manager (ACL Manager) privileges

Learn how to assign a user and yourself as an ACL Manager.
Before you begin
AppSync requires the Security Administrator privilege to assign a user as an ACL Manager.
Procedure
1. Select Settings > User and Roles, and then click ADD.
2. In the User Authentication radio bullon, select Local, and then enter the user name,
password, and password confirmation.
3. To add an ACL Manger role to a user, select Data Administrator, and then click Enable
ACL Management.
ACL Managers must also be assigned the Data Administrator role.
4. To assign yourself as an ACL Manager, complete the following steps:
a. Log out.
b. Log in again.
c. Select Settings > User and Roles, select the role and then click CHANGE ROLE.
d. Click Enable ACL Management.

Apply an Access Control List (ACL) to an application object

Learn about privileges required, restrictions and steps to add users to an access control list for an
application object.
Before you begin
You must have a Data Administrator privilege with ACL Manager enabled to add users to an
application ACL.
Procedure
1. On the AppSync console, go to Copy Management.
2. Click Select View > Copies.
3. Click Select Application > Oracle / Microsoft SQL Server / File Systems / VMware
Datacenters / Microsoft Exchange.
4. Select a database or instance and click ACL SETTINGS to launch the ACL Settings page,
where you can specify user or group access to the desired application object.
The ACL Settings dialog box lists eligible users and users already assigned to an ACL.
5. Select the desired users (They have no check mark beside them.), select Enable ACL
Support, and then click APPLY.
Results
The ACL is applied to the desired object. If the ACL were applied to, for example, an SQL Server
database instance, that ACL will be propagated to the SQL Server database's child databases. If
you open the dialog box on the child database, it displays the inherited users applied to the parent
SQL Server instance. You cannot remove inherited users from a child ACL. However, you can add
new users to a child ACL.
Set logging level and data expiration time

Perform this procedure to control the size of AppSync server logs, their number, the severity of
messages that are logged, and set the expiration time for email and alerts data.
Before you begin
This operation requires the Resource Administrator role in AppSync.
About this task
Log files are stored in jboss\logs folder in the location where the AppSync server was installed.
This location cannot be changed.
Procedure
1. On the AppSync console, select Settings > Logs and Data Expiration.
2. In the Collect Logs from registered hosts section, configure the following options:
l Log retention(in days) - The default is 20.
l Timeout for logcollection(in minutes) - The default is 90.
3. In the Appsync Server Logs section, configure the following options:

l Log directory
l Log file rotation count - The default is 20.
l Maximum log size - File size ranges from 1 MB to 999 GB. The default is 20 MB.

l Logging level - The default is Normal.
4. In the Alerts and Report Data Expiration section, specify the amount of time to keep alerts
and report data in the following fields:
l Keep alerts for - specify a value and select the desired time period from the following
options:
n days
n weeks
n months
l Keep report generation data for - specify a value and select the desired time period
from the following options:
n days
n weeks
n months
5. Alternatively, you can click RESET ALL TO DEFAULT to restore the default values.
6. Click APPLY.
Communication security settings

Communication security settings enable the establishment of secure communication channels
between the product components as well as between product components and external systems
or components.
AppSync port requirements

Specific ports need to be open when a firewall is present for proper operation of AppSync.
Table 10 Port requirements
Source IP Destination IP Destination Port
AppSync Server Production or mount host running l 10004 (default)

AppSync Windows Host plug-in
Note: Pushing the AppSync
l 1024-49151 (valid
Host plug-in to a Windows range)
host requires CIFS access l Protocol: TCP
(TCP port 135 and TCP port
445) as Destination Port
VNX array l 80/443 (default)

l 2162/2163,
9998/9999
l Protocol: TCP to
Port
XtremIO Management Server l 443

(XMS)
l Protocol: TCP to
Port

Table 10 Port requirements (continued)
RecoverPoint appliance l 7225

l Protocol: TCP to
Port
LDAP Server l 389

l 636 (LDAPS)
l Protocol: TCP to
Port
SMI-S Provider l 5989

l Protocol: TCP to
Port
VMAX V2 l 5989
l Protocol: TCP to
Port
VMAX3/PowerMAX l 8443
l Protocol: HTTPs
Production or mount host running l 22 (SSH port

UNIX AppSync Host plug-in
l TCP
VPLEX l 443
l Protocol: https
VMware vCenter Server l 443 (default)

l Protocol: https
Unity l 443
l Protocol: TCP to
Port
RecoverPoint REST layer 4.1.1 l 443

and later
l Protocol: TCP to
Port
Production or mount host running AppSync Server l 10004, 135, and

AppSync Windows Host plug-in 445
l Protocol: TCP to
Port
Note: For log
collection, you
require SMB
access from the
AppSync server

to the AppSync
Windows host
plug-in.
User computer running AppSync AppSync Server HTTP/HTTPS Ports:

Console (UI) - Default
l 8085: This port is
Note: If you configured
used as an HTTP
different ports for the
port and works
AppSync server during
for REST.
installation, these ports can
change. l 8445: This port is
used as an
HTTPS port for
both GUI &
REST.
CAS Port:
as an HTTPS port
for CAS
authentication.
AppSync Server Internal Management and l 9999: This port is

Note: If you configured Postgres Ports used for VNX by
different ports for the Appsync, to
AppSync server during change the log-
installation, these ports can related setting.
change.
used by
Transaction
Manager (internal
to the AppSync
server).
used by
Transaction
Status Manager
(internal to the
AppSync server).
used for remote
EJB invocation
(internal to the
AppSync server).
used by the
internal JMS
messaging
service (internal

to the AppSync
server).
used by the
internal JMS
remoting service
(internal to the
AppSync server).
used for
communication
between
Postgres SQL
and the AppSync
server.
Protocol: TCP to Port
Production or mount host running AppSync Server l 22

UNIX AppSync Host plug-in Note: The
default SSH
port is 22.
However, you
can change
the default
port value.
l Port: TCP
l Protocol: SSH
Supported TLS versions

AppSync support for TLS while communicating with LDAP:
l AppSync releases prior to 3.9 support TLS v1.0 and v1.1
l AppSync release 3.9 and later, support TLS v1.1 and TLS v1.2
AppSync release 3.1 and later allows the AppSync server to communicate with windows agent host
plug-in via OpenSSL using Raw TCP, TLS1.0, and TLS 1.2. To enable the AppSync server to
communicate with windows host plug-in, set the CC_DEFAULT_TRANSPORT"="TLS" under
"[HKEY_LOCAL_MACHINE\SOFTWARE\EMC\AppSync]". If both the AppSync server and the
AppSync windows host plug-in release versions are above 3.1, then all communication between
server and windows host plug-in will use TLS v1.2.
In addition, AppSync patch release 3.7.0.1 onwards, the AppSync windows host plug-in
communicates with SQL server using ODBC drivers with TLS v1.0 and v1.2. If the user has disabled
TLS v1.0 on windows host, the legacy "SQL Server" ODBC driver (available by default on windows
host) will not work.

In order to enable communication on TLS v1.2 only, you must install the latest Microsoft ODBC
Driver for SQL Server with qualified versions 11, 13, 13.1, and 17. You can specify your preferred
ODBC driver for connecting to SQL Instance using the following registry key:
[HKEY_LOCAL_MACHINE\SOFTWARE\EMC\AppSync]
"CC_SQL_SERVER_ODBC_DRIVER"="ODBC Driver 17 for
SQL Server"
For communication between AppSync server and Unix agent plug-in, JSCH 0.1.53 bundled with
AppSync Server and any OpenSSH version available on the agent host OS by default is used.
For communication between AppSync server and storage arrays, HTTPS is used along with TLS
v1.2. All REST requests or communications with the AppSync server use TLS v1.2.
LDAP configuration
For secure communications to occur between two networked entities such as AppSync and an
LDAP server, one entity must trust (that is, accept the certificate from) the other.
Networked entities that exchange data use certificates to authenticate each other.
When the certificate of an LDAP server is accepted or validated, AppSync records that certificate
as trusted. This ensures that AppSync trusts the LDAP server for subsequent connections.
You can choose to bypass certificate verification; however, you should do so only when you are
sure that AppSync is connecting to the correct LDAP server. If you bypass the certificate
verification process, AppSync cannot guarantee a secure connection with the LDAP server.
Note: OpenLDAP is not supported with AppSync.
For LDAPS, consider the following:

l The certificate file configuration property must reference a PEM formatted file, which includes
the following:
n End-entity or leaf certificate for the LDAP server
n All intermediate and root CA certificates required to build a full chain for the LDAP server, if
they are not sent from the server during the SSL/TLS handshake.
Note: Typically, servers reply with the end-entity and all intermediate CA certificates, but
might not send the root CA certificate. Populate the PEM file with the entire certificate
chain, including the CA certificate.
l LDAP Server name must be the same as the name in the certificate.
Setting up access to LDAP

Before you can add a user from LDAP, you need to set up access to an LDAP directory server.
Before you begin
This operation requires the Security Administrator role in AppSync.
Procedure
1. Select Settings > User Administration.
2. Select LDAP Settings.
3. Values are required for the LDAP server name, port, distinguished name, password, user
search path, and group search path. Refer to LDAP server settings
4. For the user settings, values are required for the user search path and group search path.
Refer to User settings.

5. Click Apply.
LDAP server settings

Specific settings are required to set up access to LDAP.
Table 11 LDAP server settings
Setting Description
Authority Name Fully-qualified domain name that represents the root of the LDAP
directory tree. Use a period-separated format similar to that used in
DNS. This is translated to X.509 format. For example, ldap.emc.com is
translated to the X.509 format dc=ldap,dc=emc,dc=com.
Note: The domain name must not contain special characters. Refer
to Refer to KB Article 90380 available on the Dell EMC Support
website. Additionally, exceptions to the special characters rule
contained in MicroTsoft Article 909264 "Naming conventions in
Active Directory for computers, domains, sites, and OUs " do not
apply as stated in this article and should not be used in host names.
One value only.
LDAP Server IP address, hostname, or FQDN of the primary directory server to use
for authentication. The value you specify depends on the format of the
subject field entry in the directory server's certificate; typically this
requires a hostname. One value only.
Port Port number used by the directory server for LDAP communications. By
default, LDAP uses port 389 and LDAPS uses port 636.
Use LDAPS Select this option to use LDAPS for securing communication.
Protocol
Distinguished Name Indicates the administrator user who has privileges to connect to LDAP
for authentication. The DN can be expressed in Down-Level Logon
Name, User Principle Name, or RDN format. For example, if the fully
qualified domain name is mycompany.com, the DN can be expressed as,
mycompany\administrator, administrator@mycompany.com or
cn=administrator,cn=users,dc=mycompany,dc=com.
Password Specify the account's password (the bind credential used to

authenticate the account).
Certificate File File containing the SSL certificate issued from the AD server, required
to enable SSL communications to the AD server.
Note: You must manually copy the certificate file to the AppSync
server.
User settings
Specific settings are required to set up access to LDAP.
Table 12 User settings
Setting Description
User ID Attribute Name of the LDAP attribute whose value indicates the user ID (for
example, sAMAccountName).

Table 12 User settings (continued)
Setting Description
User Object Class LDAP object class for users (for example, user in Active Directory).
User Search Path Path to search for users on the directory server, for example, cn=users,
dc=mycompany, dc=com
Note:
l LDAP users must be registered in AppSync.
Replace self signed certificate with CA certificate

AppSync ships with a self signed certificate. Do the following to replace a self signed certificate
with a certificate from CA.
Before you begin
You must have administrator privileges to execute the commands.
About this task
Note:
l <private-key > is the corresponding private key for the certificate that must be added
to AppSync.
l <certificate-file> is the CA Signed certificate that must be added to AppSync.
l <AppSync-installation> is the location where AppSync is installed. The default
location is C:\EMC\AppSync.
l <keystore-name> is the name of the keystore output that is generated from the
certificate and private-key.
l The default password for keystore is changeit.
Procedure
1. Stop the EMC AppSync Server service and the EMC AppSync Security Server service from
the Windows Services application.
2. Back up the following existing certificate and keystore files:
l <AppSync-installation>\jboss\standalone\configutation\cas.crt
l <AppSync-installation>\jboss\standalone\configutation\cas.jks
3. Convert the TPA certificate and private key into a keystore file using OpenSSL. You might
have to install OpenSSL, if you are a Windows user.
openssl pkcs12 -export -in <certificate-file> -inkey <private-key> -

name appsync -out <keystore-name>

4. From the command prompt, type the following command to delete the existing alias from
the AppSync keystore:
<AppSync-installation>\jboss\_jre\bin\keytool -delete -alias appsync -

keystore <AppSync-installation>\jboss\standalone\configuration\cas.jks
5. From the command prompt, type the following command to import the new keystore file to
the AppSync keystore:
<AppSync-installation>\jboss\_jre\bin\keytool -importkeystore -
deststorepass changeit -destkeypass changeit -destkeystore <AppSync-
installation>\jboss\standalone\configuration\cas.jks -srckeystore
<keystore-name> -srcstoretype PKCS12 -srcstorepass <source-keystore-
password> -alias appsync
6. From the command prompt, type the following command to import the new certificate to
the Java keystore:
<AppSync-installation>\jboss\_jre\bin\keytool -importcert -file

<certificate-file> -keystore <AppSync-installation>\jboss\_jre\lib
\security\cacerts -storepass changeit -alias appsync -noprompt
7. Start the EMC AppSync Security Server service and the EMC AppSync Server service.
8. If import fails, do the following:
a. Copy the backed up cas.crt and cas.jks files to the original location (<AppSync-
installation>\jboss\standalone\configuration).
b. Start the AppSync services.
Add AppSync host plug-in (inbound) firewall rule

Ensure that you enable firewall to prevent the AppSync agent host from being vulnerable to
remote DDOS attacks from unsolicited hosts.
About this task
To add or edit the firewall rule on a host where AppSync agent is installed, do the following:
Procedure
1. Click Start > Control Panel > System and Security > Windows Firewall.
The Windows Firewall window appears.
2. Check the network connections of the host.
3. Click Turn Windows Firewall on or off to ensure that firewall is enabled on all the networks
to which the host is connected. Click OK.
4. Click Advanced Settings.
The Windows Firewall with Advanced Security window appears.
5. Click Inbound Rules.
The inbound rules are listed.

6. Right-click the AppSync Host Plug-in (Inbound) rule, and select Properties.
The AppSync Host Plug-in (Inbound) Properties dialog appears.
7. Click Scope and select These IP addresses under Remote IP address.
8. Click Add to specify the AppSync server address.
Alternatively, you can use the command line interface to create your own AppSync host
plug-in (inbound) firewall rule.
For example, if the AppSync server IP address is 10.247.182.163 and the AppSync agent port
is 10004, type the following command:
netsh advfirewall firewall add rule name="AppSync Host Plug-in

(Inbound)" dir=in action=allow program="%ProgramFiles%\EMC\AppSync Host
Plug-in\AppSyncHostPlugin.exe" description="Allow incoming traffic to
AppSync Host Plug-in" enable=yes protocol=TCP localport=10004
remoteip=10.247.182.163
To modify an existing firewall rule, type the following command:
netsh advfirewall firewall set rule name="AppSync Host Plug-in

(Inbound)" new dir=in action=allow program="%ProgramFiles%\EMC\AppSync
Host Plug-in\AppSyncHostPlugin.exe" description="Allow incoming traffic
to AppSync Host Plug-in" enable=yes protocol=TCP localport=10004
remoteip=10.247.182.163
Configure NginX for AppSync agent service

Dell EMC recommends that you use the open source software, NginX as an additional measure to
further protect AppSync agent hosts from remote DDOS attacks.
Procedure
1. Go to the following location and install NginX for Windows: http://nginx.org/en/
download.html
2. Edit the configuration (nginx.conf) file.
3. Replace the content of nginx.conf with the following:
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
stream {
upstream stream_backend {
server 127.0.0.1:10005;
}
server {
listen 10004;
proxy_pass stream_backend;
allow 10.247.172.240;
deny all;
}
}

In this scenario, the AppSync server IP address is 10.247.172.240 and the AppSync agent is
listening on port 10004. Stream is an NginX directive, and by default listens to the TCP
protocol. AppSync listens to AppSync agent port 10004, and redirects the request to
another free port (for example, 10005).
stream {
upstream stream_backend {
server 127.0.0.1:10005;
}
server {
listen 10004;
proxy_pass stream_backend;
You can use the NginX directive allow to specify the IP address of the AppSync server or
any other server that must contact port 10004. You can use the deny directive to deny
requests from all other machines.
4. After you modify the configuration (nginx.conf) file, open command prompt and navigate
to the NginX install location and type the following command to reload the NginX
configuration file:
nginx –s reload
5. Configure Windows Firewall to add NginX.

a. Click Start > Control Panel > System and Security > Windows Firewall.
b. Click Allow an app or features through Windows Firewall.
The Allow apps to communicate through Windows Firewall window appears.
c. Click Allow another app, and browse to the install location to add NginX.
d. Select the nginx.exe file and click Open.
e. Click Add.
The NginX application is added to the Windows firewall.
6. Configure the AppSync agent.
a. Update the AppSync agent with the port to which NginX redirects requests from the
AppSync server.
a. Run regedit.msc.
b. Go to HKEY_Local_Machine> Software> EMC> AppSync.
c. Modify the CC_DEFAULT_PORT key to the redirected port.
b. From the command prompt, type the following command to create a firewall rule to block
connections on port 10005 from other servers:
Netsh advfirewall firewall add rule name=”nginx(inbound)”

protocol=TCP dir=in localport=10005 action=block for Inbound rule
7. Restart the AppSync Agent Services.

Security alert system settings
Setting expiration times for report data and alerts

By default, alerts are deleted after 30 days. By default, data that is used in reports is deleted after
120 days. You can change these values under server settings.
Before you begin
Procedure
1. On the AppSync console, select Settings > Logs and Data Expiration.
2. In the Alerts and Report Data Expiration section, specify the amount of time to keep alerts
and report data in the following fields:
l Keep alerts for - specify a value and select the desired time period from the following
options:
n days
n weeks
n months
l Keep report generation data for - specify a value and select the desired time period
from the following options:
n days
n weeks
n months
3. Alternatively, you can click RESET ALL TO DEFAULT to restore the default values.
4. Click Apply.
Configure server settings for email alerts

Configure SMTP services on a machine that the AppSync server can access.
Before you begin
Refer to SMTP documentation for configuration procedures.
Procedure
1. Select Settings > Notification.
2. Under SMTP Settings, enter values for SMTP Server Host Name, SMTP Server Port,
Sender Email Address, and Recipient Email Address.
Note: License non-compliant alerts are sent to the specified recipient address.
To validate the settings, click SEND TEST EMAIL, enter the recipient's email address and
then click OK. The recipient's mailbox should receive a test email from AppSync.
3. Select Notify Service Plan Success to receive notifications on the successful completion
of service plans.
4. Select Notify For On Demand Success to receive notifications on the completion or failure
of on-demand jobs.

5. Click APPLY.
Other security settings

Get additional security settings that may not appear in previous sections of this guide.
These security considerations include:
l Managing user security
l Managing licensing
User management
You can set up AppSync to have multiple users. Each user can be assigned one or more roles that
correspond to their responsibilities and requirements.
You can create users that are local to AppSync, and optionally add LDAP users.
User roles and their permissions

Roles determine the operations that a user can perform.
A user can have multiple roles. Roles are accumulative, not hierarchical.
Table 13 Roles and permissions
Role Permissions
Security Administrator l Configure LDAP servers

l Add users
l Modify users, including changing other users' passwords
l Remove users
l Add roles to users
l Remove roles from users
l Assign an ACL (Access Control List) Manager role to a Data
Administrator
Resource Administrator l Add, modify or remove any type of storage array

l Add, modify or remove a RecoverPoint site
l Add a host; requires host credentials
l Modify or delete a host
l Add a vCenter Server
l Modify or delete a vCenter Server
l Obtain and upload licenses
l Modify server settings
Service Plan l Add service plan

Administrator
l Modify service plan (except overrides and selection of DAG
member server and DAG copy to be protected)
l Delete a service plan

Table 13 Roles and permissions (continued)
Role Permissions
l Run a service plan
Data Administrator l Configure applications on a host

l Discover application databases on a host
l Discover VMware datastores
l Subscribe data to a service plan
l Remove applications from a service plan subscription
l Specify override settings applications subscribed to a service
plan
l Select DAG member server and copy for protection
l Repurpose a copy
l Create a copy on demand
l Run a service plan on demand
l Mount a copy on demand
l Restore a copy on demand
ACL (Access Control l Assign an application to an ACL

List) Manager
l Grant and revoke users from an ACL
l Add new users to the ACL of a child.
l View applications under the ACL
l View report data for applications under the ACL
l Security Administrator enables the ACL Manager role to a Data
Administrator.
l Refer to the security guide for AppSync for full Access Control
information.
Add a user to AppSync

If you want to configure AppSync to have multiple users, you need to add them to the AppSync
server.
Before you begin
Procedure
1. On the AppSync console, select Settings > Users and Roles > ADD.
2. In User Authentication options select Local.
3. In the Local Authentication Settings region, specify values for the Username, Password,
and Confirm Password fields.
4. Select the roles that you want to assign to the user from the following choices in the Roles
table:

l Data Administrator
l Resource Administrator
l Security Administrator
l ServicePlan Administrator
If you want to assign an ACL Manger role to another user, select Data Administrator, and
then click Enable ACL Management. ACL Managers must also be assigned the Data
Administrator role.
Note: If you want to assign yourself as an ACL Manager, assign the Data Administrator
role first, log out and then log in again.
5. Click OK.
Add an LDAP user to AppSync

If you want to configure AppSync to have multiple users, you need to add them to the AppSync
server.
Before you begin
You must configure the LDAP server before you can create an LDAP user.
Procedure
1. On the AppSync console, select Settings > Users and Roles > Add.
2. In User Authentication options select LDAP.
3. In the Local Authentication Settings region, specify the name of the user in the LDAP User
field and click LOOKUP.
4. Select the roles that you want to assign to the user from the following choices in the Roles
table:
l Data Administrator
l Resource Administrator
l Security Administrator
l ServicePlan Administrator
If you want to assign an ACL Manger role to another user, select Data Administrator, and
then click Enable ACL Management. ACL Managers must also be assigned the Data
Administrator role.
Note: If you want to assign yourself as an ACL Manager, assign the Data Administrator
role first, log out and then log in again.
5. Click OK.
Modifying a user
You can add or remove a user and change a user's role and password.
Before you begin
Procedure
1. Select Settings > User and Roles.

2. Select the username to modify and choose an action from the available buttons: ADD,
REMOVE, RESET PASSWORD, or CHANGE ROLE.
If you want to change your role to enable the ACL Manager Role check Enable ACL
Management in the Change Role page. Also select the Data Administrator role as this role
is required to obtain ACL Manager permissions.
Reset the password for a user

You can change the password of a local AppSync user.
Before you begin
Procedure
1. On the AppSync console, select Settings > Users and Roles.
2. Select the user you want to modify and click RESET PASSWORD.
3. In the Reset Credentials window, specify the new password in the Password and Confirm
Password fields.
4. Click OK.
The user can no longer log in with the previous password.
Remove a user from AppSync

Removing a user removes the account from the AppSync database. Removing an LDAP user from
AppSync has no effect on the LDAP server.
Before you begin
Procedure
2. Select the user you want to remove and click REMOVE.
3. In the Confirmation window, click OK.
Change a user role in AppSync

Changing the roles assigned to a user changes the user's capabilities to manage data in AppSync.
Before you begin
Procedure
2. Select the user whose permissions you want to change and click CHANGE ROLE.
3. In the Change Roles page, select or deselect the roles that you want to apply to or remove
from the user.
4. Click UPDATE.
After you finish
Note: If you remove the Data Administrator Role from a user they no longer have rights for
ACL Management.


CHAPTER 3
Physical security controls
l Physical security controls......................................................................................................36


Since AppSync is a software product, no physical hardware controls are present. Always make
sure your physical databases, servers, network devices, and other components are physically
secured before installing your AppSync software.

AppSync 4.0 Security Configuration Guide

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

AppSync 4.0 Security Configuration Guide

Uploaded by

Copyright:

Available Formats

Dell EMC® AppSync®

Security Configuration Guide

2 Dell EMC® AppSync® Security Configuration Guide

Chapter 1 Security configuration overview 9

Chapter 2 Security Configuration settings 11

Chapter 3 Physical security controls 35

Dell EMC® AppSync® Security Configuration Guide 3

4 Dell EMC® AppSync® Security Configuration Guide

Dell EMC® AppSync® Security Configuration Guide 5

6 Dell EMC® AppSync® Security Configuration Guide

Note: Presents information that is important, but not hazard-related.

Table 1 Typographical conventions

Bold Used for names of interface elements, such as names of windows,

Italic Used for full titles of publications referenced in text

Dell EMC® AppSync® Security Configuration Guide 7

Table 1 Typographical conventions (continued)

Monospace italic Used for variables

[] Square brackets enclose optional values

| Vertical bar indicates alternate selections - the bar means “or”

... Ellipses indicate nonessential information omitted from the example

Where to get help

8 Dell EMC® AppSync® Security Configuration Guide

This chapter includes the following topics:

l AppSync security configuration overview.............................................................................. 10

Dell EMC® AppSync® Security Configuration Guide 9

AppSync security configuration overview

Logging into AppSync

Logging out of the AppSync console

10 Dell EMC® AppSync® Security Configuration Guide

This chapter includes the following topics:

Dell EMC® AppSync® Security Configuration Guide 11

Access Control overview

Access control user roles and permissions

12 Dell EMC® AppSync® Security Configuration Guide

Console view changes with ACLs enabled

Table 2 User views from the Dashboard

Role Dashboard view

Security Administrator No report data or alerts for any application

Resource Administrator Same view as the Security Administrator.

Data Administrator Your accessible applications display only

Service plan views

Dell EMC® AppSync® Security Configuration Guide 13

Table 3 User Views from the Service Plan Console

Subscriptions You see only the applications they are

Copies You see only those copies for applications you

Events You cannot see any applications.

Copy Management views

Table 4 Data Admin Copy Management operations

Operation Abbreviation Description

Run/Subscribe/Unsubscribe SUB Perform these copy

Mount MNT Mount copy

Unmount UMNT Unmount copy: Occasionally,

Expire EXP Expire copy: removes it from

Restore RST Restore copy: Restore

Repurpose RPP Repurpose the copy

Discover DSC Discover storage

Set Alerts ALTS Set reporting alerts

View/Navigate VIEW View and navigate in the

14 Dell EMC® AppSync® Security Configuration Guide

ACL behavior with applications and databases

ACL behavior with SQL Server databases

Table 5 ACL behavior with SQL Server databases

Application Parent Access Child Access Allowed Operations

SQL Server Instance Yes Yes SUB, ALTS, DSC