
Rubrik CDM Security Guide

Version 7.0
755-0198-01 A1

Rubrik Headquarters: Palo Alto, California 94304


1-844-4RUBRIK www.rubrik.com
Legal Notices

Copyright and trademarks


Copyright

Copyright © 2022 Rubrik Inc.


All rights reserved. This document may be used free of charge. Selling without prior written consent is
prohibited. Obtain permission before redistributing. In all cases, this copyright notice and disclaimer must
remain intact.
THE CONTENTS OF THIS DOCUMENT ARE PROVIDED "AS IS," AND COPYRIGHT HOLDERS MAKE NO
REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT,
OR TITLE; THAT THE CONTENTS OF THE DOCUMENT ARE SUITABLE FOR ANY PURPOSE; THAT THE
IMPLEMENTATION OF SUCH CONTENTS WILL NOT INFRINGE ANY THIRD PARTY PATENTS, COPYRIGHTS,
TRADEMARKS OR OTHER RIGHTS.
COPYRIGHT HOLDERS WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL OR CONSEQUENTIAL
DAMAGES ARISING OUT OF ANY USE OF THE DOCUMENT OR THE PERFORMANCE OR IMPLEMENTATION
OF THE CONTENTS THEREOF.

Trademarks

Registered in the U.S. Trademark Office


Rubrik, the Rubrik graphic, and Datos IO are registered trademarks of Rubrik, Inc. in the U.S. and other
countries. Additionally, Rubrik, Inc. holds common law trademark rights in Rubrik Polaris, Polaris GPS,
Polaris Radar, Polaris Sonar, Rubrik Envision, Rubrik Edge, and Mosaic in the U.S. and/or other countries.
All other trademarks are the property of their respective owners.

Legal Notices

Certain products and features, including Microsoft 365 Protection provided by Rubrik Polaris, are subject to
additional product-specific terms available at https://www.rubrik.com/en/legal.
By using the Rubrik Polaris Sonar application, you understand and acknowledge that Rubrik Polaris Sonar’s
pre-existing Policies and Analyzers contain general suggestions for data elements and formats based on
common data sets and formats. The suggested data elements and formats in Rubrik Polaris Sonar are not
intended to be a comprehensive or exhaustive list of data elements and formats regulated by the GDPR,
CCPA or any other applicable laws and regulations. We also do not guarantee that your Rubrik Polaris
Sonar search results will include every instance of each data element and format within your data set. We
strongly recommend that you consult legal counsel for specific advice regarding compliance with applicable
laws and regulations.

Copyright and trademarks 04/28/2022 | ii
Rubrik Polaris Sonar is designed to assist customers with identifying certain data elements and formats and
should not be solely relied upon to identify all data elements and formats of a certain type for any purpose,
including legal or compliance.
Use of the Polaris Management Console software is subject to additional product-specific terms available at
https://www.rubrik.com/en/legal.



Preface
Welcome to Rubrik. We appreciate your interest in our products.
Rubrik is continually working to improve its products and regularly releases revisions and new versions.
Some information provided by this guide may not apply to a particular revision or version of a product.
Review the release notes for the product to see the most up-to-date information about that product.

Support
Use one of the following methods to contact Rubrik Support.

Web: Rubrik Support Portal
Phone: See Get In Touch for contact options.
Email: support@rubrik.com

Revision History
Revision history for the Rubrik CDM Security Guide.

Table 1: Documentation revision history

Rev. A0, February 2022: General Availability release of Rubrik CDM version 7.0.
Rev. A1, April 2022: Clarified software encryption references.

Related documentation
Rubrik provides documentation that covers a broad range of related concepts, tasks, and reference
information.
• Rubrik Polaris User Guide
• Rubrik Polaris Radar Quick Start Guide
• Rubrik CDM Release Notes
• Rubrik CDM User Guide
• Rubrik CDM Install and Upgrade Guide
• Rubrik CDM Security Guide

• Rubrik CDM Cloud Cluster Setup Guide
• Rubrik CDM Hardware Guide
• Rubrik CDM CLI Guide
• Rubrik CDM Events Guide
• Rubrik Edge Install and Upgrade Guide
• Rubrik Virtual Cluster Install Guide
• Rubrik Compatibility Matrix

Comments and suggestions


We welcome your comments and suggestions about our products and our product documentation.

Products

To provide comments and suggestions about our products contact Rubrik Support, as described in Support.

Product documentation

To provide comments and suggestions about the product documentation, please send your message by
email to: techpubs@rubrik.com.
Please include the following information about the product documentation to help us find the content
that is the subject of your comments:
• Full title
• Part number
• Revision
• Relevant pages

Rubrik Build
Rubrik hosts community-based tools through the Rubrik Build program and associated GitHub repositories
for community-supplied tools.
Rubrik Build is an open source program that provides access to a growing community of enthusiasts and
experts across a number of languages and tools. Rubrik Build is used to create and improve projects that
simplify monitoring, testing, development, and automated workflows for Rubrik product deployments.
Rubrik Build includes the following resources:
• Software Development Kits
• Tooling Integrations
• Use Cases
• Community Projects
• Rubrik REST API documentation

Important: USE AT YOUR OWN RISK. Rubrik does not officially support the community tools. Carefully
investigate a community tool before using it. Always test a community tool on non-production data before
using the tool with production data.

Contents

Rubrik data security overview (8)
  Security features in Rubrik CDM (8)
  Rubrik CDM secure development lifecycle (9)
  Support tunnel authentication (9)

Rubrik cluster accounts (10)
  Local account security best practices (10)
  Domain account security best practices (12)
  Rubrik cluster default accounts (12)
    IPMI in the Rubrik cluster (13)

Automation on a Rubrik cluster (18)
  Storing credentials securely (18)

Access control (19)
  User or group account roles (19)
  Local authentication (19)
  Strong passwords (20)
  Guidelines for choosing a strong password (21)
  The zxcvbn password strength checker (21)
  LDAP authentication (21)
    LDAP Credentials (22)
    LDAP Servers (22)
  Enabling multifactor authentication (23)

Access restrictions with authentication (24)
  Authentication methods (24)
  Viewing authentication and authorization information (26)
  User and group information (26)
  Least privileged access (26)
  Least privileged access for cloud archival (27)
  User management with role-based access control (27)
  Basic session authentication (27)
    Generating a header for basic session authorization (28)
  Session token authentication (28)
    Secure API token architecture (29)
    Generating an API token (29)
    Testing a generated API token (30)
    PowerShell SDK tokens (30)
    Deleting an expired API token (32)
    API token rotation (32)

Rubrik cluster audits (34)
  Space allocation for log records (34)
  The Rubrik cluster audit manager (35)
  User audit log (35)
  Auditing categories in the Rubrik cluster (36)
  List of audited events in the Rubrik cluster (36)

Certificate management in the Rubrik cluster (38)
  TLS certificate management (38)
  Disable TLS version 1.1 (38)
  Importing a TLS certificate (38)
  Using a new TLS certificate (39)
  Generating a CSR (40)

Encryption in the Rubrik cluster (41)
  Data in flight encryption (41)
  Encryption of data at rest (42)
    Password encryption (42)
    Replication across clusters (42)
  Encrypted key management in the Rubrik cluster (42)
    Rotating key encrypting keys (43)
    Setting up a KMIP server (43)
    Generating a certificate signing request (44)
    Vormetric DSM integration (44)
  Data encryption at rest on Rubrik Briks (46)
  Verifying the Rubrik cluster encryption status (46)

Steps to harden a Rubrik cluster (48)
  System updates with the latest Rubrik security (48)
  Enabling the syslog server (48)
  Best practices for web session limits and inactivity timeouts (49)
  Configuring for active directory authentication (49)
  Configuring the TLS protocol (50)
  Retention locks in the Rubrik cluster (50)
  Secure network time protocol configuration (51)
  Security banner (51)
    Setting the login banner text (51)
  Archive storage (52)
  Archive storage and the principle of least privileged access (52)
  Best practices for NFS and SMB security (52)
  Harden the IPMI interface (53)
    Adding a new IPMI user (53)
    Testing the IPMI interface (54)
    Disabling the IPMI ADMIN user (55)
    Disabling the virtual media (55)
  Password management configuration (56)
  Harden encryption (56)
    Verifying encryption on Rubrik cluster nodes (56)
    Using a certificate signed by a trusted CA (57)
    Generating a CSR signed by an arbitrary certificate authority (57)
  Signature matching verification for upgrades (57)
  Disable unused network ports (58)
  Hardening requirements for a high-security system (58)
    Updating the value for a Web session timeout (59)
    Verifying the Rubrik cluster uses UTC (60)
    Using DoD-approved certificate authorities (60)
    Displaying a DoD-approved banner (61)
    Configuring for an account of last resort (61)
    Verifying successful logins are displayed in the log (61)
    Verifying an emergency account (62)


Chapter 1
Rubrik data security overview

Rubrik data security overview

Security is an important part of any data management system.


When security is compromised, attackers can disrupt, steal, and destroy a company’s valuable data from
a company's data management system. Rubrik strives to protect its customers' valuable data by providing
data security features and best practices for securing Rubrik Cloud Data Management (CDM) and Rubrik
Polaris against unauthorized use.

Security features in Rubrik CDM


Rubrik CDM offers a comprehensive approach to security regardless of data location.
To ensure the privacy and safety of enterprise data, Rubrik clusters deploy a multilayered security
framework that consists of the following components:
• Data-at-rest encryption – Rubrik Cloud Data Management (CDM) encrypts all data at rest to protect
against physical breaches. For example, data will be secure even if a drive is stolen from a data center.
Rubrik CDM delivers both software (AES-256 encryption) and hardware (FIPS 140-2 Level 2 HDD and
SSD) encryption for data at rest.
• Data-in-flight encryption – Rubrik CDM encrypts all data before it leaves the system, ensuring secure
data archival in public or private cloud environments. Rubrik leverages client-side encryption libraries
supported by public cloud providers, and all archived data undergoes envelope encryption.
• Flexible key management – Rubrik CDM offers the flexibility to manage keys either with an internal
key manager using the trusted platform module (TPM) chip or an external key manager using the key
management interoperability protocol (KMIP).
In both cases, Rubrik facilitates security best practices by allowing users to easily execute a one-time
key rotation or automate recurring rotations. Rubrik key management also enables secure cluster
erasure to provide government agencies with added security.
• User authentication – Rubrik CDM reduces the risk of data breaches and cyberattacks by assigning
granular permissions for data access via single sign-on (SSO) and multiple options for multifactor
authentication, and supports native Time-Based One-Time Passwords (TOTP) for local and Lightweight
Directory Access Protocol (LDAP) authentication, RSA tokens, and external Security Assertion Markup
Language (SAML) compliant identity providers.
Rubrik CDM integrates with Microsoft Active Directory (AD) and non-Microsoft LDAP servers and
supports granting authorizations and creating groups from AD/LDAP. Rubrik clusters use role-based
access control (RBAC) to define the capabilities of authenticated users and API tokens for added layers
of security.
• Data integrity – Rubrik CDM provides data integrity against cyberattacks such as ransomware. No
external or internal operation can modify the data since the underlying backups are read-only.
Rubrik has also built the industry’s most comprehensive portfolio of government certifications and
accreditations across the hybrid cloud. Rubrik offerings are certified for the United States Department of
Defense Information Network Approved Products List (DoDIN APL) and EAL2+ of Common Criteria for
Information Technology Security Evaluation. Rubrik supports all major government infrastructure offerings,
including Google Cloud Platform (GCP), Microsoft Azure GovCloud, AWS GovCloud, and Commercial Cloud
Services (C2S).



Rubrik CDM secure development lifecycle
Rubrik CDM employs a combination of network vulnerability scanning, static code analysis, and secure
code reviews to discover and address potential security vulnerabilities.
Each Rubrik CDM release goes through this vulnerability discovery process. Depending on the severity of
any vulnerability found, appropriate patches are applied to the release, and the frequency of patch releases
depends on the severity of the issue. Rubrik makes its best effort to provide fixes for critical vulnerabilities
as soon as it is feasible.
Patches are presented through the Rubrik Support Portal (https://www.rubrik.com/support/). Access to
upload patches to the support portal is granted to the Rubrik Support Operations team.
All distributed binaries are signed by authorized personnel, and the upgrade process fails if the signatures
do not match. Patches are made available for download using the support portal and can be applied using
the Rubrik CDM command line interface (CLI). Each patch comes with release notes that explain the
vulnerabilities and includes information about the fixes.

Support tunnel authentication


The Rubrik support tunnel is a connection that provides Rubrik support with a secure method to remotely
access and diagnose a Rubrik cluster.
Support tunnels can be activated and opened only by a customer. Once opened, these support tunnels
have a configurable inactivity timeout, or the customer can close them manually.
On operating systems other than BrikOS or Linux, the node creates a reverse secure shell (SSH) port
forward to the support tunnel relay, which allows the node to open a support tunnel. The SSH traffic
travels over an HTTPS web socket connection on port 443.
When Rubrik Support connects to the Rubrik support tunnel, the support tunnel relay creates a pipe to the
port on the node that is listening over the SSH reverse port forward. This pipe establishes a second SSH
connection. This second SSH connection authenticates using an RSA private key specific to the customer
node. The RSA key is protected by a hardware security module (HSM) at Rubrik headquarters.



Chapter 2
Rubrik cluster accounts

Rubrik cluster accounts

The Rubrik cluster uses local accounts, domain or external accounts, and accounts for API access.
Rubrik cluster accounts include local accounts, domain or external accounts, and accounts for API access.
Local accounts are local to the Rubrik CDM server and are maintained by the local administrator of these
applications. Domain or remote accounts are accounts in an external identity store, such as Microsoft
Active Directory (AD). Domain or remote accounts are maintained outside of Rubrik CDM and are granted
access to operate the application on an individual or group basis. API access is provided by either a local
account or a domain or remote account. Tokens can be used with API access to provide time-limited
access to Rubrik CDM.

Local account security best practices


There are a number of best practices for using local accounts in Rubrik CDM.

Best practices for local accounts

Strong and unique passwords:
Passwords should be sufficiently complex to make them hard to guess or determine with a brute force
attack. Generally, passwords should include a minimum of eight characters, use upper and lower case
letters, and have at least one number and one special character. Rubrik CDM uses the zxcvbn library of
Dropbox to prevent using weak or easily guessed passwords in:
• Bootstrap and setting up the admin user
• Local users, including the admin user
• Archival locations (for example, NFS)
Rubrik recommends using machine-generated long passwords (32 characters or more) for any
administrative user. Enabling Prevent Password Reuse enforces unique password use and prevents old
passwords being reused. Password requirements should be configured to enforce strong and unique
passwords.

Password rotation:
Passwords should be changed every 30 to 90 days to minimize exposure time if a password is
compromised.

Unique passwords across Rubrik clusters or instances:
Each Rubrik cluster should have a unique set of passwords. This is very important to secure any of the
default users such as admin, and it prevents one compromised set of credentials from being used across
multiple systems.

MFA on local accounts:
Rubrik CDM supports multifactor authentication (MFA), allowing the Rubrik cluster to challenge users for
an authentication token. This authentication token is provided by an outside authenticator. MFA blocks
access from an attacker if a user's credentials are compromised.

Default user passwords encrypted and physically sharded:
If MFA cannot be implemented, the default user passwords, such as the one for the admin user, should be
encrypted and sharded. Store the password shards separately. The true admin password should never be
stored in one place. This prevents any of the users or user accounts and passwords from being
compromised and used to attack the system, and provides protection against any single person having
complete access to the local admin account.

Credential storage in a vault or key store:
Any local passwords and archival location credentials used to access Rubrik CDM or an archive should be
stored in a strong and secure vault or key store system. That vault system should be secured by industry
and the vendor's best practices. Features such as MFA, encryption, and a secure location should be used in
case the vault is breached. This will prevent attackers from taking destructive actions against Rubrik CDM
and the archival location.

Separate primary and secondary credential storage:
The administrator level credentials for Rubrik or for any archival locations should not be stored in the same
vault or key store that is used for the primary systems or for storage for archival locations. This limits the
exposure to a single system if an attacker gains access to one vault or key store. These independent
credential storage locations should also have separate credentials.
When possible, the same system administrators should not have access to both the primary and secondary
system credential stores. This can prevent attackers from gaining administrative access to both the primary
and secondary systems.

Auditing and alerting enabled for failed login attempts:
By alerting and logging failed login attempts, administrators are notified of any security breaches that are
in progress. Preventative steps can then be taken to stop any in-progress attacks.

Admin access as an exception and not a rule:
Use of the admin login, or users with full admin privileges, should be restricted to only those operations
that require admin-level access. Limiting the use of these users reduces the chances of their credentials
being intercepted and used by attackers. Day-to-day administration should be done by users with the
lowest level of privileges required to perform their jobs.
For an additional layer of security, the admin user passwords should be sharded and stored separately so
a single person does not have access to all of the shards, providing two-person authentication for
administrative actions.

Local user account lockout settings enabled:
The Rubrik cluster can lock out local users for a period of time if too many failed login attempts are
recorded. By default, this setting is disabled. Enabling this feature and configuring the settings
appropriately prevents brute force attacks on local user accounts. In addition, Rubrik CDM issues
notifications to administrators that an account has been locked out due to multiple failed attempts.
The Configuration section of the Rubrik CDM User Guide describes configuring the local user account
lockout settings.
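The rows above on sharding the admin password (default user passwords encrypted and physically sharded, and admin access as an exception) state the goal but not a mechanism. The following added example is not Rubrik code; it assumes a Shamir threshold scheme over a prime field as the sharding method and uses a constructed sample password, splitting it into three shards so that any two holders, but never one alone, can reconstruct it. Each shard would then be encrypted and stored in its holder's separate vault as the guide recommends.

```python
"""Shard an admin password so that no single person can recover it.

Added example (not from the Rubrik guide). Sharding scheme assumed here:
Shamir secret sharing over the prime field GF(2^521 - 1).
"""
import secrets

# Mersenne prime 2^521 - 1. With a 1-byte sentinel prefix, secrets of up to
# 64 bytes encode to at most 520 bits, so every encoded secret lies in the field.
PRIME = 2**521 - 1
MAX_SECRET_LEN = 64
SENTINEL = b"\x01"  # fixes the byte length so leading zero bytes survive the round trip


def _encode(secret: bytes) -> int:
    if len(secret) > MAX_SECRET_LEN:
        raise ValueError(f"secret longer than {MAX_SECRET_LEN} bytes")
    return int.from_bytes(SENTINEL + secret, "big")


def _decode(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    # A value recovered from too few shards, or from shards of different sets,
    # is effectively a random field element and almost never carries the sentinel.
    if len(raw) > MAX_SECRET_LEN + 1 or raw[:1] != SENTINEL:
        raise ValueError("shards do not reconstruct a valid secret (too few, or mixed sets?)")
    return raw[1:]


def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation of c0 + c1*x + c2*x^2 + ... modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, shares: int):
    """Return `shares` (x, y) shards; any `threshold` of them recover the secret."""
    if not 2 <= threshold <= shares:
        raise ValueError("need 2 <= threshold <= shares")
    # The constant term is the secret; the remaining coefficients are random,
    # so fewer than `threshold` points reveal nothing about the constant term.
    coeffs = [_encode(secret)] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shards) -> bytes:
    """Lagrange-interpolate the sharing polynomial at x = 0 from the given shards."""
    if len({x for x, _ in shards}) != len(shards):
        raise ValueError("duplicate shard")
    total = 0
    for i, (xi, yi) in enumerate(shards):
        num = den = 1
        for j, (xj, _) in enumerate(shards):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return _decode(total)


def distribute_admin_password(password: str, holders, threshold: int = 2):
    """Assign one shard per holder so that `threshold` holders must cooperate."""
    shards = split_secret(password.encode("utf-8"), threshold, len(holders))
    return dict(zip(holders, shards))


if __name__ == "__main__":
    # Constructed sample values; no real credentials or roles are implied.
    custody = distribute_admin_password(
        "constructed-sample-admin-password", ["ops-lead", "security", "escrow"]
    )
    two_people = [custody["ops-lead"], custody["security"]]
    print(recover_secret(two_people).decode())  # any two holders suffice
```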



Domain account security best practices
There are a number of best practices for using Domain or Remote accounts with Rubrik CDM.

Best practices for domain accounts

Domain and remote accounts for application or end user actions:
These include taking manual backups, performing restores, running scripted backups, and generating
reports. Actions such as changing SLA retentions, expiring data, and removing archival locations should
only be performed by local administrative accounts. This practice eliminates the possibility of credentials
from a compromised external identity store being used to disrupt Rubrik operations.
Domain accounts should be restricted by implementing proper role-based access control (RBAC) on them.

RBAC requirements aligned by need:
It is a best practice to identify each group of users that must access the Rubrik cluster, determine the
minimum privileges required, and create RBAC policies that align with these needs. These RBAC policies
must be assigned to the individual or groups of users based on their roles. These policies limit the scope of
any breach of domain credentials by limiting domain users to the specific areas and functions that they
need.

MFA for all domain accounts:
If domain accounts will be used directly with the Rubrik cluster, multifactor authentication (MFA) should be
configured. Enabling MFA for domain accounts causes the Rubrik cluster to challenge the user for
additional information from the MFA system after supplying their username and password, providing an
additional layer of security if domain account credentials are compromised.

Upstream MFA with the SSO provider with SAML:
MFA is enabled with the upstream single sign-on (SSO) provider when external identity providers are used
with Rubrik CDM configured for Security Assertion Markup Language (SAML) integration, providing an
additional layer of security if the SSO credentials are compromised.

Target replication clusters not enrolled in Active Directory or LDAP:
For Rubrik clusters participating in replication, the replication target cluster should not be enrolled in the
same Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) domain as the source cluster.
This protects the replicated Rubrik cluster from compromised domain credentials being re-used to attack it.
Instead, the target replica Rubrik cluster should be secured using local accounts with strong
authentication, as recommended in Local account security best practices. Alternatively, domain accounts
from a separate AD or LDAP domain can be used with the restrictions discussed in this topic. The separate
AD or LDAP domain cannot share the same credentials as the primary domain.

Rubrik cluster default accounts

The Rubrik cluster includes a number of default accounts.

Account name    Description
IPMI user       Intelligent Platform Management Interface (IPMI) user with standard privileges.
IPMI admin      IPMI user with administrator privileges.
rksupport       The highest privileged system user account in the Rubrik cluster.
                Improper use of this account can render Rubrik nodes, or the entire Rubrik cluster,
                unusable. This account should be used only for specific troubleshooting steps or system
                configuration changes under Rubrik Support supervision. Any use of the rksupport account
                other than under the supervision of Rubrik Support is at the customer's risk, and the
                customer is responsible to pay for any services needed to repair damage caused by this
                use.
adminstaging    Account with access to the staging directory for copying the upgrade package to the
                cluster.
user default    Various user accounts created for access to the Rubrik cluster.

Rubrik cluster accounts 04/28/2022 | 12

IPMI in the Rubrik cluster


The Rubrik cluster supports the Intelligent Platform Management Interface.
The Intelligent Platform Management Interface (IPMI) allows users to access nodes as if they have
physical access to the machines, which allows for a substantial level of hardware management. It is
important to keep the IPMI interface secure by changing the password from the default setting.
Rubrik IPMI functionality can be accessed by using any of these methods:
• HTTPS connections on port 443
• IKVM (Java for .Net)
• Virtual Media (media in remote drives)
• SSH
The Web UI is used to control which of these external services can access IPMI functionality. For SSH,
Rubrik approves using the following command line utilities:
• ipmitool
This can be downloaded from http://openipmi.sourceforge.net.
• IPMIView
This can be downloaded from https://www.supermicro.com/products/nfo/SMS_IPMI.cfm.
Rubrik supports the following IPMI actions:
• Logging in and logging out as the default admin user.
• Viewing and exporting events from the IPMI event log. These events are distinct from the user events
described in User audit log.
• Viewing sensor data.
• Performing power management actions: powering down, powering up, power cycle, resetting,
gracefully shutting down, cold reset, blinking the UID LED, and displaying power consumption.
• Changing the IPMI password.
• Enabling a serial-over-LAN text console.
• Enabling a KVM console.
• Taking readings on field-replaceable units.



IPMI security
IPMI security requires special considerations for usernames, passwords, and port numbers.
Using IPMI securely requires that the default username and password are secure and there are no
unnecessary services that can access IPMI ports.
IPMI should run on an isolated network.
The IPMI ADMIN's password changes to match the local admin user's password during the bootstrap. Long
local admin passwords are trimmed to a length of 20 characters to match the 20-character limitation of the
IPMI password. However, the actual Rubrik password a user inputs is unchanged.
The Rubrik cluster does not store changed passwords. The password must be re-entered after adding a
new node so that the newly added node has the same password.
Cassandra stores the service configuration, so newly added nodes have the same configuration as the
other nodes.

Rubrik cluster default port numbers


The Rubrik cluster includes a number of default port numbers for open services.

Service Port number


HTTP 80
HTTPS 443
IKVM 5900
VirtualMedia 623
SSH 22
WS_Management 5985

Configuring strong passwords for IPMI


Use the Rubrik CDM web UI to assign a strong password to the IPMI.

Context
The Rubrik node hardware includes a baseboard management controller (BMC) that can be used to
perform Intelligent Platform Management Interface (IPMI) tasks.
The Rubrik CDM web UI helps to assign a strong password and control access to the IPMI interface on all
nodes in the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click IPMI Credentials.
The Configure IPMI page appears.
4. Select one of the following external services to access IPMI.
• HTTPS
• IKVM (Java for .Net)
5. Click Update.
6. Click IPMI Password.



The Update IPMI password page appears.
7. In Password, type a secure password.
The password can be from 5 to 16 extended ASCII printable characters. Secure the password in a safe
location.
8. In Re-Enter Password, type the password again.
9. Click Update.

Result
The Rubrik CDM web UI assigns a strong password and controls access to the IPMI interface on all nodes
in the Rubrik cluster.

Changing the IPMI admin user password from IPMIView


Add additional security by changing the IPMI admin user password with the IPMIView GUI.

Context
Perform these steps on all nodes of the Rubrik cluster.

Procedure
1. Download and install the IPMIView utility.
The IPMIView utility is available at https://www.supermicro.com/products/nfo/SMS_IPMI.cfm.
2. Log in to the Rubrik cluster node.
Connect to the Rubrik cluster node using the IPMIView utility as the ADMIN user with its current password.
3. Click the Users tab.
4. Click Change Password.
5. Type the new password and click OK.

Result
The IPMIView GUI changes the IPMI admin user password.

Changing the IPMI admin user password using ipmitool


Add additional security by using the ipmitool command line utility to change the password for the IPMI
admin user.

Context
Changing the password for the Intelligent Platform Management Interface (IPMI) admin user using the
ipmitool command line utility provides additional security. Linux computers must have LAN or IP access to
the same IPMI network to which the Rubrik IPMI ports are connected.
The ipmitool utility includes complete online syntax descriptions.
Perform these steps on all nodes of the Rubrik cluster.

Procedure
1. Connect to the Rubrik cluster node using SSH.
2. At the command line, type this:

ipmitool -I lanplus -H Rubrik_IPMI_IP_address -U ADMIN -P current_ADMIN_password user list



The list of users should contain a single user, ADMIN, with an ID value of 2.
3. Enter and confirm the new password.

Result
The ipmitool changes the IPMI user password.

Changing the IPMI admin user password from the motherboard


Add additional security by using ipmitool on the motherboard to reset the password without accessing the
network.

Context
Perform these steps on all nodes of the Rubrik cluster to reset the password without accessing the
network.
The ipmitool utility includes complete online syntax descriptions.

Procedure
1. Log in to the Rubrik cluster node.
2. Type this command to verify there is a single ADMIN user with an ID value of 2.
sudo ipmitool user list
The list of users should contain a single user, ADMIN, with an ID value of 2.
3. Type this command to reset the password.
sudo ipmitool user set password 2 new_password
4. Enter the new password.

Result
The ipmitool changes the IPMI user password.
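Both ipmitool procedures above rely on the same check: the user list should hold a single user, ADMIN, with ID 2. The following Python script is an added example, not Rubrik tooling; it parses the text that ipmitool user list prints and reports any deviation from that expected state, so the check can be run as a periodic audit across nodes. The two sample outputs are constructed for the example, not captured from a node.

```python
"""Audit `ipmitool user list` output against the state the guide expects."""
import re
from dataclasses import dataclass

# Constructed samples in the `ipmitool user list` layout (not captured from a
# real node). The first is the expected state; the second contains an extra
# named account that an administrator should investigate.
EXPECTED_OUTPUT = """\
ID  Name\t     Callin  Link Auth\tIPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      false      ADMINISTRATOR
3                    true    false      false      NO ACCESS
"""

UNEXPECTED_OUTPUT = """\
ID  Name\t     Callin  Link Auth\tIPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   ADMIN            true    false      false      ADMINISTRATOR
3   svc_backup       true    false      false      OPERATOR
"""


@dataclass
class IpmiUser:
    uid: int
    name: str      # empty string for an unused slot
    priv: str      # channel privilege limit, e.g. ADMINISTRATOR or NO ACCESS


# A data row: numeric ID, optional name, three true/false columns, privilege text.
# The three booleans anchor the match so an empty name column parses correctly.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S*?)\s*(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$"
)


def parse_user_list(text: str) -> list[IpmiUser]:
    """Return one IpmiUser per data row; the header line does not match."""
    users = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            users.append(IpmiUser(int(m.group(1)), m.group(2), m.group(6)))
    return users


def audit_user_list(text: str) -> list[str]:
    """Return findings; an empty list means the node matches the expected state."""
    users = parse_user_list(text)
    named = [u for u in users if u.name]
    findings = []

    admins = [u for u in named if u.name == "ADMIN"]
    if len(admins) != 1:
        findings.append(f"expected exactly one ADMIN user, found {len(admins)}")
    elif admins[0].uid != 2:
        findings.append(f"ADMIN has ID {admins[0].uid}, expected 2")

    # Any other named account was not created by the bootstrap and needs review.
    for u in named:
        if u.name != "ADMIN":
            findings.append(f"unexpected IPMI account {u.name!r} (ID {u.uid}, {u.priv})")

    # An unnamed slot that still carries a privilege is also worth a look.
    for u in users:
        if not u.name and u.priv != "NO ACCESS":
            findings.append(f"unnamed slot {u.uid} has privilege {u.priv}")
    return findings


if __name__ == "__main__":
    for label, sample in (("expected", EXPECTED_OUTPUT), ("unexpected", UNEXPECTED_OUTPUT)):
        print(label, audit_user_list(sample) or "OK")
```

On a node, feed the script the real output, for example sudo ipmitool user list | python3 audit.py with sys.stdin.read() in place of the constructed samples.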

Replacing IPMI certificates for HTTPS access


IPMI has its own self-signed certificates that need to be replaced with properly signed (and trusted)
certificates. Certificates also need to be replaced if they have expired.

Context
Perform these steps to replace the IPMI self-signed certificates with properly signed certificates.
Use the ipmitool to retrieve the IPMI address. The ipmitool utility includes complete online syntax
descriptions.

Procedure
1. Access the IPMI with HTTPS from the browser using this syntax:

https://IPMI_ADDRESS

2. Log in to the site.


3. Click SSL Certification.
4. Browse to the certificate location.
5. Upload the private key and certificates.



Result
The certificates are replaced.



Chapter 3
Automation on a Rubrik cluster

Automation on a Rubrik cluster

Rubrik cluster includes automation for user accounts, authentication mechanisms, and storing credentials.
Each automation task includes a user account. This account should be assigned to a custom role that
provides only the privileges required to successfully execute the automation. The user account should not
have any data expiry or SLA change and deletion permissions. This ensures that any damage to the Rubrik
cluster is minimized if the credentials for the user account are compromised.
Token authentication is the preferred authentication mechanism for connecting to a Rubrik cluster.
Although the Rubrik CDM API supports both basic and token authentication, token authentication is preferred
when connecting to a Rubrik cluster programmatically because a token can easily be deleted without affecting
the user account if it is leaked, compromised, or no longer needed. Token-based API authentication is
mandatory for time-based one-time password (TOTP) multifactor authentication (MFA).

Storing credentials securely


Caution needs to be practiced while storing Rubrik cluster credentials to prevent unauthorized use.
Storing credentials with caution prevents users from accidentally uploading the credentials to version
control software and ensures that a mechanism does not exist for an unauthorized user to find the
credentials.
Ideally, a strong and secure vault or key store system is preferred to access the Rubrik cluster credentials
dynamically. The secure vault or key store system should also regularly automatically rotate the API token.
Although not equally secure, credentials can also be stored as environment variables and can be accessed
dynamically when the automation task executes.



Chapter 4
Access control

Access control

Access control guarantees that users are who they say they are and that they have the appropriate access
to company data.
The Rubrik cluster authenticates Rubrik cluster user accounts at login. Authentication verifies that the user
account is known to the Rubrik cluster and that the correct user account credentials were provided, or a
valid digital user certificate is used. After authentication, the Rubrik cluster uses the role and privileges
assigned to the user account to determine what actions are permitted during the session.

User or group account roles


Each user or group account has the administrator, end user, or no access role associated with it.
The Rubrik cluster enables a set of privileges for each role for the duration of a session on the Rubrik
cluster.

Role Privileges
Administrator Full access to all Rubrik operations on all objects.
End user Access to assigned objects and the ability to browse
snapshots, recover files, and perform live mounts.
No access Cannot log in to Rubrik web UI and cannot make
REST API calls.

A local user account is automatically assigned the no access role when it is first created. An administrator
must change this role to either an end user or administrator role to activate this account and grant a set of
privileges. Lightweight Directory Access Protocol (LDAP) directory accounts must also be activated before
they can access the Rubrik cluster.
The resources in a Rubrik cluster can be partitioned into independently managed collections known as
tenant organizations. Users in tenant organizations have privilege levels that are managed by users with
the organization admin role.

Local authentication
Local authentication methods control access to local accounts on the Rubrik cluster.
For local authentication, the Rubrik cluster stores each local user’s username in a database. The Rubrik
cluster uses that information along with the user’s password to authenticate a login. By default, the Rubrik
cluster requires passwords to be of at least eight characters. Rubrik clusters do not support passwords
longer than 1000 characters.
For local user accounts, a more stringent password strength checker is available, which is based on the
zxcvbn algorithm.



Related Concepts
Strong passwords
If a Rubrik cluster has the zxcvbn password strength checker enabled, passwords for local users will be
checked against the zxcvbn criteria for a strong password.

Strong passwords
If a Rubrik cluster has the zxcvbn password strength checker enabled, passwords for local users will be
checked against the zxcvbn criteria for a strong password.
The zxcvbn algorithm estimates the strength of a password by measuring its entropy. Entropy is a measure
of randomness and unpredictability that indicates how difficult it is to guess a particular password.
Recognizable character patterns have low entropy and require very little computing power to guess.
Character strings that can only be guessed by trying every possible character combination have high
entropy and take much longer to guess.
Examples of passwords and character patterns that are easy to guess include:
• Single words that can be found in a dictionary.
• Common passwords, such as passw0rd, letmein, or abc123.
• Repeated characters, such as aaaa or 2222.
• Character sequences, such as abcd or 1234.
• L33t speak, where numbers and symbols are used in place of letters; for example, 3 for e, @ for a, and
$ for s.
• Spatial patterns, which correspond to adjacent keys on a keyboard, such as qwerty or ujm.
The zxcvbn algorithm parses a password and identifies distinct pattern segments that can be guessed by
different password guessing methods. The algorithm then calculates the entropy for each segment, and
correlates that to the time it would take to guess the pattern.
The following table shows the pattern matching methods used by the zxcvbn algorithm and the resulting
entropy calculations for the password Rom#16:22GreetYou. Where the algorithm cannot find a pattern
match for a particular segment, the pattern is listed as None.

Password segment Pattern Entropy


Rom Dictionary 11.513
# None 5.044
16 Regex 6.644
: None 5.044
22 Repeat 4.322
Greet Dictionary 13.337
You Dictionary 1

The entropy calculated for the entire password is the sum of the entropies for each segment plus the
configuration entropy. Configuration entropy refers to the additional entropy introduced by the number of
password segments and the way they are arranged.

Note: Passwords that would be considered strong by a traditional Lowercase Uppercase Digit Symbol
(LUDS) strength estimator might be rejected as too weak by zxcvbn.
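The table and the note above can be reproduced with a small model of how zxcvbn scores each segment: the entropy of a segment is log2 of the number of guesses the matching method needs. The following Python is an added example, not the zxcvbn library or Rubrik code. The per-pattern formulas are a simplified reading of the classic zxcvbn model (an assumption), the segmentation of Rom#16:22GreetYou is taken from the table as given rather than computed, and the dictionary ranks are constructed so the example runs offline; a real checker derives ranks from word lists.

```python
"""Per-segment entropy in the style of the zxcvbn model, plus a LUDS comparison."""
import math

# Brute-force alphabet sizes used when no pattern is recognised (assumption:
# digits 10, printable symbols 33).
SYMBOL_CARDINALITY = 33
DIGIT_CARDINALITY = 10

# Constructed ranks: a lower rank means a more common word. "you" is rank 1,
# which is why the table scores "You" at 1 bit (log2(1) plus the capital bonus).
DICTIONARY_RANK = {"rom": 1461, "greet": 5173, "you": 1, "password": 2}

# Segmentation from the table in the guide: (segment, pattern).
SEGMENTS = [
    ("Rom", "dictionary"),
    ("#", "none"),
    ("16", "regex"),
    (":", "none"),
    ("22", "repeat"),
    ("Greet", "dictionary"),
    ("You", "dictionary"),
]

# Constructed segmentation of a password that a LUDS checker accepts.
WEAK_SEGMENTS = [("Password", "dictionary"), ("1", "regex"), ("!", "none")]


def dictionary_entropy(segment: str) -> float:
    # guesses = rank of the word; a leading capital doubles the search space (+1 bit)
    rank = DICTIONARY_RANK[segment.lower()]
    capital_bonus = 1 if segment[0].isupper() and segment[1:].islower() else 0
    return math.log2(rank) + capital_bonus


def bruteforce_entropy(segment: str, cardinality: int) -> float:
    # every position can be any of `cardinality` characters
    return math.log2(cardinality ** len(segment))


def repeat_entropy(segment: str, cardinality: int) -> float:
    # a run of one repeated character: choose the character, then the run length
    return math.log2(cardinality * len(segment))


def digits_regex_entropy(segment: str) -> float:
    # a plain digit string matched by the digits regex: 10 choices per position
    return math.log2(DIGIT_CARDINALITY ** len(segment))


def segment_entropy(segment: str, pattern: str) -> float:
    if pattern == "dictionary":
        return dictionary_entropy(segment)
    if pattern == "repeat":
        return repeat_entropy(segment, DIGIT_CARDINALITY)
    if pattern == "regex":
        return digits_regex_entropy(segment)
    return bruteforce_entropy(segment, SYMBOL_CARDINALITY)   # pattern "none"


def total_entropy(segments) -> float:
    """Sum of the per-segment entropies, before configuration entropy is added."""
    return sum(segment_entropy(s, p) for s, p in segments)


def luds_score(password: str) -> int:
    """Traditional LUDS check: how many of lower/upper/digit/symbol appear (max 4)."""
    return sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))


if __name__ == "__main__":
    for s, p in SEGMENTS:
        print(f"{s:6} {p:10} {segment_entropy(s, p):7.3f}")
    print("sum of segments:", round(total_entropy(SEGMENTS), 3))
    # Both passwords score 4/4 on LUDS, but the entropy model separates them.
    print("LUDS Rom#16:22GreetYou:", luds_score("Rom#16:22GreetYou"),
          "LUDS Password1!:", luds_score("Password1!"),
          "bits Password1!:", round(total_entropy(WEAK_SEGMENTS), 3))
```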



Guidelines for choosing a strong password
When choosing a password, the goal is to make it difficult to guess but easy to remember.
The following characteristics make a password difficult to guess, but easy to remember:
• Long strings of dictionary words that are not commonly combined in a sequence, such as
CorrectHorseBreadStaple. Rubrik clusters do not support passwords longer than 1000 characters.
• Unexpected caPitalizAtion.
• Numbers at the beginning or middle of the password, or distributed throughout the password.
• A series of short keyboard patterns with lots of turns.
A turn corresponds to a change of direction on the keyboard from one character to the next. A turn can
also refer to the “gap” between pattern segments in the password.

The zxcvbn password strength checker


REST API commands can check whether the zxcvbn password strength checker is in effect and can enable it
for more stringent password checking. The GET command reports whether the Rubrik cluster is using the
zxcvbn password strength checker to validate passwords.

GET /cluster/{id}/security/password/zxcvbn

The POST command can enable the zxcvbn password strength checker.

POST /cluster/{id}/security/password/zxcvbn

LDAP authentication
The Rubrik cluster uses LDAP to authenticate users who log in through the Rubrik CDM web UI welcome
screen.
The Rubrik cluster connects to one or more Lightweight Directory Access Protocol (LDAP) servers through
a service or bind account with read access. This account enables the Rubrik cluster to search information
about the user, such as email address and group membership. A base distinguished name (DN) will narrow
the search to a specific location within the LDAP directory tree. Search filters will identify specific groups or
users to further narrow the search.
The Rubrik CDM web UI requests LDAP server information in three stages:
• Credentials – Establishes the starting point of an LDAP directory search for a user who is trying to log in
to the Rubrik cluster.
• Servers, User and Group Settings – Servers require a list of one or more LDAP servers to search, and
user settings specify how Rubrik determines who is a user, and what attributes to use when mapping
users to the respective LDAP directory.
• Multifactor Authentication – Adds one or more factors to the basic authentication process, which
prevents unauthorized users from accessing the Rubrik cluster.
The Rubrik cluster uses the user management system to control authorization for authenticated users.
Related Concepts
LDAP Credentials

LDAP Credentials establish the starting point of an LDAP directory search for a user who is trying to log in
to the Rubrik cluster.
LDAP Servers
The Rubrik cluster requires a list of one or more LDAP servers for connection security.
Related Tasks
Enabling multifactor authentication
Configure multifactor authentication requirements for LDAP users.

LDAP Credentials
LDAP Credentials establish the starting point of an LDAP directory search for a user who is trying to log in
to the Rubrik cluster.
The Rubrik cluster uses the parameters shown in the following table to search for information about
an authenticated user in the Lightweight Directory Access Protocol (LDAP) directory structure and to
authenticate a user. The LDAP or Active Directory administrator can suggest the actual values to use.

Parameter                      Description
Domain or Domain Display Name  Name used by the Rubrik cluster when referring to this LDAP integration.
                               Users can enter this name for the Domain when logging in on the welcome
                               screen. Domain Display Name can be an alias for the domain that is easier
                               to remember than the full domain name. This information is not case
                               sensitive.
Base DN                        Indicates where to begin searching within the LDAP tree. If not specified,
                               the Rubrik cluster will begin searching at the root (defaultNamingContext).
Bind DN or Username            User with read privileges that can be used to search the LDAP directory to
                               obtain information such as group membership.
Password                       Password for the account entered as the Bind DN or Username.
CA Certificates                A .PEM format X.509 certificate is used either to validate an explicitly
                               chosen TLS-capable LDAP server, or when the LDAP server offers support for
                               StartTLS.

The Rubrik cluster supports multiple LDAP domains; however, when a user provides a Domain or Domain
Display Name in the login screen, only that domain is searched for the user’s credentials.
The Rubrik cluster uses the LDAP information for authentication on the local Rubrik cluster only. To enable
LDAP authentication on another Rubrik cluster, log in to that Rubrik cluster and provide the required
information.
When an LDAP server cannot be reached, the Rubrik cluster rejects logins that authenticate against that
server. Until an LDAP server becomes available, the Users and Groups page will not show authorization for
any LDAP users or groups associated with that server.

Note: Unlike the Rubrik web UI, the Rubrik REST API does not authenticate using the Domain Display
Name value. For LDAP authentication through the Rubrik REST API, the server searches through all LDAP
users in the Organization.

LDAP Servers
The Rubrik cluster requires a list of one or more LDAP servers for connection security.
Lightweight Directory Access Protocol (LDAP) servers can be specified in two ways:
• Dynamic DNS name
• IP or hostname along with the associated port for each LDAP server
The Rubrik cluster first tries to connect to a specified LDAP server. If LDAP servers are not specified, or
if they are not responsive, the Rubrik cluster next tries to discover Global Catalog servers that correspond
to the dynamic DNS name by resolving DNS SRV records for _gc._tcp.dynamic_DNS_name. If no Global
Catalog servers are found, the Rubrik cluster tries to resolve DNS SRV records for
_ldap._tcp.dynamic_DNS_name.
If the discovered servers are active on port 686 (for LDAP) or port 3269 (for Global Catalog), the Rubrik
cluster automatically chooses secure LDAP using Transport Layer Security (TLS). If the LDAP servers
support StartTLS, the Rubrik cluster automatically chooses StartTLS.

Note: If the field is empty, the Rubrik cluster is forced to connect using only the dynamic DNS name.

Enabling multifactor authentication


Configure multifactor authentication requirements for LDAP users.

Context
Multifactor authentication for Lightweight Directory Access Protocol (LDAP) users is configured per
directory as part of the LDAP directory configuration. To enforce multifactor authentication globally,
enable Time-based One-time Password (TOTP) globally, which applies to all LDAP and local users.

Procedure
1. (If at least one RSA SecurID server has been configured) Select the RSA SecurID server to use for
multifactor authentication.
2. Click Add.

Result
The LDAP users are configured for multifactor authentication.



Chapter 5
Access restrictions with authentication

Access restrictions with authentication

The Rubrik cluster provides local, LDAP and SAML/SSO authentication for Rubrik cluster user accounts.
Authentication restricts access to a specified set of users. Robust authentication prevents third parties from
representing themselves as legitimate users. Rubrik clusters support authentication with local usernames
and passwords as well as through Active Directory.
For local authentication, the Rubrik cluster validates the username and password typed in the login fields
against values in a database on the Rubrik cluster. When the login information matches a user account in
the database, the Rubrik cluster creates a session and assigns the role and privileges of the user account
to the session.
For LDAP authentication, the Rubrik cluster determines whether to create a session by authenticating the
username and password typed in the login screen with an available LDAP directory server.
The Rubrik cluster attempts to authenticate the user account against the specified domain if a domain
or domain display name is specified during login. If the Rubrik cluster does not recognize the specified
domain, or if the user’s credentials are not valid for that domain, the login fails.
If the domain or domain display name field on the login screen is left empty, the Rubrik cluster searches
the local directory until it finds the username. If a match is not found in the local directory, the Rubrik
cluster searches all available LDAP domains. If a match is found, the Rubrik cluster assigns the role and
privileges of the user account to the session.
Most REST API endpoints accept Basic and Token (Bearer) types of authorization.

Authentication methods
The Rubrik cluster uses a variety of authentication methods.

This table describes the similarities and differences between the authentication methods.

Action performed: What roles are available for users?
  Local account: Administrator; No Access
  LDAP: Administrator; User with custom roles; No Access

Action performed: Is the local admin account created during installation?
  Local account: Yes. The admin user account has the username ‘admin’ and the Administrator role. The
  admin user account cannot be deleted or modified except to change the password. The password of the
  admin user account in the Rubrik CDM web UI matches the password of the admin account in the Rubrik
  CLI.
  LDAP: The admin account is not created by the Rubrik cluster.

Action performed: Modified view for accounts with the end user role?
  Local account: Rubrik cluster modifies the Rubrik CDM web UI view to show only the resources
  applicable to the assigned privileges.
  LDAP: Rubrik cluster modifies the Rubrik CDM web UI view to show only the resources applicable to
  the assigned privileges.

Action performed: Display accounts with the No Access role?
  Local account: Yes
  LDAP: No

Action performed: Performs group authentication?
  Local account: No
  LDAP: Yes. Users log in using the credentials of a user account who is a member of the group. The
  Rubrik cluster combines the privileges of the user account for the session with the privileges of all
  the groups to which the user belongs.

Action performed: Can the accounts delete other accounts?
  Local account: Yes. Requires the Administrator role. Once deleted, the account is removed from the
  list of users and groups.
  LDAP: No. An administrator can change the role of an account to No Access to hide the account in the
  Rubrik CDM web UI, but the account will not be deleted on the LDAP server.

Action performed: Can the accounts create new accounts?
  Local account: Yes. Users create new user accounts by adding the usernames, email addresses, and
  passwords. After creating a new user account, the account has a No Access default role.
  LDAP: No. All group and user accounts must be activated before they can access the Rubrik cluster.
  The UI allows searches for a group account or user account and changes to the role to activate the
  account.

Action performed: Can the accounts change an account role?
  Local account: Accounts with the Administrator role can change the role of any other account,
  except the local admin user account. If an account’s role is changed to end user, at least one
  privilege must be assigned.
  LDAP: Accounts with the Administrator role can change the role of any other account, except the
  local admin user account. If an account’s role is changed to an end user, at least one privilege
  must be assigned.

Action performed: Can the accounts assign end user privileges?
  Local account: Requires Administrator role. After creating an account, change the account role to
  assign privileges.
  LDAP: Requires Administrator role. Change the user account role to assign privileges.

Action performed: Can the accounts modify end user privileges?
  Local account: Requires Administrator role.
  LDAP: Requires Administrator role.

Action performed: Can the accounts modify account information?
  Local account: Requires Administrator role. Changes to email addresses and passwords are permitted.
  LDAP: No. Account information is controlled through the LDAP directory.

Viewing authentication and authorization information


The Rubrik cluster provides authentication and authorization information for accounts on the Users and
Groups page.

Procedure
1. Log in to the Rubrik CDM web UI as an admin user or a user with the Administrator role.
2. Click the gear icon.
3. Click Users.

Result
The Users and Groups page appears where you can view the authentication and authorization information
for accounts.

User and group information


The Users and Groups tab lists the local user accounts and the LDAP user and group accounts.
The Users and Groups tab lists the following information:
• Directory (either local or the name of the LDAP directory) where user credentials are stored
• Username
• Email
• Description
• Roles assigned to each account
• Status
The Rubrik cluster displays local user accounts with the no access role in the Rubrik CDM web UI. However,
the Rubrik cluster does not display LDAP user accounts with the no access role.

Least privileged access


Least privileged access is a practice to limit security risks and potential attacks.
The principle of least privileged access limits a user's freedom and scope of access to the production,
remote, and archival domains. This security practice ensures that a single user does not have
administrative rights to all three domains, which limits security risk and exposure and reduces the number
of potential attack vulnerabilities.



Least privileged access for cloud archival
Least privileged access is a practice that ensures security to cloud archival.
The principle of least privileged access ensures that, if the credentials are compromised for the archival
location, the attacker cannot access the entire cloud environment with the compromised credentials since
the user does not have the privileges required to move up to the more restricted levels of the system.
The Rubrik cluster allows access to the cloud archival location to users with the minimum privileges needed
for both write and read operations. This concept also applies to creating dedicated security principals for
individual buckets or archives.

User management with role-based access control


Rubrik supports role-based access control for the data protection plane and the cluster plane.
Leveraging role-based access control (RBAC) allows the Rubrik cluster to enforce the principle of least
privileged access, ensuring that end users work in the data plane with limited access, and administrators
work in the cluster plane.
Rubrik CDM includes templates for Custom Role and Infrastructure Admin, which can be customized to use
the required permissions for the roles on the system.
The Custom Role template defines access to data plane operations for managing protection, recovery, and
data source management.
The Infrastructure Admin role template defines privileges for working with the Rubrik cluster system but
denies backup, restore, and policy creation and deletion privileges from the role. Use the Infrastructure
Admin role to separate the infrastructure operations from data plane operations for scoping limited access
accounts.
The Rubrik cluster uses three roles to categorize user privileges: Administrator, End User, and No Access.
This table describes the privileges the Rubrik cluster enables based on the role of the user account that is
used to log in.

Role Privileges
Administrator role, including the read-only admin All privileges.
role and the infra admin role
End User role Specified privileges only. Included with versions of
Rubrik CDM earlier than 5.2.1.
No Access role No privileges and cannot start a web UI session.

After the initial cluster setup, assign roles to local or Active Directory user accounts according to the
privileges those user accounts require.

Basic session authentication


Basic authentication is a method for authorizing a session and sends a key-value pair in the request header
that contains the credentials necessary to use a RESTful method.
Basic authentication is a simple method for authorizing a session and is often used for short-lived and ad-
hoc requests. For example, a monitoring solution that is infrequently gathering data from an API resource
will often use basic authentication to gather the needed data. Additionally, you may wish to retrieve some
administrative cluster information - such as the cluster status or network topology - to answer an ad-hoc
question from a colleague.
This is similar in nature to sending a username and password to authenticate against any other session-
based request; the server checks to ensure that you, the user, have the appropriate permissions and role
required to access the desired resources.

Generating a header for basic session authorization


You can generate a header for basic session authorization.

Procedure
1. Encode the string "{username}:{password}" using Base64.
Where {username} is the actual username and {password} is the actual password. The colon between
username and password is required, even if there is no password. Encode only that string; a trailing
newline (for example, one added by an echo command) becomes part of the credential and makes it invalid.
In this example, the username is "SpongeBob" and the password is "SquarePants".

"SpongeBob:SquarePants" is the plain text string

"U3BvbmdlQm9iOlNxdWFyZVBhbnRz" is the Base64-encoded string

2. Prefix this string with the word Basic, resulting in "Basic {base64_value}".

"Basic U3BvbmdlQm9iOlNxdWFyZVBhbnRz"

Result
A header with the key Authorization is created, storing the previous string as its value.

"Authorization: Basic U3BvbmdlQm9iOlNxdWFyZVBhbnRz"
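As an added example (not code from the Rubrik guide), the Python below builds the Basic header for the procedure above and parses one back, which is useful when checking what a script or proxy actually sends. It also shows why only the bare "{username}:{password}" string may be encoded: a value that carries a trailing newline, as produced by echo without -n, is rejected because it can never match an account.

```python
import base64
import binascii


def basic_auth_header(username: str, password: str) -> dict:
    """Build the Authorization header for basic session authentication.

    Value is "Basic " + base64("{username}:{password}"). The colon is required
    even when the password is empty, and nothing else (in particular no newline)
    may be part of the encoded string.
    """
    if ":" in username:
        # The server splits on the first colon, so a colon in the user-id is ambiguous.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def parse_basic_auth_header(value: str):
    """Inverse of basic_auth_header: return (username, password), or None if malformed.

    Rejects a wrong scheme, invalid or unpadded Base64, a missing colon, and any
    control character (such as a stray newline) inside the decoded credential.
    """
    scheme, _, encoded = value.partition(" ")
    if scheme != "Basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if any(ord(ch) < 0x20 for ch in decoded):
        return None
    user, sep, pw = decoded.partition(":")
    if not sep:
        return None
    return user, pw


if __name__ == "__main__":
    hdr = basic_auth_header("SpongeBob", "SquarePants")
    print(hdr["Authorization"])                     # Basic U3BvbmdlQm9iOlNxdWFyZVBhbnRz
    print(parse_basic_auth_header(hdr["Authorization"]))
    # Encoding "SpongeBob:SquarePants\n" (echo without -n) gives a value that parses to None:
    print(parse_basic_auth_header("Basic U3BvbmdlQm9iOlNxdWFyZVBhbnRzCg=="))
```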

Session token authentication


Token authentication is a popular method for managing session authorization, especially across public
cloud services.
Compared with more basic authentication methods, token authentication is more manageable and passes
stricter security requirements for tooling and configuration management.
Instead of using the credentials of a user, a token is used to represent the session of that user. The
user’s permissions, role, and scope remain tied to the user account itself with the token being used for
authentication purposes. These are helpful for services that need to programmatically call upon the API
and can be invalidated if leaked, breached, or no longer needed without adversely affecting the user
account.
The Rubrik cluster uses the concept of an API Token to map to the token authentication model for tasks
such as automated workflows, script authentication, and multifactor authentication (MFA).
The header value for an API token looks similar to that of basic authentication, except that the word Basic
is replaced with Bearer and the value is the API token, not a Base64-encoded username and password. For
example:

Authorization: Bearer joiN2NiNGIyN

Secure API token architecture
Sessions and API tokens are globally available from any node within the Rubrik cluster and can survive
node failures, restarts, and upgrades.
The Rubrik cluster maintains session details in a distributed session table to make the tokens globally
available. This table holds the userId as the partition key and the token as the clustering key. Tokens are
generated as JSON Web Tokens (JWT), an open standard (RFC 7519) that defines a compact and self-
contained way for securely transmitting information between parties as a JSON object. The tokens are
digitally signed using the HMAC-SHA256 algorithm.
• SHA-256 is a cryptographic hash function that generates a 256-bit hash for text.
• Hash-based Message Authentication Code (HMAC) is a piece of information used to authenticate a
message, confirming the integrity and authenticity of the message.
When a token expires, it is deleted rather than archived, because deletion is the more logical action for
tokens that are meant to be transient. For the same reason, sessions may be created and deleted at high
frequency.
Rubrik’s API tokens have additional layers of security applied to them, such as following a “View On
Create” philosophy that ensures the token value is only visible when creating it. Once created, the only
possible future action is to delete the token.
The following requests are not available to API tokens for enhanced security:
• Updating or deleting any multifactor authentication (MFA) servers.
• Creating new sessions or generating additional API tokens.
• Creating new user accounts or updating user account information.
• Updating user preferences.
• Creating, updating, or deleting Lightweight Directory Access Protocol (LDAP) services.
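The following Python is an added illustration of the token model described above, not Rubrik's implementation: it issues an HS256 (HMAC-SHA256) JWT with an expiration claim, verifies one, and keeps a small in-memory table keyed by user ID in which expired tokens are deleted rather than archived. The secret, user ID and claim names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7519 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(secret: bytes, user_id: str, ttl_seconds: int, now=None) -> str:
    """Create an HS256-signed JWT for user_id that expires ttl_seconds from now."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    # The HS256 signature is HMAC-SHA256 over "header.payload".
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(secret: bytes, token: str, now=None):
    """Return the claims if the token is genuine and unexpired, otherwise None.

    Order of checks: three segments; header alg is exactly HS256 (so "none" or
    another algorithm is refused); HMAC matches, compared in constant time; and
    an integer exp claim that lies in the future.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad Base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if claims["exp"] <= now:
        return None
    return claims


class SessionTable:
    """In-memory stand-in for the distributed session table: userId -> set of tokens."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._rows = {}

    def add(self, token: str, now=None) -> bool:
        claims = verify_token(self._secret, token, now)
        if claims is None:
            return False
        self._rows.setdefault(claims["sub"], set()).add(token)
        return True

    def is_active(self, token: str, now=None) -> bool:
        """Usable only if it verifies and is still present (i.e. was not deleted)."""
        claims = verify_token(self._secret, token, now)
        return claims is not None and token in self._rows.get(claims["sub"], ())

    def delete(self, token: str) -> None:
        for tokens in self._rows.values():
            tokens.discard(token)

    def purge_expired(self, now=None) -> int:
        """Delete (never archive) every expired token; returns how many were removed."""
        removed = 0
        for user_id, tokens in list(self._rows.items()):
            dead = {t for t in tokens if verify_token(self._secret, t, now) is None}
            removed += len(dead)
            tokens -= dead
            if not tokens:
                del self._rows[user_id]
        return removed
```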

Generating an API token


Generate an API token for use in REST API scripts that run on the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Open the User account menu and select API Token Manager.
The API Token Manager dialog box appears.
3. Click the plus icon at the top right of the dialog box.
The Generate API Token dialog box appears.
4. In Duration, type the number of days the token will be valid.
The default duration is 30 days.
5. In Tag, enter a name to distinguish this token from other tokens.
If no tag name is entered, the tag name will appear as API Token in the list of tokens.
6. Click Generate.
The Copy API Token dialog box appears.
7. Click Copy and store the API token for future use.

Result
The display shows a list of API token IDs along with the associated token tag names, expiration dates, and
last activity.

Testing a generated API token
Test a generated API token in the Rubrik API playground.

Context
These steps require an API token. See Generating an API token to create the API token.

Procedure
1. Open https://RubrikCluster/docs/internal/playground/
Where RubrikCluster is the resolvable hostname or IP address of the Rubrik cluster.
The Rubrik REST API Explorer appears.
2. Click Authorize.
The Available authorizations dialog box appears.
3. Paste the API Token in the Bearer section of the dialog box.
4. Click Authorize.
The Rubrik REST API Explorer opens a session and stores the session token.

Result
The authorized API token remains in place until it reaches the expiration date and time. The token is
invalidated after expiration.
Using a token for authorization changes the header construction slightly. The key remains Authorization,
but the value changes to using the word Bearer followed by the token.
For example, this token includes the word Bearer followed by the token joiN2NiNGIyN:

Authorization: Bearer joiN2NiNGIyN

PowerShell SDK tokens


The Rubrik cluster uses an API token to map to the token authentication model for automated workflows,
script authentication, and multifactor authentication (MFA).
The New-RubrikAPIToken command generates an API token that adheres to the expiration and tagging
requirements. The Rubrik cluster has a limit for the number of active tokens that can be concurrently
valid. Token generation should be performed as part of the token lifecycle management security process to
rotate in fresh tokens.

Generating a new token with PowerShell SDK


Request a new token using an automated workflow and the PowerShell SDK for Rubrik.

Prerequisites
If the Rubrik cluster has Time-based One-time Password (TOTP) enabled, tokens must be generated using
the Rubrik CDM web UI. They cannot be generated using PowerShell SDK or API.

Procedure
1. Log in to the PowerShell SDK.
2. At the PowerShell SDK prompt, type the New-RubrikAPIToken command.

This example requests a new API token ("joiN2NiNGIyN") to use with a serverless function running
on AWS Lambda in US West 1 (N. California). The PowerShell function is sending a POST request to /
session using the current session information. This example is truncated for brevity.

New-RubrikAPIToken -Expiration 600 -Tag 'aws-us-west-1-lambda'


Id : 7cb4b25c
organizationId : Organization:::b6c0d1d1
userId : 30047f2a
Token : joiN2NiNGIyN
expiration : 2019-06-26 20:05:28
Tag : aws-us-west-1-lambda

An API request is sent using the session information to generate a new API token. The payload of the
body is:

Body = {
  "initParams": {
    "apiToken": {
      "tag": "aws-us-west-1-lambda",
      "expiration": 600
    }
  }
}

3. Send a GET request to /session with a query parameter containing a user ID value to receive a list
of API tokens.
Alternatively, issue the Get-RubrikAPIToken PowerShell function to retrieve all known tokens
based on the user ID of the current session.

Result
The PowerShell SDK generates a new token.

Using API tokens with the Rubrik PowerShell SDK


Include the token parameter to use the API token with the PowerShell SDK for the Rubrik cluster.

Procedure
Connect to the Rubrik cluster using the API token.
Type the Connect-Rubrik command.
This example connects to the Rubrik cluster at 192.168.1.124 and passes the token "joiN2NiNGIyN" in the
Token parameter.

Connect-Rubrik -Server 192.168.1.124 -Token joiN2NiNGIyN


Name Value
---- -----
Time 2019-06-26 14:40:06
Api 1
Server 192.168.1.124
Header {Authorization, User-Agent}
Id null
userId null
Version 5.0.0

Result
The Rubrik cluster returns a unique token that represents the user’s credentials. This token is used to
execute subsequent API requests with the PowerShell SDK.

Deleting a token with PowerShell SDK
Use the PowerShell SDK to remove a token from the Rubrik cluster.

Procedure
1. Connect to the Rubrik cluster using the API token.
2. Type the Remove-RubrikAPIToken command, which accepts the token ID value as its only parameter.
This example specifies token 7cb4b25c.

Remove-RubrikAPIToken -TokenId '7cb4b25c'


Confirm
Are you sure you want to perform this action?
Performing the operation "Deletes session tokens" on target "7cb4b25c".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): y

3. Optional: Use the -Force parameter to delete the token without confirmation. To delete multiple tokens
in a single command, quote each token ID and separate the IDs with commas.
This is the syntax for multiple token IDs.

Remove-RubrikAPIToken -TokenId ("token1","token2")

Deleting an expired API token


API tokens can be deleted after they expire and replaced with a new token.

Context
Delete an expired API token so that it cannot be used in REST API calls to the Rubrik cluster.

Note: Use caution when deleting an API token. Once the token is deleted, all REST API calls that use that
token will fail.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Open the account menu in the upper right corner and select API Token Manager.
The API Token Manager dialog box appears.
3. Open the ellipsis menu next to the API token to be deleted and select Delete.
The Delete API Token dialog box appears with a warning message about the consequences of deleting
the token.
4. Click Delete.

Result
The API token is removed from the list of API tokens.

API token rotation


Production environments can benefit from shorter lived tokens that live in a secure vault and are rotated
on a regular basis, such as weekly or monthly.
Rotated tokens can also be issued to colleagues who need access for a limited period of time, such as
power users, contractors, or a project team.

In general, it is best if:
• Short-lived tokens are used and stored in secure storage such as AWS KMS, HashiCorp Vault, or secured
variables in AppVeyor and Azure Automation.
• The code references tokens from the secure storage locations. Do not use a hard-coded value that is
not easily rotated.
• A new token is generated before the expiration of the old token, using the PowerShell SDK for Rubrik, a
direct call to the RESTful API (such as Invoke-RestMethod or curl), or any other trigger-based workflow
that can hit an API endpoint as the user or service account that the token represents.
Making a habit of using tokens for automation increases security awareness, reduces reliance on user
credentials, and aids a transition to a more service-oriented architecture.
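As an added example of the rotation practice above (not code from the Rubrik guide or SDK), the Python below reads the working token from an injected environment variable instead of a hard-coded literal, and plans a rotation run over a token inventory in the shape of the SDK output: expired tokens to delete, tokens inside the lead time to replace, and a check against the cluster's concurrent-token limit, whose value is not stated in this guide and is therefore a parameter. The sample inventory is constructed.

```python
import os
from datetime import datetime, timedelta

# Timestamp format used in the New-RubrikAPIToken / Get-RubrikAPIToken output shown
# in this guide, for example "2019-06-26 20:05:28".
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed token inventory (Id, Tag, expiration as in the SDK output). The first
# entry reuses the tag and ID from the guide's example; the others are made up.
SAMPLE_TOKENS = [
    {"Id": "7cb4b25c", "Tag": "aws-us-west-1-lambda", "expiration": "2019-06-26 20:05:28"},
    {"Id": "example-id-2", "Tag": "monitoring-poller", "expiration": "2019-08-01 00:00:00"},
    {"Id": "example-id-3", "Tag": "old-ci-runner", "expiration": "2019-06-01 00:00:00"},
]


def parse_timestamp(text: str) -> datetime:
    return datetime.strptime(text, TIMESTAMP_FORMAT)


def load_token(env=None, name: str = "RUBRIK_API_TOKEN") -> str:
    """Return the token the job should use, taken from the environment.

    The variable is expected to be injected at run time from the vault or the
    pipeline's secret store; the script itself never contains a token literal.
    """
    env = os.environ if env is None else env
    token = env.get(name)
    if not token:
        raise RuntimeError(f"{name} is not set; inject it from the secrets store")
    return token


def rotation_plan(tokens, now: datetime, lead_time: timedelta = timedelta(days=7),
                  max_active=None) -> dict:
    """Decide what a scheduled rotation job should do with the current token list.

    delete:     IDs of tokens that have already expired (remove them first).
    rotate:     tags whose token expires within lead_time (generate the replacement
                now, so the new token is in place before the old one lapses).
    keep:       tags that need no action yet.
    over_limit: True if issuing the replacements would exceed max_active, the
                cluster's limit on concurrently valid tokens (site-specific value).
    """
    plan = {"delete": [], "rotate": [], "keep": [], "over_limit": False}
    for tok in tokens:
        expires = parse_timestamp(tok["expiration"])
        if expires <= now:
            plan["delete"].append(tok["Id"])
        elif expires - now <= lead_time:
            plan["rotate"].append(tok["Tag"])
        else:
            plan["keep"].append(tok["Tag"])
    if max_active is not None:
        # During rotation each replaced tag briefly holds both the old and the new token.
        live_after_cleanup = len(plan["rotate"]) + len(plan["keep"])
        plan["over_limit"] = live_after_cleanup + len(plan["rotate"]) > max_active
    return plan


if __name__ == "__main__":
    print(rotation_plan(SAMPLE_TOKENS, parse_timestamp("2019-06-20 12:00:00")))
```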

Chapter 6
Rubrik cluster audits

Rubrik cluster audits

Auditing provides a persistent record of actions performed by Rubrik cluster users, and can be used to
analyze user behavior and reconstruct a chain of events.
Rubrik clusters keep a log of events in an internal database. This event log can be viewed in the Rubrik
CDM web UI.
An audit trail is a record of user-initiated actions in a Rubrik cluster environment. Essentially, auditing
gathers the information to keep a record of who changed what and when.
User events are logged in the Rubrik activity log, along with all other cluster activities. Activity log
messages describe the current state of tasks on the local Rubrik cluster and furnish information about
every task that is started on the local Rubrik cluster over the past 90 days. Filtering the activity log to
display user events reconstructs a set of user activities.
At the application layer, the syslog transmissions use the HTTP protocol. Configuring syslog export rules
with TLS encrypts in-flight data sent to an external syslog server. The Rubrik cluster uses the standard
syslog protocol to format and transmit system notifications. By default, the Rubrik cluster uses the
standard syslog protocol and port (UDP/514) at the transport layer. The transport layer protocol and port
can be configured to use custom settings.
The Rubrik cluster sends messages to the syslog server according to how the facility and severity levels
are configured. The facility level represents the machine process that created the syslog event, including
general system processes such as the kernel, user operations, and mail, and facilities for Rubrik-specific
logs. The severity level indicates how severe the message is when it is displayed in syslog. The levels are
critical, warning, and informational.

Space allocation for log records


The Rubrik cluster maintains a considerable amount of storage within its architecture, including space for
log records.
The Rubrik cluster must have sufficient log storage allocated for the audit records. The Rubrik cluster
is capable of granular level auditing of all actions taken on the product, and can generate audit records
containing information that establishes what type of event occurred, when the event occurred, where the
event occurred, the source of the event, the outcome of the event, and the identity of any individuals or
subjects associated with the event.
Customers should allocate enough storage to collect and retain sufficient audit log data without running
out of available storage. The amount of storage required depends on the number of audit logs recorded,
the retention requirements, and the centralized audit log retention policy enabled by syslog.

The Rubrik cluster audit manager
The Audit Manager provides the mechanism to query and report on auditing information.
The Audit Manager runs on each node of the Rubrik cluster. Administrators can search the Audit Manager
for information based on when an action occurred, the actions performed by a specific user, the actions
performed in a specific content area, or changes to the audit configuration.
Auditing is enabled by default. This table describes the Rubrik cluster user-initiated actions that are
recorded and available to view with the nbauditreport command or with the Veritas Rubrik CDM
OpsCenter.

Entity Action audited


User accounts Adding, deleting, or modifying user or user attributes
Policies Adding, deleting, or updating policy attributes, clients,
schedules, and backup selections lists
Activity monitor Canceling, suspending, resuming, restarting, or deleting any
type of job creates an audit record
Storage units Adding, deleting, or updating storage units
Storage servers Adding, deleting, or updating storage servers
Host properties Updating host properties
Restore job Initiation of a restore job.
This is the only job type for which the initiation is audited. For
example, audit records are not created when a backup job
begins.

User audit log


User events are maintained in the audit log.
The audit log includes these events:
• Successful logins
• Successful logouts
• User session timeouts (detected when next REST API request fails)
• Authentication failures:
• Invalid usernames
• Invalid or expired passwords
• Authorization failures:
• No authorizations on the selected organization
• No authorizations on any organization
Successful login events are only generated when each new session is created. Additional REST API
requests using valid session credentials do not generate successful login audit messages. This is done to
avoid generating many successful login audit messages with questionable informational value.
Because invalid user names cannot be associated with a particular organization, invalid username audit
events are only visible to users with the administrator Role-Based Access Control (RBAC) role.
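The audit event types listed above lend themselves to a simple detection. The Python below is an added example (not from the Rubrik guide): it parses a constructed sample of user audit events, flags a source that produces a burst of authentication failures inside a time window, and flags again when a successful login from that source follows the burst. The field names and event names are assumptions for the example, not the cluster's export format.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of user audit events as JSON lines. Event kinds mirror the list
# above: login success, logout, and authentication failures by reason.
SAMPLE_AUDIT_LOG = """\
{"time":"2022-04-28T10:00:01Z","event":"authentication_failure","reason":"invalid_password","user":"admin","source":"10.0.0.25"}
{"time":"2022-04-28T10:00:09Z","event":"authentication_failure","reason":"invalid_username","user":"administrator","source":"10.0.0.25"}
{"time":"2022-04-28T10:00:20Z","event":"authentication_failure","reason":"invalid_password","user":"admin","source":"10.0.0.25"}
{"time":"2022-04-28T10:00:31Z","event":"login_success","user":"backup-svc","source":"10.0.0.40"}
{"time":"2022-04-28T10:00:44Z","event":"authentication_failure","reason":"invalid_password","user":"admin","source":"10.0.0.25"}
{"time":"2022-04-28T10:00:58Z","event":"authentication_failure","reason":"invalid_password","user":"admin","source":"10.0.0.25"}
{"time":"2022-04-28T10:01:12Z","event":"authentication_failure","reason":"invalid_password","user":"admin","source":"10.0.0.25"}
{"time":"2022-04-28T10:02:05Z","event":"login_success","user":"admin","source":"10.0.0.25"}
{"time":"2022-04-28T10:30:00Z","event":"logout_success","user":"backup-svc","source":"10.0.0.40"}
"""


def parse_events(text: str):
    """Yield one dict per non-blank line, with 'time' converted to a datetime."""
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def detect_credential_guessing(events, threshold: int = 5,
                               window: timedelta = timedelta(minutes=5)):
    """Alert once per source that reaches `threshold` failures inside `window`,
    and again if a login success from that source follows the burst."""
    recent = defaultdict(deque)  # source -> failure timestamps inside the window
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        src = ev["source"]
        if ev["event"] == "authentication_failure":
            q = recent[src]
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "auth_failure_burst", "source": src,
                               "count": len(q), "at": ev["time"]})
        elif ev["event"] == "login_success" and src in flagged:
            alerts.append({"type": "success_after_burst", "source": src,
                           "user": ev["user"], "at": ev["time"]})
    return alerts


def failures_by_reason(events) -> dict:
    """Count authentication failures per reason (invalid_username vs invalid_password).

    Invalid-username events are only visible to administrators, so a non-admin
    view of the log will undercount that category."""
    counts = defaultdict(int)
    for ev in events:
        if ev["event"] == "authentication_failure":
            counts[ev["reason"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = list(parse_events(SAMPLE_AUDIT_LOG))
    for alert in detect_credential_guessing(evs):
        print(alert)
    print(failures_by_reason(evs))
```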

The Rubrik cluster includes considerable storage. However, log storage allocation is the responsibility of
the customer. Enough storage should be allocated to successfully collect and retain enough audit log data
without running out of available storage. The amount of storage should accommodate the amount of audit
logs recorded, the retention requirements, and the centralized audit log retention policy enabled by syslog.

Auditing categories in the Rubrik cluster


Auditing Rubrik cluster operations can help provide information in several categories.
This table describes the auditing categories.

Audit category Description


General tracking Provides insight from audit trails while investigating
unexpected changes in a Rubrik CDM environment.
For example, adding a client or a backup path can
cause a significant increase in backup times. The
audit report can indicate that an adjustment to a
schedule or to a storage unit configuration might be
necessary to accommodate the policy change.

Regulatory compliance Creates a record of users who have initiated a
change, what was changed, and when it was
changed. The record complies with guidelines such
as those required by the Sarbanes-Oxley Act (SOX).
Corporate change management Offers a method to adhere to internal change
management policies.
Troubleshooting Helps Rubrik Support to troubleshoot problems for
customers.

List of audited events in the Rubrik cluster


Rubrik cluster events are observable occurrences in an organizational information system. Any event can
be audited.
It is best to select events for auditing that are significant and relevant to the security of information
systems and the environments in which those systems operate to meet specific and ongoing audit needs.
For example, audit events can include password changes, failed logons, or failed accesses related to
information systems, administrative privilege usage, personal identity verification (PIV) credential usage, or
third-party credential usage.
Considering the auditing appropriate for each of the security controls to be implemented helps determine
the set of auditable events. Identify the subset of auditable events that are audited at a given point in time
to balance the auditing requirements with other information system needs. For example, a company may
determine that information systems must have the capability to log every file access both successful and
unsuccessful, but not activate that capability except for specific circumstances due to the potential burden
on system performance.
Other security controls and control enhancements may refer to auditing requirements, including the need
for auditable events. Organizations also include auditable events that are required by applicable federal
laws, executive orders, directives, policies, regulations, and standards. Audit records can be generated at
various levels of abstraction, including the packet level, as information traverses the network.

Selecting the appropriate level of abstraction is a critical aspect of an audit capability and can facilitate the
identification of root causes of problems. When defining auditable events, organizations should consider
the auditing necessary to cover related events such as the steps in distributed, transaction-based processes
(for example, processes that are distributed across multiple organizations) and actions that occur in
service-oriented architectures.

Chapter 7
Certificate management in the Rubrik
cluster

Certificate management in the Rubrik cluster

Rubrik supports multiple forms of Public Key Infrastructure. Rubrik CDM supports x.509 certificate-based
authentication.
Rubrik supports RSA SecurID, DUO Two-Factor Authentication service, and x.509 certificate-based
authentication. Rubrik CDM version 5.1 supports all forms of Department of Defense (DoD) Public Key
Infrastructure (PKI) Common Access Card (CAC) and Homeland Security Presidential Directive (HSPD) 12.

TLS certificate management


Rubrik clusters provide a management workflow for TLS certificates as required by several different
authentication components.
When Rubrik CDM starts, it configures a default Rubrik self-signed certificate for web services traffic to
enable secure transport layer security (TLS) encrypted traffic over HTTPS (port 443). Rubrik clusters
support the import and export of TLS certificates signed by a Certificate Signing Request (CSR) or a key
phrase, as well as unsigned and wildcard certificates.
Imported TLS certificates can be in the Encrypted Private Key and Certificate (PKCS12) format or base64-
encoded in the PEM format. Once a TLS certificate is imported to the Rubrik cluster, authentication
workflows enable users to select a TLS certificate to use with the specific service.

Disable TLS version 1.1


Rubrik CDM uses TLS v1.2 for all secure network communications by default.
Rubrik CDM supports stepping down to TLS version 1.1 for legacy systems that require the older version.
This Rubrik CLI command determines the currently running version of TLS.

>> cluster rubrik_tool get_config shield sprayMinimumTlsVersion

Rubrik Support provides instructions for disabling support for TLS version 1.1.

Importing a TLS certificate


Import a TLS certificate to the Rubrik cluster to use the certificate with authentication workflows that
support TLS certificates.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Certificate Management.
The Certificate Management page appears.
4. Click Add Certificate.
The Add Certificate dialog box appears.
5. In Display Name, type a name for the certificate.
6. Optional: In Description, type a description for the certificate.
7. In Certificate, paste the text of the TLS certificate.
8. Select a key type for the TLS certificate.
• Select CSR to complete an existing signing request.
• Select Key to import a certificate that was created outside the Rubrik cluster and includes a private
key.
• Select None to import a self-signed certificate created outside the Rubrik cluster.
9. Optional: To enable Trusted SSL-TLS interception, turn on the Add to trust store toggle.
If you turn on the Add to trust store toggle, the Trust Option dialog box appears.
10. Optional: In the Trust Option dialog box, click OK.
11. Click Add.
The Rubrik cluster imports the TLS certificate.

Result
The Rubrik cluster can now use the TLS certificate using the service configuration.
Related Tasks
Generating a CSR
A CSR authenticates a TLS certificate.

Using a new TLS certificate


Replace existing TLS certificates in the Rubrik cluster with different versions.

Prerequisites
Add certificates to the Rubrik cluster using the steps described in Importing a TLS certificate.

Context
The Rubrik cluster uses the current Transport Layer Security (TLS) certificate until the imported certificate
is specified.

Procedure
1. Select Cluster Settings from the gear icon.
The Cluster page appears with the Cluster Settings tab selected.
2. Click the X next to the certificate name under the Web Server Certificate heading to remove the
current certificate.
3. Select the new certificate from the list.
4. Click Update.

Result
The Rubrik cluster uses the new TLS certificate.

Generating a CSR
A CSR authenticates a TLS certificate.

Context
Generating a Certificate Signing Request (CSR) is the first step for importing a Transport Layer Security
(TLS) certificate with a private key that is managed by the Rubrik cluster. Once a CSR is generated, use
this CSR with the certificate authority (CA) to generate a TLS certificate. Specify the certificate type as CSR
to import this certificate into the Rubrik cluster.
After the CSR signing is complete, the signed certificate must be imported and configured.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Certificate Management.
The Certificate Management page appears with the Certificates tab selected.
4. Click the CSRs tab.
The Certificate Management page changes to the Certificate Signing Request tab.
5. In the top right, click Generate CSR.
The Generate Certificate Signing Request dialog box appears.
6. Fill out the fields and click Generate.
The CSR appears.
7. Click Download.
The web browser saves the CSR to local storage as a text file.

Result
The downloaded or copied CSR can now be signed by a CA. Once the CSR has been signed, it can be
imported for use in the Rubrik cluster.
Related Tasks
Importing a TLS certificate
Import a TLS certificate to the Rubrik cluster to use the certificate with authentication workflows that
support TLS certificates.

Chapter 8
Encryption in the Rubrik cluster

Encryption in the Rubrik cluster

Encryption restricts an unauthorized party's ability to read data. Data encryption can apply to data at
rest, which is stored in a persistent device such as a storage drive, or in flight, which is being transmitted
between devices.
Data that is transmitted between nodes in a secure cluster is encrypted with the Transport Layer Security
(TLS) protocol, preventing attackers from access to the transmitted data even when the transmission is
intercepted. Rubrik clusters secure data at rest with the Advanced Encryption Standard (AES) symmetric-
key algorithm, using a 256-bit key length (AES-256).
On hardware platforms with FIPS-140-2 certified self-encrypting drives, the Rubrik cluster utilizes
FIPS-140-2 certified encryption for at-rest encryption. The keys for these encryption features can be
managed internally within the appliance’s Trusted Platform Module (TPM) and archived as required by
operational policy. Alternatively, these keys can be managed off-box via the Key Management
Interoperability Protocol (KMIP) by a KMIP-compliant key manager. In that case, archiving the Rubrik
cluster encryption keys is the responsibility of the centralized key manager.

Data in flight encryption


The Rubrik cluster encrypts data while it is being transmitted.
Data transmission between nodes in a secure cluster is encrypted with the Transport Layer Security (TLS)
1.2 protocol, preventing attackers from access to the transmitted data even when the transmission is
intercepted.
Rubrik encrypts all data before leaving the system, ensuring secure data archival to public or private cloud
environments. Rubrik leverages client-side encryption libraries supported by public cloud providers and all
archived data undergoes envelope encryption.

Encryption of data at rest
Rubrik clusters use encryption to secure data at rest.
Rubrik clusters secure data at rest with the Advanced Encryption Standard (AES) symmetric-key algorithm,
using a 256-bit key length (AES-256).
For software encryption, Rubrik secures data-at-rest with AES-256 encryption and supports detection of
data tampering even when the system is powered off. When data-at-rest encryption is enabled, both data
and metadata are encrypted.
Rubrik clusters encrypt all filesystem data with a 256-bit Data Encryption Key (DEK), which is further
protected by wrapping it inside encryption using a 256-bit Key-Encryption Key (KEK). This allows secure
deletion of data by erasing the KEK to make the data inaccessible.
For hardware encryption, Rubrik offers an option for physical appliances with FIPS 140-2 Level 2 certified
hard disk and solid-state drives. The Rubrik r5xx series appliance uses self-encrypting drives (SEDs) where
DEKs and their passwords are encrypted with a Key-Encrypting Key (KEK). Rubrik recommends regular
KEK rotation. Periodic key rotation is also offered via an API which integrates with external compliance and
governance systems. Key rotation can also be used to migrate from an internal key manager to an external
key manager.
To enable effective key management, Rubrik offers the flexibility to manage the keys using an internal key
manager via the Trusted Platform Module (TPM) chip or an external key manager that is Key Management
Interoperability Protocol (KMIP) compliant.
Rubrik has built a secure platform for utilizing any cloud provider since day one. All backups sent to the
cloud include a copy of the system metadata, which can be instantly accessed by any Rubrik appliance
with the correct credentials and encryption keys.

Password encryption
The Rubrik cluster encrypts all user passwords.
Rubrik clusters do not store the passwords for local accounts. The password entered by a user is hashed
using the SHA-512 algorithm and the Rubrik cluster compares the resulting hash value to the stored hash
value for authentication.
The passwords to services external to the cluster are encrypted with AES-256.

Replication across clusters


Rubrik CDM can replicate between a mixture of encrypted and unencrypted clusters.
Because data at rest is encrypted during writes or at ingestion, Rubrik CDM supports replication between
encrypted and unencrypted clusters.
The Rubrik CDM User Guide provides full details on configuring replication.

Encrypted key management in the Rubrik cluster


Keeping the encrypted data on a Rubrik cluster secure depends on keeping the Data Encryption Keys
secure.
The Rubrik cluster keeps Data Encryption Keys (DEKs) and the passwords to the self-encrypting drives
(SEDs) on r5xx and r6xxxf series Briks secure by encrypting them with a Key-Encrypting Key (KEK).

As a best practice, regularly rotate the KEK. Rubrik supports two methods of securely storing and rotating
KEKs:
• The TPM chip present in a Brik.
• An external server running the Key Management Interoperability Protocol (KMIP).
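The DEK/KEK hierarchy described in "Encryption of data at rest" and in this section can be shown in a few dozen lines. The Python below is an added example, not Rubrik's implementation: data is encrypted under a DEK, only the KEK-wrapped DEK is stored, KEK rotation re-wraps the DEK without touching the encrypted records, an old or erased KEK can no longer unwrap it, and a modified record fails its integrity check. Rubrik uses AES-256, which Python's standard library does not provide; to run offline this example substitutes an HMAC-SHA256 counter-mode keystream with an HMAC tag as the cipher, so the key hierarchy, not the cipher, is the point.

```python
import hashlib
import hmac
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC subkeys from one 256-bit key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-256 (assumption): XOR with an HMAC-SHA256 counter-mode keystream."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    nonce = os.urandom(16)
    ciphertext = _keystream_xor(_subkey(key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; a wrong key or a changed byte fails here."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return _keystream_xor(_subkey(key, b"enc"), nonce, ciphertext)


def new_store(kek: bytes) -> dict:
    """Generate a fresh 256-bit DEK and keep only its KEK-wrapped form plus the records."""
    dek = os.urandom(32)
    return {"wrapped_dek": encrypt(kek, dek), "records": {}}


def store_write(store: dict, kek: bytes, name: str, plaintext: bytes) -> None:
    dek = decrypt(kek, store["wrapped_dek"])  # unwrap the DEK with the KEK
    store["records"][name] = encrypt(dek, plaintext)


def store_read(store: dict, kek: bytes, name: str) -> bytes:
    dek = decrypt(kek, store["wrapped_dek"])
    return decrypt(dek, store["records"][name])


def rotate_kek(store: dict, old_kek: bytes, new_kek: bytes) -> None:
    """KEK rotation re-wraps the DEK only; the encrypted records are not rewritten."""
    dek = decrypt(old_kek, store["wrapped_dek"])
    store["wrapped_dek"] = encrypt(new_kek, dek)


def can_unwrap(store: dict, kek: bytes) -> bool:
    """True if this KEK still unwraps the DEK; false after rotation to another KEK."""
    try:
        decrypt(kek, store["wrapped_dek"])
        return True
    except ValueError:
        return False


def record_intact(store: dict, kek: bytes, name: str) -> bool:
    """Tamper detection: the MAC over a stored record fails if any byte was changed."""
    try:
        store_read(store, kek, name)
        return True
    except ValueError:
        return False
```
Erasing every copy of the current KEK (the "secure deletion" case in the text) leaves the wrapped DEK permanently unrecoverable, which is exactly what can_unwrap reports for a KEK that no longer matches.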

Rotating key encrypting keys


Key rotation rotates the KEK and the SED passwords.

Procedure
1. Log in to the Rubrik cluster web UI as the admin user or a user with the Administrator role.
2. Open the gear menu on the top bar of the web UI.
The gear menu appears.
3. Click System Configuration > Manage Encryption.
The Manage Encryption page appears with the Key Rotation Status tab selected.
4. Click Rotate Keys.
The One-Time Key Rotation dialog appears.
5. Optional: To rotate keys using an external KMIP server, select External Key Manager (KMIP-
compliant).
If the cluster was using the on-board TPM chip for key rotation, this option changes the key rotation
method.

Note: Before using a KMIP server to rotate encryption keys, configure Rubrik with the server
information according to the procedure in Setting up a KMIP server.

6. Optional: To rotate keys using the on-board TPM chip, select Internal Key Manager (Rubrik TPM). If
the cluster was using a KMIP server for key rotation, this option changes the key rotation method.

Note: Changing the key rotation method requires restarting all nodes in the cluster. These restarts
stop any currently running jobs.

7. Optional: Select the checkbox to enable Rubrik to retain a copy of the encryption keys.

Note: Without a copy of the encryption keys, Rubrik cannot assist with certain recovery scenarios.

8. Click Continue.
Rubrik rotates the key-encryption keys (KEKs) and, where applicable, Self-Encrypting Drives (SED)
passwords on the cluster.

Setting up a KMIP server


Before using a KMIP server to manage the KEK and SED passwords on a Rubrik cluster, configure Rubrik
with the address and credentials of the KMIP server.

Procedure
1. Log in to the Rubrik web user interface (UI) with administrative user credentials.
2. Open the gear menu on the top bar of the web UI.
The gear menu appears.
3. Click System Configuration > Manage Encryption.
The Manage Encryption page appears with the Key Rotation Status tab selected.
4. Click the KMIP Settings tab.
A list of Key Management Interoperability Protocol (KMIP) servers configured for the cluster appears.
5. Click Configure Client Settings.

Encryption in the Rubrik cluster 04/28/2022 | 43


The KMIP Client Settings dialog appears.
6. Select Password Only, Client Certificate Only, or Both to match the client authentication mode
the KMIP server requires.
7. Optional: Fill out the Username and Password fields if the KMIP server requires them.
8. Optional: Paste the signed client certificate text in the Client Certificate field if the KMIP server
requires one. Generating a certificate signing request has information on generating this certificate.
9. Click Update.
The Rubrik cluster stores the updated KMIP client information.
10. Click Add KMIP Server.
The Add KMIP Server dialog appears.
11. Fill out the Server Address and Port fields.
12. Paste the chain of server certificates text in the Server Certificate field.
If the server certificate is signed by an issuer other than the server itself, include the issuer's
certificate. If there is a chain of issuers, include the full chain of server certificates up to the root CA;
a leaf certificate on its own cannot be validated by the cluster.
13. Click Add.
The Rubrik cluster stores the updated KMIP server information.

Generating a certificate signing request


KMIP servers can authenticate clients using certificates or username and password credentials.

Context
Perform these steps to generate a certificate signing request.

Procedure
1. From the KMIP Settings tab, click Generate Certificate Request.
The Certificate Signing Request dialog appears.
2. Enter the username for the Key Management Interoperability Protocol (KMIP) server and click
Generate.
The Certificate Signing Request appears.
3. Click Download to download the Certificate Signing Request as a text file.
The Certificate Signing Request must be signed by a trusted certificate authority.

Vormetric DSM integration


A Rubrik cluster can be integrated with a Vormetric DSM KMIP server.
Before integrating the Vormetric Data Security Manager (DSM) Key Management Interoperability Protocol
(KMIP) server, ensure that the Rubrik cluster is composed entirely of FIPS-compliant Briks or has
software encryption enabled on r-series nodes.
Also confirm that encryption is enabled on the cluster: log in to the cluster, open the System page, and
check that the disks show lock icons in the System Summary.
If KMIP is not already enabled on the cluster, contact Rubrik Support to enable it.



Configuring the Vormetric DSM
Configure the settings on the Vormetric DSM appliance.

Context
Follow the instructions in the Vormetric DSM Administration Guide. Generally, configuring the Vormetric
DSM for the Rubrik cluster includes these steps:

Procedure
1. Enable TLS 1.2 support.
2. Configure licenses on the DSM to enable KMIP.
3. Create a domain on the DSM with KMIP enabled.
4. Within the new domain, add a host for the Rubrik cluster using an FQDN with A or CNAME records
pointing to the Rubrik nodes. Make a note of the FQDN in a safe place.
5. For client certificate authentication, ensure that the Password attribute is Generate.
6. Retrieve the Server Certificate from the DSM using a web browser (Windows) or OpenSSL (Linux).

Configuring the Rubrik cluster


Once the Vormetric DSM is configured, configure the Rubrik cluster.

Procedure
1. Log in to the Rubrik CDM web UI with administrative user credentials.
2. Open the gear menu on the top bar of the web UI.
The gear menu appears.
3. Click System Configuration > Manage Encryption.
The Manage Encryption page appears with the Key Rotation Status tab selected.
4. Click KMIP Settings.
5. For Client Authentication Mode, select Client Certificate Only.
6. Click Generate CSR.
7. When prompted, enter the same case-sensitive fully qualified domain name (FQDN) entered in
Configuring the Vormetric DSM.
8. Download the certificate signing request (CSR).
9. Submit the CSR to an internal or public enterprise certificate authority (CA).
10. Retrieve the signed TLS client certificate. The key must be 2048 bits or longer.

Adding signed TLS Certificate to the Vormetric DSM


Adding the signed TLS certificate requires information from the Rubrik web UI.

Procedure
1. In the Vormetric DSM, locate the Rubrik host created in Configuring the Vormetric DSM and click
Import KMIP Key.
2. In the Username field, enter the same case-sensitive FQDN from Configuring the Vormetric DSM.
3. Paste the signed TLS client certificate in the Client Certificate field.
4. Enter the fully-qualified domain name (FQDN) or IP address of the Vormetric DSM in the Server field.
5. Enter 5696 in the Port field.
6. Paste the Vormetric DSM server certificate in the Server Certificate field.
7. Click Update.



Vormetric DSM installation failure troubleshooting
A Vormetric DSM integration can fail for several reasons. Troubleshoot a failure by:
• Verifying network connectivity over TCP port 5696 between the DSM and the Rubrik cluster.
• Rebooting the DSM.
• Ensuring that the fingerprint of the client certificate registered on the DSM matches the certificate
configured on the Rubrik cluster.
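The certificate material in the procedures above (the full server chain pasted in step 12 of Setting up a KMIP server, the 2048-bit CA-signed client certificate from step 10 of Configuring the Rubrik cluster, and the client-certificate fingerprint named in the troubleshooting list) can be checked from a workstation before anything is pasted into the web UI. The script below is an added example, not Rubrik or Thales tooling. It assumes openssl is installed; DSM_HOST, CLIENT_CERT and RUBRIK_FQDN are placeholder environment variables, and rubrik01.example.com is an assumed host name.

```shell
#!/bin/sh
# Added example (not Rubrik or Thales tooling): pre-flight checks on the KMIP
# certificate material before it goes into the Rubrik web UI.
# Assumptions: openssl is installed; DSM_HOST is the Vormetric DSM FQDN or IP;
# CLIENT_CERT is the PEM file returned by the CA for the Rubrik CSR;
# RUBRIK_FQDN is the case-sensitive FQDN registered as the host on the DSM.

KMIP_PORT=5696

# Fetch the chain the DSM presents. -showcerts prints every certificate the
# server sends, leaf first; the PEM blocks are what the Server Certificate field wants.
fetch_server_chain() {
    openssl s_client -connect "$1:$KMIP_PORT" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Count PEM certificate blocks in a chain. A count of 1 means the server sent
# only its leaf, so the issuing chain has to be appended by hand.
chain_length() {
    printf '%s\n' "$1" | awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# Subject CN of a PEM certificate file, e.g. rubrik01.example.com (assumed name).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Public key size in bits; the guide requires 2048 or more.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# SHA-256 fingerprint, to compare with what the DSM shows for the host entry
# when a client-certificate login fails (the fingerprint mismatch case).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# 0 if the client certificate is usable: CN equals the DSM host name exactly
# (the comparison is case-sensitive, like the DSM's) and the key is >= 2048 bits.
client_cert_ok() {
    cert=$1; fqdn=$2
    [ "$(cert_cn "$cert")" = "$fqdn" ] || { echo "CN does not match $fqdn" >&2; return 1; }
    [ "$(cert_key_bits "$cert")" -ge 2048 ] || { echo "key shorter than 2048 bits" >&2; return 1; }
}

if [ -n "${DSM_HOST:-}" ]; then
    chain=$(fetch_server_chain "$DSM_HOST")
    n=$(chain_length "$chain")
    echo "DSM sent $n certificate(s)"
    [ "$n" -gt 1 ] || echo "only the leaf was sent; append the issuing CA chain before pasting" >&2
    printf '%s\n' "$chain"
fi
if [ -n "${CLIENT_CERT:-}" ]; then
    client_cert_ok "$CLIENT_CERT" "$RUBRIK_FQDN" &&
        echo "client certificate fingerprint: $(cert_fingerprint "$CLIENT_CERT")"
fi
```

Run it once with DSM_HOST set to capture the server chain, and once with CLIENT_CERT and RUBRIK_FQDN set after the CA returns the signed certificate; a CN that differs only in case from the DSM host entry is rejected, which is the mismatch the Vormetric procedure warns about.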

Data encryption at rest on Rubrik Briks


Briks encrypt data at rest using software or hardware differently depending on the specific model.
Briks use a Trusted Platform Module (TPM) to manage encryption keys locally. Briks also support key
management with servers using the Key Management Interoperability Protocol (KMIP).
The r528 and r6xxxF model Briks use self-encrypting drives that are certified to meet level 2 of the FIPS
140-2 specification. Data encryption at rest for these Briks is always enabled and uses the Advanced
Encryption Standard (AES) symmetric-key algorithm, using a 256-bit key length (AES-256) at the disk layer.
Brik models in the r3xx and r6xxx series, excluding the r6xxxF and r528 models, which are hardware
encryption clusters with self-encrypting drives, support data encryption at rest using the AES-256
encryption algorithm implemented in the software.
Software data encryption at rest can be enabled only during the initial cluster setup or after a cluster
reset, and a cluster reset destroys all data on the cluster. To enable it, select the Enable Data
Encryption at Rest checkbox during web UI setup, or type Y at the Enable Software Encryption prompt
during CLI setup. Data is encrypted before being written to disk and decrypted during read operations.
For information on verifying the encryption status of the Rubrik cluster, see Verifying the Rubrik cluster
encryption status.
For full details on the cluster setup process, see the Rubrik Install and Upgrade Guide. For more
information on managing encryption keys, see Encrypted key management in the Rubrik cluster.

Verifying the Rubrik cluster encryption status


Verify the encryption status of the Rubrik cluster.

Procedure
1. Generate an API token.
2. Retrieve the encryption status of the Rubrik cluster.
In a UNIX shell, use the following command.

curl -k -X GET --header "Authorization: Bearer api_token" https://rubrik_host/api/v1/cluster/me/security/encryption

Where
• api_token is the token generated in step 1.
• rubrik_host is the IP address or host name of the Rubrik cluster.
The -k option disables TLS certificate verification. Once the cluster presents a certificate signed by a
trusted CA (see Using a certificate signed by a trusted CA), drop -k, or pass --cacert with the CA
certificate, so the token is not sent to an unverified endpoint.



Result
On encrypted Rubrik clusters, the response of the API call is:

{"isEncrypted":true,"cipher":"AES","keyLength":256}

On unencrypted Rubrik clusters, the response of the API call is:

{"isEncrypted":false}
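The check above can be scripted so that it fails unless the response is the encrypted form shown. The script below is an added example, not part of the guide. RUBRIK_HOST, RUBRIK_TOKEN and RUBRIK_CA_BUNDLE are assumed environment variables, and the script verifies the cluster certificate against a CA bundle instead of using curl's -k.

```shell
#!/bin/sh
# Added example, not from the Rubrik guide: queries the encryption endpoint and
# exits non-zero unless the cluster reports AES with a 256-bit key.
# Assumptions: RUBRIK_HOST is the cluster address, RUBRIK_TOKEN an API token, and
# RUBRIK_CA_BUNDLE a PEM file holding the CA that signed the cluster certificate,
# so certificate checking stays on (no curl -k).

# Pull "key":value out of the flat JSON the endpoint returns. The document has
# no nesting, so a sed expression is enough; quotes around string values are dropped.
json_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\":\([^,}]*\).*/\1/p" | tr -d '"'
}

# 0 when the response describes an encrypted AES-256 cluster, 1 otherwise.
encryption_compliant() {
    response=$1
    [ "$(json_field "$response" isEncrypted)" = true ] || { echo "cluster is not encrypted" >&2; return 1; }
    [ "$(json_field "$response" cipher)" = AES ]        || { echo "unexpected cipher" >&2; return 1; }
    [ "$(json_field "$response" keyLength)" -ge 256 ]   || { echo "key shorter than 256 bits" >&2; return 1; }
}

# --fail makes curl exit non-zero on an HTTP error instead of handing the
# error body to the parser as if it were a status document.
fetch_encryption_status() {
    curl -sS --fail --cacert "$RUBRIK_CA_BUNDLE" \
        -H "Authorization: Bearer $RUBRIK_TOKEN" \
        "https://$RUBRIK_HOST/api/v1/cluster/me/security/encryption"
}

if [ -n "${RUBRIK_HOST:-}" ]; then
    status=$(fetch_encryption_status) || exit 2
    encryption_compliant "$status" && echo "$RUBRIK_HOST: encrypted (AES-256)"
fi
```

Exit status 0 means the cluster matched the encrypted response shown above, 1 means it answered but is not compliant, and 2 means the request itself failed (bad token, untrusted certificate, or no connectivity), so the script can run unattended from a compliance job.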

Related Tasks
Generating an API token
Generate an API token for use in REST API scripts that run on the Rubrik cluster.



Chapter 9
Steps to harden a Rubrik cluster


This section provides a standard hardening procedure for the Rubrik CDM product.
These hardening steps configure a Rubrik CDM product to comply with United States Government security
standards, specifically the Defense Information Systems Agency (DISA) Security Technical Implementation
Guides (STIGs) and Security Requirements Guides (SRGs).
Evaluate the steps before implementing them. Increasing the security of a product often decreases its
ease of use; for example, complex passwords are much safer but require extra effort from the user. Only
users who understand the implications of each step should perform these steps.
The hardening requirements in this section are general in nature and should be applied to all CDM
installations regardless of the customer segment the product is deployed into.
The requirements to harden a high-security system are described in Hardening requirements for a high-
security system.
For customers hardening the system to meet a regulation, Rubrik also provides a complete STIG and SRG
assessment to all customers at no extra charge. This assessment is focused on an auditor's requirements
when assessing the security of the system.
Your Rubrik sales representative can provide access to this assessment.

System updates with the latest Rubrik security


The Rubrik security team creates and publishes advisories for security-related issues in Rubrik products.
The security-related advisories published by the Rubrik security team are posted on the Rubrik support
portal (https://support.rubrik.com). All customers must be aware of the Rubrik security advisories so they
can apply patches before exploits become widely available and can maintain a secure data management
service.
For critical vulnerabilities, Rubrik provides patches as soon as feasible. The patches will be available for
download from the support portal and can be applied through the Rubrik CLI. Each patch includes release
notes, which explain the vulnerability and the appropriate information about fixes.

Enabling the syslog server


The Rubrik cluster activity log messages describe the current state of tasks on the local Rubrik cluster and
furnish information about every task started on the local Rubrik cluster over the past 90 days, including
tasks that result in a notification.

Context
User events are logged in the Rubrik cluster activity log, along with all other cluster activities. To
reconstruct a set of user activities, filter the activity log to display user events.

Steps to harden a Rubrik cluster 04/28/2022 | 48


The Rubrik cluster can transmit system activities to an external syslog server. When syslog support is
enabled, the Rubrik cluster sends the syslog server messages based on the events that also appear in the
Rubrik activity log.
Send logging information to a remote syslog server to correlate and audit tasks and security events across
clusters, and so that an attacker who gains control of a cluster cannot also erase its only copy of the log.
Verify that the Rubrik appliance is configured to send logs immediately to a central audit server.

Procedure
1. Log in to the Rubrik CDM web UI
2. Click the gear icon on the top bar of the Rubrik CDM web UI
The gear menu appears.
3. Click Notification Settings.
4. On the tab bar, click Syslog.
The Syslog page appears.
5. Verify that the syslog settings point to the central audit server.

Result
The Rubrik appliance is configured to send logs to a central audit server.

Best practices for web session limits and inactivity timeouts


The interactive Rubrik CDM web UI browser session for users and administrators is configured to
automatically time out after 30 minutes of inactivity.
The session timeout is configurable, for example to match corporate security requirements. Rubrik also
recommends limiting the number of concurrent sessions allowed for named user accounts. By default, there is
no limit to the number of concurrent sessions allowed per user.
To limit concurrent sessions for all accounts to an organizationally defined value, submit a support ticket
and request that webSessionsPerUser in crystal be set to that value. This command, issued from the
Rubrik cluster CLI, shows the current value of webSessionsPerUser:

cluster rubrik_tool get_config crystal webSessionsPerUser

To change the default timeout of the cluster, submit a support ticket and request that the
webSessionTimeoutMinutes value in crystal be updated with the new value. Issue the following
command from the Rubrik cluster CLI to show the current value of webSessionTimeoutMinutes:

cluster rubrik_tool get_config crystal webSessionTimeoutMinutes

After making these changes, log in and verify that the timeout settings have taken effect.

Configuring for active directory authentication


Rubrik supports both local authentication and authentication with Active Directory.

Context
Local authentication must be used only as a fallback mechanism to access the Rubrik cluster when Active
Directory is unreachable.



Verify the appropriate domain is configured for authentication.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Select the gear icon.
3. Select Users from the Access Management category.
The User Management page appears with the Users and Groups tab selected.
4. Select the LDAP Servers tab.
5. Verify the appropriate domain is configured.

Configuring the TLS protocol


Verify that external objects protected by the Rubrik cluster support Transport Layer Security (TLS) 1.1 or higher.

Context
The Rubrik cluster uses the TLS protocol with certificate-based mutual authentication for all intra-node
and inter-cluster communication, as well as for communication with external applications. Rubrik CDM uses
TLS 1.2 for all internal communications, but falls back to TLS 1.1 when other applications do not support
TLS 1.2. TLS 1.0 and 1.1 are deprecated (RFC 8996), so treat any TLS 1.1 fallback as an exception to be
removed once the peer is upgraded.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the Rubrik CDM web UI
The gear menu appears
3. Click Certificate Management
The Certificate Management page appears with the Certificates tab selected
4. Examine the properties of the certificate listed to ensure that the Rubrik cluster self-signed certificate
was replaced with a certificate generated by the customer’s environment.

Retention locks in the Rubrik cluster


Retention locks prevent users from accidentally, or maliciously, deleting snapshots.
Retention locks protect against attempts to delete backups by modifying an SLA Domain to reduce retention
or by performing a factory-level reset.

Note: Retention locks are globally disabled on the cluster by default. Contact Rubrik Support to enable
retention locks within the Rubrik UI.

Once enabled, the Rubrik UI includes a toggle labeled Retention Lock in the upper corner of each Create
SLA Domain dialog window.
Once enabled globally, retention locks must be enabled explicitly on each SLA Domain that requires
protection. Retention locks can be enabled during SLA Domain creation, or they can be added to existing
SLA Domains which apply the protection and restrictions retro-actively.
Once enabled, retention locks introduce a number of security features.
• A factory reset of the cluster or a node cannot be performed. A common attack attempts a factory reset
on the appliance to wipe out backup data; when retention locks are enabled globally, this is impossible
without the intervention of Rubrik Support. Instead, the Rubrik cluster displays this message:

Node reset is disallowed
This Rubrik cluster has Retention Lock policies that prevent reset.
Contact Support to enable reset.

• The only modifications allowed on SLA Domains are those that make the configuration stronger and more
secure. Any attempt to reconfigure an SLA Domain in a way that weakens the configuration or contributes to
the expiration of existing data is prohibited. This prevents accidental or malicious changes to an SLA
Domain that would expire or prune existing data. Retention locks also prevent removing any archival
locations or replication targets associated with the SLA Domain.
• An external time source is required, and local time sources are not allowed, preventing rogue time
source attacks used to prematurely expire data by fast forwarding past the retention period.

Secure network time protocol configuration


The Network Time Protocol distributes precise time across a computer network.
The Network Time Protocol (NTP) synchronizes numerous time-critical processes on distributed computers
across a network. However, NTP can be a security risk: a malicious user can disrupt synchronization by
forging or replaying NTP time stamps, and a cluster that accepts a false time can be tricked into treating
retained data as expired.
NTP can authenticate the time stamps a time server provides using shared symmetric keys. Network time
clients and devices use these keys to verify that each time stamp came from the expected server.
The Rubrik cluster supports authenticated (secure NTP) time sources as an optional configuration. "Network
Settings" in the Rubrik CDM User Guide provides instructions for configuring NTP servers from the gear
menu on the web UI.
https://timetoolsltd.com/ntp/network-time-protocol-ntp-best-practices/ provides best practices for NTP
security.

Security banner
The Rubrik cluster can display a custom notice that must be acknowledged before login is permitted.
The Rubrik cluster security banner can include custom text for an authorized-use agreement. The message
text can be formatted as plain text or can use standard HTML markup.
The Rubrik cluster also includes configurable top and bottom page banners in the web UI. The banner text
and the banner background color can be configured.

Setting the login banner text


Use the Rubrik CDM web UI to set the login banner text.

Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Cluster Settings.
The Cluster Settings page appears.
4. In Login Banner Text, enter the login notice text.



Result
The Rubrik cluster saves the content and adds it to the modal dialog box on the login screen for
subsequent logins.

Archive storage
When data management products are targeted, most malicious attack vectors focus on external archive
locations before attacking the local snapshot data.
Once data is archived, it is no longer on the Rubrik cluster, and the customer's security practices must
protect it from malicious attack vectors. It is critical that customers follow best practices to secure the
archive locations, particularly if the CloudOut feature is used with the Rubrik cluster to archive snapshots
for long-term retention.

Archive storage and the principle of least privileged access


Follow the principle of least privilege with the Rubrik CloudOut feature.
Access to the cloud archival location should use the minimum privileges needed to perform the write and
read operations, and each bucket or archive should have its own dedicated security principal rather than
sharing one. If the credentials for an archival location are compromised, minimum privileges and per-archive
principals limit how far an attacker can reach into the cloud environment with those credentials.

Best practices for NFS and SMB security


Rubrik CDM uses the NAS protocols NFS and SMB for some of its features, including NAS protection, Live
Mount, Managed Volume, Volume Group Snapshots, Bare Metal Recovery and Archival operations.
Customers must make sure that the Server Message Block (SMB) and Network File System (NFS) protocols
used with Network Attached Storage (NAS) are secured to prevent unauthorized access to the protected data.
The Rubrik cluster file system is immutable, so data cannot be altered through these protocols, but it can
still be read by anyone who can mount the share.
This table lists the best practices for using these protocols.

Use secure SMB for SMB shares.
The Rubrik cluster can use secure SMB, which requires authenticated connections for SMB shares and prevents
unauthorized users or systems from accessing data during Live Mount or Managed Volume operations.

Use IP whitelists for all NFS archival locations and clients.
Whitelist the IP addresses on all NFS NAS devices to be backed up and on any NFS-based archival locations
that support them. Include the IP addresses of the Rubrik cluster nodes. This prevents unauthorized systems
from accessing the Rubrik archives and the NAS shares that the Rubrik cluster protects.

Use Kerberos for NFS archival locations.
Enable Kerberos when a NAS target for an NFS archival location supports it. Kerberos adds a username and
password authentication requirement to the NFS share used as the archiving target, increasing its security.
Configuring the archival location in the Rubrik cluster then requires a valid username and password.

Use username and password authentication for NFS file sets.
Configure username and password authentication for the protected NFS file sets on those NAS clients that
support it. This prevents unauthorized access to the protected NAS data.

Use Client Patterns with Managed Volumes.
When defining the fileset for NAS backup, use the Client Pattern feature to whitelist the IP addresses or
host names of the systems being protected. This prevents unauthorized systems from mounting the Managed
Volume and reading its data.

Harden the IPMI interface


Harden the default IPMI interface to improve security.
Hardening the IPMI interface includes creating a uniquely named IPMI user and disabling the default ADMIN
user, so that the well-known account name cannot be used against the baseboard management controller.
The steps require the ipmitool utility to be installed on a system that can reach the IPMI IP interface.
This system can be a virtual machine, laptop, or desktop.

Adding a new IPMI user


Add a uniquely named IPMI user.

Context
Perform these steps on all nodes of the cluster. Each ipmitool command below uses the -a option, so it
prompts for the IPMI password after the command is submitted.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the Rubrik CDM web UI.
The gear menu appears.
3. Click IPMI credentials.
The IPMI Credential screen appears with the Configure IPMI tab selected.
4. Select the IPMI Password tab.
5. Enter, then reenter a password.
6. Click Update.
The Rubrik cluster updates the IPMI password.
7. Connect to a node that has the ipmitool installed using SSH.
8. Type this command to list the IPMI users.

ipmitool -I lanplus -H Rubrik_node_IPMI_IP -U ADMIN -a user list

Where Rubrik_node_IPMI_IP is the IPMI IP address for the Rubrik cluster node.
9. Verify that the listing does not already include a user with the name being added, and that the user ID
slot to be used is empty.
10. Create the new IPMI user.
This example creates the ACME_User IPMI user with an IPMI ID of 4.

ipmitool -I lanplus -H Rubrik_node_IPMI_IP -U ADMIN -a user set name 4 ACME_User

11. Set the password for the IPMI user.
This example sets the password for the ACME_User user with an IPMI ID of 4. Because the password is
omitted from the command, ipmitool prompts for it instead of recording it in the shell history.

ipmitool -I lanplus -H Rubrik_node_IPMI_IP -U ADMIN -a user set password 4

ipmitool displays the password setting prompts.
12. Enter and confirm the password.
13. Type this command to set the channel access for the IPMI user.
This example grants ACME_User (ID 4) administrator privilege (privilege=4) on channel 1, with IPMI
messaging enabled and link authentication and call-in access disabled.

ipmitool -I lanplus -H Rubrik_node_IPMI_IP -U ADMIN -a channel setaccess 1 4 link=off ipmi=on callin=off privilege=4

14. Type this command to enable the IPMI user.
This example enables access to the BMC for the ACME_User user with an IPMI ID of 4.

ipmitool -I lanplus -H Rubrik_node_IPMI_IP -U ADMIN -a user enable 4
Result
The IPMI user is added.

Testing the IPMI interface


Verify the status of the IPMI interface.

Procedure
1. Connect to a node that has the ipmitool installed using SSH.
2. Use the ipmitool utility, authenticating as the new user, to list the IPMI user accounts and confirm
that the new user is present with the expected privilege level.
This example lists the configured users; it does not show who is currently logged in.

ipmitool -I lanplus -H Rubrik_node_IPMI_IP -U ACME_User -a user list

ID  Name       Callin  Link Auth  IPMI Msg  Channel Priv Limit
1              true    false      false     Unknown (0x00)
2   ADMIN      false   false      true      ADMINISTRATOR
3   RUBRIK     true    false      true      ADMINISTRATOR
4   ACME_User  false   false      true      ADMINISTRATOR
5              true    false      false     Unknown (0x00)
6              true    false      false     Unknown (0x00)
7              true    false      false     Unknown (0x00)
8              true    false      false     Unknown (0x00)
9              true    false      false     Unknown (0x00)
10             true    false      false     Unknown (0x00)

Where Rubrik_node_IPMI_IP is the IPMI IP address for the Rubrik cluster node.
3. Use the new IPMI user to run a harmless query, which confirms that the account can authenticate and
issue commands.
This command reports whether the system chassis power is on.

ipmitool -I lanplus -H Rubrik_node_IPMI_IP -U ACME_User -a power status

ipmitool -I lanplus -H Rubrik_node_IPMI_IP -U ACME_User -a power status

Result
The IPMI interface is verified.

Disabling the IPMI ADMIN user


The ADMIN user is enabled by default. Disable the ADMIN user to harden access security.

Procedure
1. Connect to a node that has the ipmitool installed using SSH.
2. Type this command, authenticating as the new user, to disable the ADMIN user (ID 2) on the IPMI
interface.

ipmitool -I lanplus -H Rubrik_node_IPMI_IP -U ACME_User -a user disable 2

Where Rubrik_node_IPMI_IP is the IPMI IP address for the Rubrik cluster node.
3. Optional: Type this command to verify from the command line that the ADMIN user is disabled.

ipmitool -I lanplus -H Rubrik_node_IPMI_IP -U ADMIN -a user list

If the ADMIN user is disabled, this command fails with the message "Error: Unable to establish
IPMI v2 / RMCP+ session".
4. Optional: Verify from the IPMI web interface that the ADMIN user is disabled.
a) Log in to the IPMI site for each node with the new IPMI user ID.
The syntax is https://Rubrik_node_IPMI_IP.
b) Confirm in the IPMI user configuration that the ADMIN user is disabled.

Result
The IPMI ADMIN user is disabled on every Rubrik cluster node, hardening access security.
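The two procedures above, Adding a new IPMI user and Disabling the IPMI ADMIN user, are repeated on every node, and the step that matters most is proving that the new account can authenticate before ADMIN is disabled; otherwise a mistyped password locks you out of the BMC. The script below is an added example, not Rubrik tooling. It assumes ipmitool is installed, that IPMI_PASSWORD and NEW_PASSWORD are environment variables holding the current ADMIN password and the new user's password, and that NODES lists the node IPMI addresses; ACME_User and slot 4 are the guide's own example values, and the sample user listing is constructed.

```shell
#!/bin/sh
# Added example, not Rubrik tooling: performs "Adding a new IPMI user" and
# "Disabling the IPMI ADMIN user" on every node in NODES, and refuses to lock out
# ADMIN until the new account has answered a query as itself.
# Assumptions: ipmitool is installed; IPMI_PASSWORD holds the current ADMIN
# password (ipmitool's -E flag reads it, so it does not appear in argv or history);
# NEW_PASSWORD holds the new user's password; NODES is a space-separated list of
# node IPMI addresses. ACME_User and slot 4 are the guide's example values.

NEW_USER=${NEW_USER:-ACME_User}
NEW_ID=${NEW_ID:-4}
ADMIN_ID=2
CHANNEL=1

# Constructed sample of `ipmitool user list` output, in the shape the guide shows,
# used by the offline slot check below.
SAMPLE_USER_LIST='ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      Unknown (0x00)
2   ADMIN            false   false      true       ADMINISTRATOR
3   RUBRIK           true    false      true       ADMINISTRATOR
4                    true    false      false      Unknown (0x00)'

# slot_available LISTING ID NAME: 0 if slot ID exists and is unnamed and NAME is
# not used by any slot (step 9 of the guide). An unnamed slot has its Callin
# flag, true or false, in the Name column.
slot_available() {
    listing=$1; id=$2; name=$3
    if printf '%s\n' "$listing" | awk -v n="$name" '$2 == n { found = 1 } END { exit !found }'; then
        echo "user $name already exists" >&2; return 1
    fi
    printf '%s\n' "$listing" | awk -v i="$id" '
        $1 == i && ($2 == "true" || $2 == "false") { free = 1 }
        END { exit !free }'
}

# Run an ipmitool command against node $1 as ADMIN, password from IPMI_PASSWORD.
as_admin() { h=$1; shift; ipmitool -I lanplus -H "$h" -U ADMIN -E "$@"; }

harden_node() {
    node=$1
    listing=$(as_admin "$node" user list) || return 1
    slot_available "$listing" "$NEW_ID" "$NEW_USER" || return 1
    # Steps 10 to 14 of the guide. The password is passed as an argument here,
    # so run this only from a host whose process list is trusted.
    as_admin "$node" user set name "$NEW_ID" "$NEW_USER" &&
    as_admin "$node" user set password "$NEW_ID" "$NEW_PASSWORD" &&
    as_admin "$node" channel setaccess "$CHANNEL" "$NEW_ID" link=off ipmi=on callin=off privilege=4 &&
    as_admin "$node" user enable "$NEW_ID" || return 1
    # Disable ADMIN only after the new account proves it can authenticate.
    IPMI_PASSWORD=$NEW_PASSWORD ipmitool -I lanplus -H "$node" -U "$NEW_USER" -E power status >/dev/null || {
        echo "$node: $NEW_USER cannot log in; ADMIN left enabled" >&2; return 1; }
    IPMI_PASSWORD=$NEW_PASSWORD ipmitool -I lanplus -H "$node" -U "$NEW_USER" -E user disable "$ADMIN_ID"
}

for n in ${NODES:-}; do
    harden_node "$n" && echo "$n: $NEW_USER added, ADMIN disabled"
done
```

The slot check refuses to reuse a slot that already carries a name, or a slot the BMC did not list at all, and the ADMIN account is only disabled once the new user has completed a command of its own; if that final check fails on a node the script stops there with ADMIN still enabled, so the node remains reachable for a retry.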

Disabling the virtual media


Disable the virtual media and switch to SMC RAKP authentication.

Procedure
1. Log into the IPMI site for each node with the IPMI user ID.
The syntax is https://Rubrik_node_IPMI_IP.
2. Click Configuration > Port.
3. Uncheck Virtual media port.
4. Click Save.
5. Click Miscellaneous > SMC RAKP.



6. Click Enable.
The RAKP status is enabled.
7. Click Save.

Result
The virtual media port is disabled and SMC RAKP authentication is enabled.
Penetration testing tools may still retrieve a password hash for an IPMI user, because the RAKP exchange
returns a password-derived HMAC to the client before authentication completes. A strong password keeps
that hash from being cracked offline.
After SMC RAKP (Supermicro's variant of the RMCP+ Authenticated Key-Exchange Protocol) is enabled,
standard RAKP is disabled and the node no longer answers requests from ipmitool. Use SMCIPMITool to
execute commands instead. The IPMI documentation describes SMC RAKP.

Password management configuration


The default password included with the appliance must be changed to a strong password. All administrators
and end users must use strong passwords.
As a security best practice, passwords must be managed with an authentication server such as Active
Directory. However, a locally configured password for privileged access is still needed in case the
authentication server fails.
Active Directory account passwords are controlled by the appropriate domain security policy.
Related Concepts
Strong passwords
If a Rubrik cluster has the zxcvbn password strength checker enabled, passwords for local users will be
checked against the zxcvbn criteria for a strong password.

Harden encryption
The Rubrik node should be configured with encryption to protect the confidentiality and integrity of all
information at rest.
The Rubrik cluster supports native encryption using an on-board TPM chip and customer-managed
encryption using the KMIP protocol on hardware-based appliances that support this configuration. The
Rubrik cluster uses TLS to encrypt UI and REST API traffic with a default, self-signed certificate.

Verifying encryption on Rubrik cluster nodes


Rubrik nodes that are configured with encryption include the image of a lock on their node information
page.

Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Dashboard > System Performance.
The System Performance page appears.
3. Click the name of a node.
The node information page appears.
4. Verify that all disks include the image of a lock next to them, indicating they are configured for
encryption.



Result
The Rubrik cluster node encryption is verified.

Using a certificate signed by a trusted CA


The Rubrik cluster supports using a certificate signed by a trusted certificate authority (CA).

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the Rubrik CDM web UI.
The gear menu appears.
3. Click Certificate Management.
The Certificate Management page appears with the Certificates tab selected.
4. Verify that the certificate listed was issued by a trusted CA and is not the cluster's default self-signed
certificate.

Result
The certificates are signed by a trusted certificate authority (CA).
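Both Configuring the TLS protocol and Using a certificate signed by a trusted CA verify through the web UI. The same two properties, which TLS versions the cluster negotiates and whether it still presents the default self-signed certificate, can be checked from outside with openssl. The script below is an added example, not Rubrik tooling; RUBRIK_HOST is an assumed environment variable, port 443 is assumed for the web UI, and the sample subject and issuer strings in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not part of the Rubrik guide): checks from a workstation that
# the cluster's web/API endpoint refuses TLS 1.0, offers TLS 1.2, and presents
# a certificate that is not self-signed.
# Assumptions: openssl is installed; RUBRIK_HOST is the cluster address; the
# web UI listens on 443.

PORT=443

# 0 if the server completes a handshake with the given protocol flag
# (-tls1, -tls1_1, -tls1_2 or -tls1_3). s_client exits non-zero on failure.
handshake_ok() {
    openssl s_client -connect "$RUBRIK_HOST:$PORT" "$1" </dev/null >/dev/null 2>&1
}

# Given the output of `openssl x509 -noout -subject -issuer`, return 0 if the
# certificate is self-signed (issuer equals subject), which is how the default
# Rubrik certificate presents itself. A private root CA also matches, so treat
# a hit as "still needs a look", not as proof.
is_self_signed() {
    subject=$(printf '%s\n' "$1" | sed -n 's/^subject=//p')
    issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer=//p')
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# Subject and issuer of the leaf certificate the cluster presents.
server_cert_names() {
    openssl s_client -connect "$RUBRIK_HOST:$PORT" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer
}

if [ -n "${RUBRIK_HOST:-}" ]; then
    if handshake_ok -tls1; then echo "WARNING: TLS 1.0 accepted"; else echo "TLS 1.0 refused"; fi
    if handshake_ok -tls1_1; then echo "NOTE: TLS 1.1 accepted (allowed only as a fallback)"; else echo "TLS 1.1 refused"; fi
    handshake_ok -tls1_2 && echo "TLS 1.2 accepted" || echo "WARNING: TLS 1.2 not offered"
    names=$(server_cert_names)
    if is_self_signed "$names"; then
        echo "WARNING: self-signed certificate still in use"
    else
        echo "certificate issued by a separate CA"
    fi
    printf '%s\n' "$names"
fi
```

For a default cluster the names come back as, for example, subject=CN=rubrik-cluster and issuer=CN=rubrik-cluster, and is_self_signed reports a hit; after the CSR from Generating a CSR signed by an arbitrary certificate authority has been signed and installed, the issuer line names the CA instead. Note that an OpenSSL build compiled without TLS 1.0 support fails the -tls1 handshake on the client side, so a "refused" result on such a build says nothing about the server.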

Generating a CSR signed by an arbitrary certificate authority


Generate a CSR to use a certificate signed by an arbitrary certificate authority.

Context
The certificate signing request (CSR) is available on the Rubrik cluster and on the local storage of the
computer used to generate the CSR.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the Rubrik CDM web UI.
The gear menu appears.
3. Click Certificate Management.
The Certificate Management page appears with the Certificates tab selected.
4. Click the CSRs tab.
The Certificate Management page changes to the Certificate Signing Request tab.
5. In the top right, click Generate CSR.
The Generate Certificate Signing Request dialog box appears.
6. Fill out the fields and click Generate.
The CSR appears.
7. Click Download.

Result
The web browser saves the CSR to local storage as a text file.

Signature matching verification for upgrades


All Rubrik software images are signed by Rubrik Engineering.
Rubrik Engineering's signature for the Rubrik software is verified during the boot process. Software
upgrades fail if the signature does not match. Only the Rubrik support portal (https://support.rubrik.com)
provides the Rubrik CDM patches.



Disable unused network ports
Network ports that are unused should be disabled.
Hardening the Rubrik cluster includes enabling only the network ports that are required for user interaction
with the product and communication between different internal processes. Since all unused ports are
disabled by default, no customer action is required.

Hardening requirements for a high-security system


This section provides hardening procedures for the Rubrik cluster in a high-security system.
Each hardening requirement in this section is identified with the associated Vulnerability ID and/or
STIG ID. This allows customers to cross reference the hardening step below with its associated STIG
requirement.
Typically, a product hardening guide is focused on hardening the operating system of an appliance. The
Rubrik CDM appliance utilizes a true appliance model as verified by DISA. This means that the OS, a STIG
hardened derivative of Linux, is completely locked from any and all access. The result is that the hardening
steps provided below are really configuration steps required by the Application Server STIG, Network
Devices STIG and Web STIG.
If a hardening requirement is repeated because it involves more than one STIG control, then the
requirement is only provided once in this document.
This table includes the tasks required to harden high-security Rubrik CDM installations.

Task: Configure the Rubrik cluster to authenticate users.
Description: Rubrik supports both local authentication and authentication with Active Directory.
Configuring for Active Directory authentication describes how to use an enterprise identity
management solution to authenticate users.

Task: Configure the Rubrik appliance to use a secondary authentication mechanism.
Description: The Rubrik cluster supports RSA, Duo, and DoD PKI CAC x.509 certificates. Verify the
appropriate domain is configured.

Task: Verify the Rubrik cluster encrypts all information at rest.
Description: The Rubrik cluster must be configured with encryption to protect the confidentiality and
integrity of all information at rest. Harden encryption describes how to configure the Rubrik cluster
with encryption.

Task: Update the value for Web session timeouts.
Description: The value for webSessionTimeoutMinutes must be up-to-date. Configuring this value is
described in Updating the value for a Web session timeout.

Task: Review the process for shutting down a Rubrik node.
Description: The Rubrik cluster administrator must be familiar with the steps to shut down a node
immediately during an attack. The Rubrik CDM Hardware Guide includes information about shutting
down a node.

Task: Verify the Rubrik cluster uses a centralized Syslog server.
Description: The Rubrik cluster must be configured to send out logs immediately to a central audit
server. See Enabling the syslog server.

Task: Verify the Rubrik cluster uses Coordinated Universal Time (UTC).
Description: The Rubrik cluster must be configured to use UTC so there is a standardized time for all
events. UTC configuration steps are described in Verifying the Rubrik cluster uses UTC.

Task: Verify the Rubrik cluster uses DoD-approved certificate authorities.
Description: The Rubrik cluster must be configured to use only certificates issued by a certificate
authority (CA) approved by the Department of Defense. Configuring these certificates is described in
Using DoD-approved certificate authorities.

Task: Verify the timing for patch installation.
Description: Rubrik CDM patches must be applied to the system within a time frame directed by an
authoritative source.

Task: Limit the number of concurrent sessions.
Description: The Rubrik cluster must be configured to limit the number of concurrent sessions to an
organization-defined number for all administrator accounts and administrator account types. Contact
Rubrik Support to reset the session limit.

Task: Display a DoD-approved banner.
Description: The Rubrik cluster must display a DoD-approved banner that is formatted in accordance
with DTM-08-060. Configuring this banner is described in Displaying a DoD-approved banner.

Task: Configure the Rubrik cluster for an account of last resort.
Description: The Rubrik cluster must be configured with an account of last resort. The steps to
configure this account are described in Configuring for an account of last resort.

Task: Verify successful logins are displayed in the log.
Description: Successful logins must be displayed in the Rubrik cluster log. The steps for configuring
the log are described in Verifying successful logins are displayed in the log.

Task: Verify the Rubrik cluster includes an emergency account.
Description: The Rubrik cluster must not contain any local accounts other than an emergency account.
Configuring an emergency account is described in Verifying an emergency account.

Updating the value for a Web session timeout


Make sure the value for a Web session timeout is current.

Context
The value for a Web session timeout is determined with the webSessionTimeoutMinutes parameter.

Procedure
1. SSH to the Rubrik appliance using the admin account.

2. Type the following command in the Rubrik CLI.

rubrik_tool update_config crystal webSessionTimeoutMinutes [value]

Result
The Rubrik CLI updates the value for webSessionTimeoutMinutes.

Verifying the Rubrik cluster uses UTC


Verify the Rubrik cluster is configured to use Coordinated Universal Time (UTC) so there is a
standardized time for all events.

Context
The default time zone used by a Rubrik cluster is the Coordinated Universal Time (UTC) time zone. If the
cluster is set to a different time zone, reset it to use UTC.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the web UI.
The gear menu appears.
3. Click Cluster Settings.
The Cluster Settings page appears.
4. In Cluster Time Zone, select the UTC time zone for the Rubrik cluster.
5. Click Update.

Result
The Rubrik cluster uses UTC.

Using DoD-approved certificate authorities


Verify the Rubrik node is configured to utilize only a certificate issued by a CA approved by the Department
of Defense (DoD).

Context
CAs approved by the DoD allow users to securely communicate with the DoD and authenticate to DoD
Information Systems.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the Rubrik CDM web UI.
The gear menu appears.
3. Click Certificate Management.
The Certificate Management page appears with the Certificates tab selected.
4. Verify that the certificates are DoD-approved by examining the properties of each of the listed
certificates.

Displaying a DoD-approved banner
Present a DoD-approved banner on the Rubrik cluster UI.

Context
A Department of Defense (DoD)-approved banner indicates that the Rubrik cluster is formatted in
accordance with DTM-08-060 and meets DoD standards.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the web UI.
The gear menu appears.
3. Click Cluster Settings.
The Cluster Settings page appears.
4. In Login Banner Text, enter the DoD-approved login notice text.
5. Click Update.

Result
The Rubrik cluster UI displays the DoD-approved banner.

Configuring for an account of last resort


Verify the Rubrik cluster is configured with one account for a user who can perform Administrator role
functions when the authentication server is not available.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the web UI.
The gear menu appears.
3. Click Users.
The Users page appears.
4. Verify there is at least one account with the Administrator Role.

Verifying successful logins are displayed in the log


Verify successful logins are displayed in the log section of the product.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the globe icon on the top bar of the Rubrik CDM web UI.
The recent messages list of the Activity Log appears.
3. On the recent messages list, click See all.
The Activity Log page appears.
4. Scroll the page to see the activity log.
5. Optional: Click Filter Status to select successful logins.

Result
The Activity Log displays all successful logins.

Verifying an emergency account
Verify that no local accounts exist other than an emergency account.

Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the web UI.
The gear menu appears.
3. Click Users.
The Users page appears.
4. Verify the only local account is an emergency account.
