Version 7.0
755-0198-01 A1
Legal Notices
Certain products and features, including Microsoft 365 Protection provided by Rubrik Polaris, are subject to
additional product-specific terms available at https://www.rubrik.com/en/legal.
By using the Rubrik Polaris Sonar application, you understand and acknowledge that Rubrik Polaris Sonar’s
pre-existing Policies and Analyzers contain general suggestions for data elements and formats based on
common data sets and formats. The suggested data elements and formats in Rubrik Polaris Sonar are not
intended to be a comprehensive or exhaustive list of data elements and formats regulated by the GDPR,
CCPA or any other applicable laws and regulations. We also do not guarantee that your Rubrik Polaris
Sonar search results will include every instance of each data element and format within your data set. We
Support
Use one of the following methods to contact Rubrik Support.
Revision History
Revision history for the Rubrik CDM Security Guide.
Related documentation
Rubrik provides documentation that covers a broad range of related concepts, tasks, and reference
information.
• Rubrik Polaris User Guide
• Rubrik Polaris Radar Quick Start Guide
• Rubrik CDM Release Notes
• Rubrik CDM User Guide
• Rubrik CDM Install and Upgrade Guide
• Rubrik CDM Security Guide
Preface 04/28/2022 | iv
• Rubrik CDM Cloud Cluster Setup Guide
• Rubrik CDM Hardware Guide
• Rubrik CDM CLI Guide
• Rubrik CDM Events Guide
• Rubrik Edge Install and Upgrade Guide
• Rubrik Virtual Cluster Install Guide
• Rubrik Compatibility Matrix
Products
To provide comments and suggestions about our products, contact Rubrik Support, as described in Support.
Product documentation
To provide comments and suggestions about the product documentation, please send your message by
email to: techpubs@rubrik.com.
Please include the following information about the product documentation to help us to find the content
that is the subject of your comments:
• Full title
• Part number
• Revision
• Relevant pages
Rubrik Build
Rubrik hosts community-based tools through the Rubrik Build program and associated GitHub repositories
for community-supplied tools.
Rubrik Build is an open source program that provides access to a growing community of enthusiasts and
experts across a number of languages and tools. Rubrik Build is used to create and improve projects that
simplify monitoring, testing, development, and automated workflows for Rubrik product deployments.
Rubrik Build includes the following resources:
• Software Development Kits
• Tooling Integrations
• Use Cases
• Community Projects
• Rubrik REST API documentation
Important: USE AT YOUR OWN RISK. Rubrik does not officially support the community tools. Carefully
investigate a community tool before using it. Always test a community tool on non-production data before
using the tool with production data.
Contents
Access control 19
User or group account roles 19
Local authentication 19
Strong passwords 20
Guidelines for choosing a strong password 21
The zxcvbn password strength checker 21
LDAP authentication 21
LDAP Credentials 22
LDAP Servers 22
Enabling multifactor authentication 23
List of audited events in the Rubrik cluster 36
The Rubrik cluster uses local accounts, domain or external accounts, and accounts for API access.
Rubrik cluster accounts include local accounts, domain or external accounts, and accounts for API access.
Local accounts are local to the Rubrik CDM server and are maintained by the local administrator of these
applications. Domain or remote accounts are accounts in an external identity store, such as Microsoft
Active Directory (AD). Domain or remote accounts are maintained outside of Rubrik CDM and are granted
access to operate the application on an individual or group basis. API access is provided by either a local
account or a domain or remote account. Tokens can be used with API access to provide time-limited
access to Rubrik CDM.
• Password rotation – Passwords should be changed every 30 to 90 days to minimize exposure time if a
password is compromised.
• Unique passwords across Rubrik clusters or instances – Each Rubrik cluster should have a unique set of
passwords. This is very important to secure any of the default users such as admin, and this prevents one
compromised set of credentials from being used across multiple systems.
• MFA on local accounts – Rubrik CDM supports multifactor authentication (MFA), allowing the Rubrik cluster
to challenge users for an authentication token. This authentication token is provided by an outside
authenticator. MFA blocks access from an attacker if a user’s credentials are compromised.
• Auditing and alerting enabled for failed login attempts – By alerting on and logging failed login attempts,
administrators are notified of any security breaches that are in progress. Preventative steps can then be
taken to stop any in-progress attacks.
• Admin access as an exception and not a rule – Use of the admin login, or users with full admin privileges,
should be restricted to only those operations that require admin-level access. Limiting the use of these
users reduces the chances of their credentials being intercepted and used by attackers. Day-to-day
administration should be done by users with the lowest level of privileges required to perform their jobs.
For an additional layer of security, the admin user passwords should be sharded and stored separately so
that no single person has access to all of the shards, providing two-person authentication for
administrative actions.
• Local user account lockout settings enabled – The Rubrik cluster can lock out local users for a period of
time if too many failed login attempts are recorded. By default, this setting is disabled. Enabling this
feature and configuring the settings appropriately prevents brute force attacks on local user accounts. In
addition, Rubrik CDM issues notifications to administrators that an account has been locked out due to
multiple failed attempts. The Configuration section of the Rubrik CDM User Guide describes configuring the
local user account lockout settings.
Context
The Rubrik node hardware includes a baseboard management controller (BMC) that can be used to
perform Intelligent Platform Management Interface (IPMI) tasks.
The Rubrik CDM web UI helps to assign a strong password and control access to the IPMI interface on all
nodes in the Rubrik cluster.
Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click IPMI Credentials.
The Configure IPMI page appears.
4. Select one of the following external services to access IPMI.
• HTTPS
• IKVM (Java for .Net)
5. Click Update.
6. Click IPMI Password.
Result
The Rubrik CDM web UI assigns a strong password and controls access to the IPMI interface on all nodes
in the Rubrik cluster.
Context
Perform these steps on all nodes of the Rubrik cluster.
Procedure
1. Download and install IPMIView utility.
The IPMIView utility is available at https://www.supermicro.com/products/nfo/SMS_IPMI.cfm.
2. Log in to the Rubrik cluster node.
Connect to the Rubrik cluster node using the IPMIView utility with the user password, ADMIN.
3. Click the Users tab.
4. Click Change Password.
5. Type the new password and click OK.
Result
The IPMIView GUI changes the IPMI admin user password.
Context
Changing the password for the Intelligent Platform Management Interface (IPMI) admin user using the
ipmitool command line utility provides additional security. Linux computers must have LAN or IP access to
the same IPMI network to which the Rubrik IPMI ports are connected.
The ipmitool utility includes complete online syntax descriptions.
Perform these steps on all nodes of the Rubrik cluster.
Procedure
1. Connect to the Rubrik cluster node using SSH.
2. At the command line, type this:
Result
The ipmitool changes the IPMI user password.
Context
Perform these steps on all nodes of the Rubrik cluster to reset the password without accessing the
network.
The ipmitool utility includes complete online syntax descriptions.
Procedure
1. Log in to the Rubrik cluster node.
2. Type this command to verify there is a single ADMIN user with an ID value of 2.
sudo ipmitool user list
The list of users should contain a single user, ADMIN, with an ID value of 2.
3. Type this command to reset the password.
sudo ipmitool user set password 2 new_password
4. Enter the new password.
Result
The ipmitool changes the IPMI user password.
Context
Perform these steps to replace the IPMI self-signed certificates with properly signed certificates.
Use the ipmitool to retrieve the IPMI address. The ipmitool utility includes complete online syntax
descriptions.
Procedure
1. Access the IPMI with HTTPS from the browser using this syntax:
https://IPMI_ADDRESS
Rubrik cluster includes automation for user accounts, authentication mechanisms, and storing credentials.
Each automation task includes a user account. This account should be assigned to a custom role that
provides only the privileges required to successfully execute the automation. The user account should not
have any data expiry or SLA change and deletion permissions. This ensures that any damage to the Rubrik
cluster is minimized if the credentials for the user account are compromised.
Token authentication is the preferred authentication mechanism for connecting to a Rubrik cluster.
Though the Rubrik CDM API supports both basic and token authentication, token authentication is
preferred when connecting to a Rubrik cluster programmatically because a token can easily be deleted
without affecting the user account if it is leaked, compromised, or no longer needed. Token-based API
authentication is mandatory for time-based one-time password (TOTP) multifactor authentication (MFA).
Access control
Access control guarantees that users are who they say they are and that they have the appropriate access
to company data.
The Rubrik cluster authenticates Rubrik cluster user accounts at login. Authentication verifies that the user
account is known to the Rubrik cluster and that the correct user account credentials were provided, or a
valid digital user certificate is used. After authentication, the Rubrik cluster uses the role and privileges
assigned to the user account to determine what actions are permitted during the session.
Role – Privileges
• Administrator – Full access to all Rubrik operations on all objects.
• End user – Access to assigned objects and the ability to browse snapshots, recover files, and perform
live mounts.
• No access – Cannot log in to the Rubrik web UI and cannot make REST API calls.
A local user account is automatically assigned the no access role when it is first created. An administrator
must change this role to either an end user or administrator role to activate this account and grant a set of
privileges. Lightweight Directory Access Protocol (LDAP) directory accounts must also be activated before
they can access the Rubrik cluster.
The resources in a Rubrik cluster can be partitioned into independently managed collections known as
tenant organizations. Users in tenant organizations have privilege levels that are managed by users with
the organization admin role.
Local authentication
Local authentication methods control access to local accounts on the Rubrik cluster.
For local authentication, the Rubrik cluster stores each local user’s username in a database. The Rubrik
cluster uses that information along with the user’s password to authenticate a login. By default, the Rubrik
cluster requires passwords to be of at least eight characters. Rubrik clusters do not support passwords
longer than 1000 characters.
For local user accounts, a more stringent password strength checker is available, which is based on the
zxcvbn algorithm.
Strong passwords
If a Rubrik cluster has the zxcvbn password strength checker enabled, passwords for local users will be
checked against the zxcvbn criteria for a strong password.
The zxcvbn algorithm estimates the strength of a password by measuring its entropy. Entropy is a measure
of randomness and unpredictability that indicates how difficult it is to guess a particular password.
Recognizable character patterns have low entropy and require very little computing power to guess.
Character strings that can only be guessed by trying every possible character combination have high
entropy and take much longer to guess.
Examples of passwords and character patterns that are easy to guess include:
• Single words that can be found in a dictionary.
• Common passwords, such as passw0rd, letmein, or abc123.
• Repeated characters, such as aaaa or 2222.
• Character sequences, such as abcd or 1234.
• L33t speak, where numbers and symbols are used in place of letters; for example, 3 for e, @ for a, and
$ for s.
• Spatial patterns, which correspond to adjacent keys on a keyboard, such as qwerty or ujm.
The zxcvbn algorithm parses a password and identifies distinct pattern segments that can be guessed by
different password guessing methods. The algorithm then calculates the entropy for each segment, and
correlates that to the time it would take to guess the pattern.
The following table shows the pattern matching methods used by the zxcvbn algorithm and the resulting
entropy calculations for the password Rom#16:22GreetYou. Where the algorithm cannot find a pattern
match for a particular segment, the pattern is listed as None.
The entropy calculated for the entire password is the sum of the entropies for each segment plus the
configuration entropy. Configuration entropy refers to the additional entropy introduced by the number of
password segments and the way they are arranged.
Note: Passwords that would be considered strong by a traditional Lowercase Uppercase Digit Symbol
(LUDS) strength estimator might be rejected as too weak by zxcvbn.
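The segmentation and entropy summation described above, as an added example that is not part of the guide and not zxcvbn's own code: a simplified Python estimator that recognizes the pattern classes listed in this section (dictionary words, l33t substitutions, repeats, sequences, spatial runs, with anything left over scored as brute force, listed as None) and scores the section's sample password Rom#16:22GreetYou. The word list, the l33t table and the configuration-entropy formula are constructed assumptions for the example.

```python
import math
from collections import namedtuple

# Constructed, deliberately tiny ranked word list (rank 1 = first guess); real
# zxcvbn ships tens of thousands of ranked words, names and common passwords.
RANKED_WORDS = ["password", "letmein", "abc123", "admin", "rubrik",
                "greet", "rom", "you", "square", "sponge"]
RANK = {w: i + 1 for i, w in enumerate(RANKED_WORDS)}
L33T = {"3": "e", "@": "a", "$": "s", "0": "o", "1": "i", "!": "i", "4": "a"}
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]   # horizontal adjacency only
SYMBOLS = 33                                          # printable ASCII symbols
Segment = namedtuple("Segment", "pattern token entropy")  # pattern "None" = brute force

def charset_size(s):
    """Alphabet size a brute-force guesser needs for the characters in s."""
    n = 0
    if any(c.islower() for c in s): n += 26
    if any(c.isupper() for c in s): n += 26
    if any(c.isdigit() for c in s): n += 10
    if any(not c.isalnum() for c in s): n += SYMBOLS
    return n

def dictionary_bits(word, token):
    bits = math.log2(RANK[word])                          # rank 1 costs 0 bits
    return bits + 1 if token != token.lower() else bits   # capitalisation: 1 bit

def match_dictionary(s):
    """Longest prefix of s that is a ranked word, directly or after un-l33ting."""
    for end in range(len(s), 0, -1):
        tok, plain = s[:end], s[:end].lower()
        if plain in RANK:
            return Segment("dictionary", tok, dictionary_bits(plain, tok))
        unleet = "".join(L33T.get(c, c) for c in plain)
        if unleet != plain and unleet in RANK:
            return Segment("l33t", tok, dictionary_bits(unleet, tok) + 1)
    return None

def match_repeat(s):
    """Same character three or more times, e.g. aaaa or 2222."""
    n = 1
    while n < len(s) and s[n] == s[0]:
        n += 1
    return Segment("repeat", s[:n], math.log2(charset_size(s[0]) * n)) if n >= 3 else None

def match_sequence(s):
    """Ascending or descending runs of letters or digits, e.g. abcd, 1234, dcba."""
    if len(s) < 3 or not s[0].isalnum() or ord(s[1]) - ord(s[0]) not in (1, -1):
        return None
    step, n = ord(s[1]) - ord(s[0]), 2
    while n < len(s) and s[n].isalnum() and ord(s[n]) - ord(s[n - 1]) == step:
        n += 1
    tok = s[:n]
    if n < 3 or not (tok.isalpha() or tok.isdigit()):
        return None
    base = 1.0 if tok[0] in "aA1" else math.log2(charset_size(tok[0]))
    return Segment("sequence", tok, base + math.log2(n) + (1 if step < 0 else 0))

def match_spatial(s):
    """Runs of horizontally adjacent QWERTY keys, e.g. qwerty or asdf."""
    low = s.lower()
    row = next((r for r in QWERTY_ROWS if low[0] in r), None)
    if row is None:
        return None
    n = 1
    while (n < len(low) and low[n] in row
           and abs(row.index(low[n]) - row.index(low[n - 1])) == 1):
        n += 1
    if n < 3:
        return None
    # start key and length, then one of two neighbours per step (simplified model)
    return Segment("spatial", s[:n], math.log2(len(row) * n) + (n - 1))

def brute_force(tok):
    return Segment("None", tok, len(tok) * math.log2(charset_size(tok)))

def segment(password):
    """Greedy left-to-right split into pattern segments. Real zxcvbn searches all
    splits for the minimum-entropy one; here the cheapest match per position wins."""
    segs, i = [], 0
    while i < len(password):
        rest = password[i:]
        cands = [m for m in (match_dictionary(rest), match_repeat(rest),
                             match_sequence(rest), match_spatial(rest)) if m]
        best = (min(cands, key=lambda m: m.entropy / len(m.token))
                if cands else brute_force(rest[0]))
        step = len(best.token)
        if best.pattern == "None" and segs and segs[-1].pattern == "None":
            best = brute_force(segs.pop().token + best.token)   # merge brute-force run
        segs.append(best)
        i += step
    return segs

def estimate_entropy(password):
    """Total bits = sum of segment entropies + configuration entropy, which is
    modelled here (assumption) as log2(n!) for n segments."""
    segs = segment(password)
    return sum(s.entropy for s in segs) + math.log2(math.factorial(len(segs))), segs
```

With the constructed word list, Rom#16:22GreetYou splits into Rom (dictionary), #16:22 (None, brute force), Greet (dictionary) and You (dictionary), and almost all of its strength comes from the brute-force segment.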
GET /cluster/{id}/security/password/zxcvbn
The POST command can enable the zxcvbn password strength checker.
POST /cluster/{id}/security/password/zxcvbn
LDAP authentication
The Rubrik cluster uses LDAP to authenticate users who log in through the Rubrik CDM web UI welcome
screen.
The Rubrik cluster connects to one or more Lightweight Directory Access Protocol (LDAP) servers through
a service or bind account with read access. This account enables the Rubrik cluster to search information
about the user, such as email address and group membership. A base distinguished name (DN) will narrow
the search to a specific location within the LDAP directory tree. Search filters will identify specific groups or
users to further narrow the search.
The Rubrik CDM web UI requests LDAP server information in three stages:
• Credentials – Establishes the starting point of an LDAP directory search for a user who is trying to log in
to the Rubrik cluster.
• Servers, User and Group Settings – Servers require a list of one or more LDAP servers to search, and
user settings specify how Rubrik determines who is a user, and what attributes to use when mapping
users to the respective LDAP directory.
• Multifactor Authentication – Adds one or more factors to the basic authentication process, which
prevents unauthorized users from accessing the Rubrik cluster.
The Rubrik cluster uses the user management system to control authorization for authenticated users.
Related Concepts
LDAP Credentials
LDAP Credentials
LDAP Credentials establish the starting point of an LDAP directory search for a user who is trying to log in
to the Rubrik cluster.
The Rubrik cluster uses the parameters shown in the following table to search for information about
an authenticated user in the Lightweight Directory Access Protocol (LDAP) directory structure and to
authenticate a user. The LDAP or Active Directory administrator can suggest the actual values to use.
Parameter – Description
• Domain or Domain Display Name – Name used by the Rubrik cluster when referring to this LDAP
integration. Users can enter this name for the Domain when logging in on the welcome screen. Domain
Display Name can be an alias for the domain that is easier to remember than the full domain name. This
information is not case sensitive.
• Base DN – Indicates where to begin searching within the LDAP tree. If not specified, the Rubrik cluster
will begin searching at the root (defaultNamingContext).
• Bind DN or Username – User with read privileges that can be used to search the LDAP directory to
obtain information such as group membership.
• Password – Password for the account entered as the Bind DN or Username.
• CA Certificates – A .PEM format X.509 certificate is used either to validate an explicitly chosen TLS-
capable LDAP server, or when the LDAP server offers support for StartTLS.
The Rubrik cluster supports multiple LDAP domains; however, when a user provides a Domain or Domain
Display Name in the login screen, only that domain is searched for the user’s credentials.
The Rubrik cluster uses the LDAP information for authentication on the local Rubrik cluster only. To enable
LDAP authentication on another Rubrik cluster, log in to that Rubrik cluster and provide the required
information.
When an LDAP server cannot be reached, the Rubrik cluster rejects logins that authenticate against that
server. Until an LDAP server becomes available, the Users and Groups page will not show authorization for
any LDAP users or groups associated with that server.
Note: Unlike the Rubrik web UI, the Rubrik REST API does not authenticate using the Domain Display
Name value. For LDAP authentication through the Rubrik REST API, the server searches through all LDAP
users in the Organization.
LDAP Servers
The Rubrik cluster requires a list of one or more LDAP servers for connection security.
Lightweight Directory Access Protocol (LDAP) servers can be specified in two ways:
Note: If the field is empty, the Rubrik cluster is forced to connect using only the dynamic DNS name.
Context
Lightweight Directory Access Protocol (LDAP) is configured per directory as part of the LDAP directory
configuration. Enforce LDAP globally by enabling Time-based One-time Password (TOTP) globally, which
applies to all LDAP and local users.
Procedure
1. (If at least one RSA SecurID server has been configured) Select the RSA SecurID server to use for
multifactor authentication.
2. Click Add.
Result
The LDAP users are configured for multifactor authentication.
The Rubrik cluster provides local, LDAP and SAML/SSO authentication for Rubrik cluster user accounts.
Authentication restricts access to a specified set of users. Robust authentication prevents third parties from
representing themselves as legitimate users. Rubrik clusters support authentication with local usernames
and passwords as well as through Active Directory.
For local authentication, the Rubrik cluster validates the username and password typed in the login fields
against values in a database on the Rubrik cluster. The Rubrik cluster creates a session and assigns the role
and privileges of the user account to the session when the login information matches a user account in the
database.
For LDAP authentication, the Rubrik cluster determines whether to create a session by authenticating the
username and password typed in the login screen with an available LDAP directory server.
The Rubrik cluster attempts to authenticate the user account against the specified domain if a domain
or domain display name is specified during login. If the Rubrik cluster does not recognize the specified
domain, or if the user’s credentials are not valid for that domain, the login fails.
If the domain or domain display name field on the login screen is left empty, the Rubrik cluster searches
the local directory until it finds the username. If a match is not found in the local directory, the Rubrik
cluster searches all available LDAP domains. If a match is found, the Rubrik cluster assigns the role and
privileges of the user account to the session.
Most REST API endpoints accept Basic and Token (Bearer) types of authorization.
Authentication methods
The Rubrik cluster uses a variety of authentication methods.
This table describes the similarities and differences between the authentication methods.
• Is the local admin account created during installation?
Local accounts – Yes. The admin user account has the username ‘admin’ and the Administrator role. The
admin user account cannot be deleted or modified except to change the password. The password of the
admin user account in the Rubrik CDM web
LDAP accounts – The admin account is not created by the Rubrik cluster.
• Modified view for accounts with the end user role?
Local accounts – The Rubrik cluster modifies the Rubrik CDM web UI view to show only the resources
applicable to the assigned privileges.
LDAP accounts – The Rubrik cluster modifies the Rubrik CDM web UI view to show only the resources
applicable to the assigned privileges.
• Display accounts with the No Access role?
Local accounts – Yes.
LDAP accounts – No.
• Performs group authentication?
Local accounts – No.
LDAP accounts – Yes. Users log in using the credentials of a user account who is a member of the group.
The Rubrik cluster combines the privileges of the user account for the session with the privileges of all
the groups to which the user belongs.
• Can the accounts change an account role?
Local accounts – Accounts with the Administrator role can change the role of any other account, except
the local admin user account. If an account’s role is changed to end user, at least one privilege must be
assigned.
LDAP accounts – Accounts with the Administrator role can change the role of any other account, except
the local admin user account. If an account’s role is changed to an end user, at least one privilege must
be assigned.
• Can the accounts assign end user privileges?
Local accounts – Requires Administrator role. After creating an account, change the account role to assign
privileges.
LDAP accounts – Requires Administrator role. Change the user account role to assign privileges.
• Can the accounts modify end user privileges?
Local accounts – Requires Administrator role.
LDAP accounts – Requires Administrator role.
Procedure
1. Log in to the Rubrik CDM web UI as an admin user or a user with the Administrator role.
2. Click the gear icon.
3. Click Users.
Result
The Users and Groups page appears where you can view the authentication and authorization information
for accounts.
Role – Privileges
• Administrator role, including the read-only admin role and the infra admin role – All privileges.
• End User role – Specified privileges only. Included with versions of Rubrik CDM earlier than 5.2.1.
• No Access role – No privileges and cannot start a web UI session.
After the initial cluster setup, assign roles to local or Active Directory user accounts according to the
privileges those user accounts require.
Procedure
1. Encode the string “{username}:{password}” using Base64.
Where {username} is the actual username and {password} is the actual password. The colon between
username and password is important, even if there is no password.
In this example, the username is “SpongeBob” and the password is “SquarePants”.
2. Prefix this string with the word Basic, resulting in “Basic {base64_value}”.
“Basic U3BvbmdlQm9iOlNxdWFyZVBhbnRz”
Result
A header key of Authorization is created, storing the previous string as the value.
Procedure
1. Log in to the Rubrik CDM web UI.
2. Open the User account menu and select API Token Manager.
The API Token Manager dialog box appears.
3. Click the plus icon at the top right of the dialog box.
The Generate API Token dialog box appears.
4. In Duration, type the number of days the token will be valid.
The default duration is 30 days.
5. In Tag, enter a name to distinguish this token from other tokens.
If no tag name is entered, the tag name will appear as API Token in the list of tokens.
6. Click Generate.
The Copy API Token dialog box appears.
7. Click Copy and store the API token for future use.
Result
The display shows a list of API token IDs along with the associated token tag names, expiration dates, and
last activity.
Context
These steps require an API token. See Generating an API token to create the API token.
Procedure
1. Open https://RubrikCluster/docs/internal/playground/
Where RubrikCluster is the resolvable hostname or IP address of the Rubrik cluster.
The Rubrik REST API Explorer appears.
2. Click Authorize.
The Available authorizations dialog box appears.
3. Paste the API Token in the Bearer section of the dialog box.
4. Click Authorize.
The Rubrik REST API Explorer opens a session and stores the session token.
Result
The authorized API token remains in place until it reaches the expiration date and time. The token is
invalidated after expiration.
Using a token for authorization changes the header construction slightly. The key remains Authorization,
but the value changes to using the word Bearer followed by the token.
For example, this token includes the word Bearer followed by the token joiN2NiNGIyN:
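Both header constructions described in this section, the Basic form from the earlier procedure and the Bearer form above, as an added Python example that is not part of the guide. The username, password and token are the guide's own sample values; the parsing function is an assumption added to show how a receiving side rejects a malformed header, including the common mistake of encoding a trailing newline with the credentials.

```python
import base64
import binascii


def basic_authorization(username, password):
    """'Basic ' + Base64('{username}:{password}'). The colon is mandatory even
    when the password is empty, and nothing else (no newline) is encoded."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_authorization(token):
    """'Bearer ' + the API token, used unchanged."""
    if not token or any(c.isspace() for c in token):
        raise ValueError("API token must be a single non-empty string")
    return "Bearer " + token


def parse_authorization(header):
    """Decode a header back into (scheme, credential): (username, password) for
    Basic, the token for Bearer. Malformed input raises instead of being guessed."""
    scheme, _, value = header.partition(" ")
    if scheme == "Basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError("malformed Basic credential") from exc
        username, sep, password = decoded.partition(":")
        if not sep:
            raise ValueError("Basic credential lacks the mandatory colon")
        if decoded.endswith("\n"):
            # typical result of piping `echo` without -n into a Base64 encoder
            raise ValueError("credential ends with a newline")
        return "Basic", (username, password)
    if scheme == "Bearer" and value and not any(c.isspace() for c in value):
        return "Bearer", value
    raise ValueError(f"unsupported or malformed Authorization scheme: {scheme!r}")


def request_headers(auth_value):
    """Header mapping for a REST call; the key is always Authorization."""
    return {"Authorization": auth_value, "Accept": "application/json"}
```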
Prerequisites
If the Rubrik cluster has Time-based One-time Password (TOTP) enabled, tokens must be generated using
the Rubrik CDM web UI. They cannot be generated using PowerShell SDK or API.
Procedure
1. Log in to the PowerShell SDK.
2. At the PowerShell SDK prompt, type the New-RubrikAPIToken command.
An API request is being sent using the session information to generate a new API token. The payload
of the body is:
Body = {
"initParams": {
"apiToken": {
"tag": "aws-us-west-1-lambda",
"expiration": 600
}
}
}
3. Send a GET request to /session with a query parameter containing a user ID value to receive a list
of API tokens.
Alternatively, issue the Get-RubrikAPIToken PowerShell function to retrieve all known tokens
based on the user ID of the current session.
Result
The PowerShell SDK generates a new token.
Procedure
Connect to the Rubrik cluster using the API token.
Type the Connect-Rubrik command.
This example connects to the Rubrik cluster at 192.168.1.124 and uses the token parameter
"joiN2NiNGIyN".
Result
The Rubrik cluster returns a unique token that represents the user’s credentials. This token is used to
execute subsequent API requests with the PowerShell SDK.
Procedure
1. Connect to the Rubrik cluster using the API token.
2. Type the Remove-RubrikAPIToken command to accept the token ID value as the only parameter.
This example specifies token 7cb4b25c.
3. Optional: Use the -Force parameter to delete the token without confirmation. Include quotes and
commas to delete multiple tokens in a single command.
This is the syntax for multiple token IDs.
Remove-RubrikAPIToken -TokenId ("token1","token2")
Context
Delete an expired API token so that it cannot be used in REST API calls to the Rubrik cluster.
Note: Use caution when deleting an API token. Once the token is deleted, all REST API calls that use that
token will fail.
Procedure
1. Log in to the Rubrik CDM web UI.
2. Open the account menu in the upper right corner and select API Token Manager.
The API Token Manager dialog box appears.
3. Open the ellipsis menu next to the API token to be deleted and select Delete.
The Delete API Token dialog box appears with a warning message about the consequences of deleting
the token.
4. Click Delete.
Result
The API token is removed from the list of API tokens.
Auditing provides a persistent record of actions performed by Rubrik cluster users, and can be used to
analyze user behavior and reconstruct a chain of events.
Rubrik clusters keep a log of events in an internal database. This event log can be viewed in the Rubrik
CDM web UI.
An audit trail is a record of user-initiated actions in a Rubrik cluster environment. Essentially, auditing
gathers the information to keep a record of who changed what and when.
User events are logged in the Rubrik activity log, along with all other cluster activities. Activity log
messages describe the current state of tasks on the local Rubrik cluster and furnish information about
every task that is started on the local Rubrik cluster over the past 90 days. Filtering the activity log to
display user events reconstructs a set of user activities.
At the application layer, the syslog transmissions use the HTTP protocol. Configuring syslog export rules
with TLS encrypts in-flight data sent to an external syslog server. The Rubrik cluster uses the standard
syslog protocol to format and transmit system notifications. The Rubrik cluster sets the syslog standard
protocol and port (UDP/514) at the transport layer by default. The transport layer protocol and port can be
configured to use custom settings.
The Rubrik cluster sends server messages to the syslog server according to how the facility or severity
levels are configured. The facility level represents the machine process that created the syslog event,
including general system processes such as the kernel, user operations, mail, and facilities for Rubrik-
specific logs. The severity level determines how severe the message is displayed in syslogs. The levels are
critical, warning, or informational.
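The facility and severity encoding described above, applied to the failed-login auditing this section recommends, as an added Python example that is not part of the guide. It encodes and decodes the syslog PRI value, formats and parses BSD-syslog lines as they would travel over UDP/514, and counts failed logins per user from a constructed export. The message wording, the host names and the mapping of the guide's three levels onto standard syslog severities are assumptions made for the example.

```python
import re
from collections import Counter

# Standard syslog facility and severity codes (RFC 3164 / RFC 5424).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def rubrik_level(severity):
    """Assumption: map the guide's three levels onto standard severity ranges."""
    if severity <= SEVERITIES["crit"]:
        return "critical"
    if severity <= SEVERITIES["warning"]:
        return "warning"
    return "informational"


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity; it is the number inside the leading <...>."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)          # (facility, severity)


def format_message(facility, severity, timestamp, host, tag, text):
    """BSD-syslog (RFC 3164) line as it would be sent to the collector."""
    return f"<{encode_pri(facility, severity)}>{timestamp} {host} {tag}: {text}"


LINE_RE = re.compile(r"^<(\d{1,3})>(\S+ +\d+ [\d:]+) (\S+) ([^:]+): (.*)$")


def parse_message(line):
    """Split a received line into fields; malformed input raises rather than
    being mislabelled by a collector."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity, "level": rubrik_level(severity),
            "timestamp": m.group(2), "host": m.group(3), "tag": m.group(4),
            "text": m.group(5)}


# Constructed sample export; the wording is invented, not real Rubrik output.
SAMPLE_LINES = [
    format_message("auth", "warning", "Apr 28 10:15:02", "rubrik-node1", "rubrik-auth",
                   "Login failed for user alice from 10.0.0.5"),
    format_message("auth", "warning", "Apr 28 10:15:09", "rubrik-node1", "rubrik-auth",
                   "Login failed for user alice from 10.0.0.5"),
    format_message("auth", "info", "Apr 28 10:15:20", "rubrik-node1", "rubrik-auth",
                   "Login succeeded for user bob from 10.0.0.7"),
    format_message("auth", "warning", "Apr 28 10:15:41", "rubrik-node2", "rubrik-auth",
                   "Login failed for user alice from 10.0.0.5"),
    format_message("auth", "crit", "Apr 28 10:16:00", "rubrik-node2", "rubrik-auth",
                   "Account locked for user alice after 3 failed attempts"),
]

FAILED_RE = re.compile(r"^Login failed for user (\S+) from (\S+)$")


def failed_logins_by_user(lines):
    """Count failed-login records per user across every node that exported them."""
    counts = Counter()
    for rec in map(parse_message, lines):
        m = FAILED_RE.match(rec["text"])
        if m:
            counts[m.group(1)] += 1
    return counts


def alert_worthy(lines, threshold=3):
    """Records to alert on: every critical record, plus one summary per user who
    reached the failed-login threshold (the pattern the lockout setting guards)."""
    hits = [rec for rec in map(parse_message, lines) if rec["level"] == "critical"]
    for user, n in failed_logins_by_user(lines).items():
        if n >= threshold:
            hits.append({"level": "warning", "text": f"{n} failed logins for user {user}"})
    return hits
```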
Rubrik supports multiple forms of Public Key Infrastructure. Rubrik CDM supports X.509 certificate-based
authentication.
Rubrik supports RSA SecurID, the DUO Two-Factor Authentication service, and X.509 certificate-based
authentication. Rubrik CDM version 5.1 supports all forms of Department of Defense (DoD) Public Key
Infrastructure (PKI) Common Access Card (CAC) and Homeland Security Presidential Directive (HSPD) 12.
Rubrik Support provides instructions for disabling support for TLS version 1.1.
Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Certificate Management.
Result
The Rubrik cluster can now use the TLS certificate through the service configuration.
Related Tasks
Generating a CSR
A CSR authenticates a TLS certificate.
Prerequisites
Add certificates to the Rubrik cluster using the steps described in Importing a TLS certificate.
Context
The Rubrik cluster uses the current Transport Layer Security (TLS) certificate until the imported certificate
is specified.
Procedure
1. Select Cluster Settings from the gear icon.
The Cluster page appears with the Cluster Settings tab selected.
2. Click the X next to the certificate name under the Web Server Certificate heading to remove the
current certificate.
3. Select the new certificate from the list.
4. Click Update.
Result
The Rubrik cluster uses the new TLS certificate.
Context
Generating a Certificate Signing Request (CSR) is the first step for importing a Transport Layer Security
(TLS) certificate with a private key that is managed by the Rubrik cluster. Once a CSR is generated, use
this CSR with the certificate authority (CA) to generate a TLS certificate. Specify the certificate type as CSR
to import this certificate into the Rubrik cluster.
After the CSR signing is complete, the signed certificate must be imported and configured.
Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Certificate Management.
The Certificate Management page appears with the Certificates tab selected.
4. Click the CSRs tab.
The Certificate Management page changes to the Certificate Signing Request tab.
5. In the top right, click Generate CSR.
The Generate Certificate Signing Request dialog box appears.
6. Fill out the fields and click Generate.
The CSR appears.
7. Click Download.
The web browser saves the CSR to local storage as a text file.
Result
The downloaded or copied CSR can now be signed by a CA. Once the CSR has been signed, it can be
imported for use in the Rubrik cluster.
Related Tasks
Importing a TLS certificate
Import a TLS certificate to the Rubrik cluster to use the certificate with authentication workflows that
support TLS certificates.
Encryption restricts an unauthorized party's ability to read data. Data encryption can apply to data at
rest, which is stored on a persistent device such as a storage drive, or to data in flight, which is being
transmitted between devices.
Data that is transmitted between nodes in a secure cluster is encrypted with the Transport Layer Security
(TLS) protocol, preventing attackers from accessing the transmitted data even when the transmission is
intercepted. Rubrik clusters secure data at rest with the Advanced Encryption Standard (AES) symmetric-key
algorithm, using a 256-bit key length (AES-256).
On hardware platforms with FIPS 140-2 certified self-encrypting drives, the Rubrik cluster uses
FIPS 140-2 certified encryption for at-rest encryption. The keys for these encryption features can be
managed internally within the appliance's Trusted Platform Module (TPM) and archived as required by
operational policy, or they can be managed off-box through the Key Management Interoperability Protocol
(KMIP) with a KMIP-compliant key manager. In the latter case, archiving the Rubrik cluster encryption keys
is the responsibility of the centralized key manager.
Password encryption
The Rubrik cluster encrypts all user passwords.
Rubrik clusters do not store the passwords for local accounts. The password entered by a user is hashed
using the SHA-512 algorithm and the Rubrik cluster compares the resulting hash value to the stored hash
value for authentication.
The passwords to services external to the cluster are encrypted with AES-256.
Procedure
1. Log in to the Rubrik cluster web UI as the admin user or a user with the Administrator role.
2. Open the gear menu on the top bar of the web UI.
The gear menu appears.
3. Click System Configuration > Manage Encryption.
The Manage Encryption page appears with the Key Rotation Status tab selected.
4. Click Rotate Keys.
The One-Time Key Rotation dialog appears.
5. Optional: To rotate keys using an external KMIP server, select External Key Manager (KMIP-compliant).
If the cluster was using the on-board TPM chip for key rotation, this option changes the key rotation
method.
Note: Before using a KMIP server to rotate encryption keys, configure Rubrik with the server
information according to the procedure in Setting up a KMIP server.
6. Optional: To rotate keys using the on-board TPM chip, select Internal Key Manager (Rubrik TPM). If
the cluster was using a KMIP server for key rotation, this option changes the key rotation method.
Note: Changing the key rotation method requires restarting all nodes in the cluster. These restarts
stop any currently running jobs.
7. Optional: Select the checkbox to enable Rubrik to retain a copy of the encryption keys.
Note: Without a copy of the encryption keys, Rubrik cannot assist with certain recovery scenarios.
8. Click Continue.
Rubrik rotates the key-encryption keys (KEKs) and, where applicable, Self-Encrypting Drives (SED)
passwords on the cluster.
Procedure
1. Log in to the Rubrik web user interface (UI) with administrative user credentials.
2. Open the gear menu on the top bar of the web UI.
The gear menu appears.
3. Click System Configuration > Manage Encryption.
The Manage Encryption page appears with the Key Rotation Status tab selected.
4. Click the KMIP Settings tab.
A list of Key Management Interoperability Protocol (KMIP) servers configured for the cluster appears.
5. Click Configure Client Settings.
Context
Perform these steps to generate a certificate signing request.
Procedure
1. From the KMIP Settings tab, click Generate Certificate Request.
The Certificate Signing Request dialog appears.
2. Enter the username for the Key Management Interoperability Protocol (KMIP) server and click
Generate.
The Certificate Signing Request appears.
3. Click Download to download the Certificate Signing Request as a text file.
The Certificate Signing Request must be signed by a trusted certificate authority.
Context
Follow the instructions in the Vormetric DSM Administration Guide. Generally, configuring the Vormetric
DSM for the Rubrik cluster includes these steps:
Procedure
1. Enable TLS 1.2 support.
2. Configure licenses on the DSM to enable KMIP.
3. Create a domain on the DSM with KMIP enabled.
4. Within the new domain, add a host for the Rubrik cluster using an FQDN with A or CNAME records
pointing to the Rubrik nodes. Make a note of the FQDN in a safe place.
5. For client certificate authentication, ensure that the Password attribute is Generate.
6. Retrieve the Server Certificate from the DSM using a web browser (Windows) or OpenSSL (Linux).
Procedure
1. Log in to the Rubrik CDM web UI with administrative user credentials.
2. Open the gear menu on the top bar of the web UI.
The gear menu appears.
3. Click System Configuration > Manage Encryption.
The Manage Encryption page appears with the Key Rotation Status tab selected.
4. Click KMIP Settings.
5. For Client Authentication Mode, select Client Certificate Only.
6. Click Generate CSR.
7. When prompted, enter the same case-sensitive fully qualified domain name (FQDN) entered in
Configuring the Vormetric DSM.
8. Download the certificate signing request (CSR).
9. Submit the CSR to an internal or public enterprise certificate authority (CA).
10. Retrieve the signed, 2048-bit or higher, TLS certificate.
Procedure
1. In the Vormetric DSM, locate the Rubrik host created in Configuring the Vormetric DSM and click
Import KMIP Key.
2. In the Username field, enter the same case-sensitive FQDN from Configuring the Vormetric DSM.
3. Paste the signed TLS client certificate in the Client Certificate field.
4. Enter the fully-qualified domain name (FQDN) or IP address of the Vormetric DSM in the Server field.
5. Enter 5696 in the Port field.
6. Paste the Vormetric DSM server certificate in the Server Certificate field.
7. Click Update.
Procedure
1. Generate an API token.
2. Retrieve the encryption status of the Rubrik cluster.
In a UNIX shell, use the following command.
Where
• api_token is the token generated in step 1.
• rubrik_cluster is the IP address of the Rubrik cluster.
{"isEncrypted":true,"cipher":"AES","keyLength":256}
{"isEncrypted":false}
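As an added example (not part of the Rubrik guide), a POSIX shell check that evaluates the JSON returned by the encryption-status call above and fails unless the cluster reports AES with a 256-bit key. The api_token and rubrik_cluster parameters follow the guide; the URL path in query_cluster is a placeholder assumption, not a documented Rubrik endpoint, and the two sample responses are the guide's own example outputs.

```shell
#!/bin/sh
# Added example, not Rubrik's own code. Evaluates the encryption-status JSON that
# the guide shows and turns it into a pass/fail check suitable for an audit script.

# Constructed samples, copied from the guide's two example outputs.
SAMPLE_ENCRYPTED='{"isEncrypted":true,"cipher":"AES","keyLength":256}'
SAMPLE_PLAIN='{"isEncrypted":false}'

# Extract one scalar field from a flat JSON object without requiring jq.
# Prints the raw value without quotes, or nothing if the field is absent.
# Usage: json_field '<json>' <field-name>
json_field() {
    printf '%s\n' "$1" | sed -n "s/.*\"$2\":\"\{0,1\}\([^,\"}]*\)\"\{0,1\}.*/\1/p"
}

# Return 0 when the response reports AES with a key of at least 256 bits,
# 1 otherwise (including the {"isEncrypted":false} form, where cipher and
# keyLength are absent). Prints a one-line verdict.
check_encryption_status() {
    json="$1"
    enc=$(json_field "$json" isEncrypted)
    cipher=$(json_field "$json" cipher)
    bits=$(json_field "$json" keyLength)
    if [ "$enc" = "true" ] && [ "$cipher" = "AES" ] && [ "${bits:-0}" -ge 256 ]; then
        echo "OK: at-rest encryption enabled ($cipher-$bits)"
        return 0
    fi
    echo "FAIL: at-rest encryption disabled or weaker than AES-256 (isEncrypted=${enc:-unknown})"
    return 1
}

# Query a live cluster with the parameters named in the guide. The URL path is a
# PLACEHOLDER assumption; take the real request from Rubrik Support or the API docs.
query_cluster() {
    api_token="$1"; rubrik_cluster="$2"
    curl -sk -H "Authorization: Bearer $api_token" \
        "https://$rubrik_cluster/api/PLACEHOLDER/cluster/me/security/encryption"
}

# Offline demonstration against the constructed samples.
check_encryption_status "$SAMPLE_ENCRYPTED"
check_encryption_status "$SAMPLE_PLAIN" || true
```

To check a real cluster, pipe query_cluster output into check_encryption_status: check_encryption_status "$(query_cluster "$api_token" "$rubrik_cluster")".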
Related Tasks
Generating an API token
Generate an API token for use in REST API scripts that run on the Rubrik cluster.
This section provides a standard hardening procedure for the Rubrik CDM product.
The hardening steps configure a Rubrik CDM product to comply with all United States Government security
standards. Specifically, these steps configure the product to comply with the Defense Information Systems
Agency (DISA) Security Technical Implementation Guides (STIGs) and Security Requirements Guides (SRGs).
The steps should be evaluated prior to implementation. Increasing the security of a product often
decreases its ease of use. For example, complex passwords are much safer, but require extra
effort from the user. These steps should be performed only by users who understand the
implications of each step.
The hardening requirements in this section are general in nature and should be applied to all CDM
installations regardless of the customer segment into which the product is deployed.
The requirements to harden a high-security system are described in Hardening requirements for a
high-security system.
For customers that are hardening the system to meet a regulation, Rubrik also provides a
complete STIG and SRG assessment to all customers at no extra charge. This assessment is focused on an
auditor's requirements when attempting to assess the security of the system.
Your Rubrik sales representative can provide access to this assessment.
Context
User events are logged in the Rubrik cluster activity log, along with all other cluster activities. To
reconstruct a set of user activities, filter the activity log to display user events.
Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the Rubrik CDM web UI.
The gear menu appears.
3. Click Notification Settings.
4. On the tab bar, click Syslog.
The Syslog page appears.
5. Verify the notification settings.
Result
The Rubrik appliance is configured to send logs to a central audit server.
To configure the default timeout of the cluster to a new value, submit a support ticket and request that the
webSessionTimeoutMinutes value in crystal be updated with the new value. Issue the following
command from the Rubrik cluster CLI to determine the current value for webSessionTimeoutMinutes:
After making these changes, log in and verify that the timeout settings have taken effect.
Context
Local authentication must be used only as a fallback mechanism to access the Rubrik cluster when Active
Directory is unreachable.
Procedure
1. Log in to the Rubrik CDM web UI.
2. Select the gear icon.
3. Select Users from the Access Management category.
The User Management page appears with the Users and Groups tab selected.
4. Select the LDAP Servers tab.
5. Verify the appropriate domain is configured.
Context
The Rubrik cluster uses the Transport Layer Security (TLS) protocol with certificate-based mutual
authentication for secure communication for all intra-node and inter-cluster communication, as well as
communication with external applications. Rubrik CDM uses TLS 1.2 for all internal communications, but
uses TLS 1.1 when other applications do not support TLS 1.2.
Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the Rubrik CDM web UI.
The gear menu appears.
3. Click Certificate Management.
The Certificate Management page appears with the Certificates tab selected.
4. Examine the properties of the certificate listed to ensure that the Rubrik cluster self-signed certificate
was replaced with a certificate generated by the customer’s environment.
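As an added example (not Rubrik's own tooling), a shell check run from an operator workstation that tests two things the text above calls for: whether the cluster's web UI still completes a TLS 1.1 handshake, and whether the certificate it presents is self-signed (subject identical to issuer), which is the condition step 4 asks you to rule out. It assumes the openssl command-line tool; the host name and the sample subject/issuer lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Rubrik guide. Inspects the TLS endpoint of a cluster
# node from outside, using only the openssl CLI. Host names are placeholders.

# Decide whether a certificate is self-signed from the "subject=" and "issuer="
# lines that `openssl x509 -noout -subject -issuer` prints. Returns 0 when the
# subject and issuer are identical (self-signed), 1 otherwise or if no subject
# line is present (for example, when the connection failed and nothing was read).
is_self_signed() {
    subject=$(printf '%s\n' "$1" | sed -n 's/^subject=//p')
    issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer=//p')
    [ -n "$subject" ] && [ "$subject" = "$issuer" ]
}

# Fetch the leaf certificate a cluster node presents on port 443 and print its
# subject and issuer lines, the format is_self_signed expects.
fetch_cert_names() {
    host="$1"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer 2>/dev/null
}

# Return 0 if the server completes a handshake when the client is pinned to one
# protocol version (openssl flags -tls1_1, -tls1_2, -tls1_3). A client-side
# openssl built without TLS 1.1 support reports "refused" even for a server that
# would accept it, so treat a refusal from an old-protocol probe as provisional.
tls_version_accepted() {
    host="$1"; flag="$2"
    openssl s_client -connect "$host:443" -servername "$host" "$flag" </dev/null >/dev/null 2>&1
}

# Overall verdict for one node: 0 when TLS 1.1 is refused and the certificate is
# not self-signed; 1 with a warning line for each finding.
check_cluster_tls() {
    host="$1"
    rc=0
    if tls_version_accepted "$host" -tls1_1; then
        echo "WARN: $host still accepts TLS 1.1; disable it per Rubrik Support guidance"
        rc=1
    fi
    if is_self_signed "$(fetch_cert_names "$host")"; then
        echo "WARN: $host presents a self-signed certificate; import a CA-issued one"
        rc=1
    fi
    return $rc
}

# Constructed sample openssl output for offline demonstration of is_self_signed.
SAMPLE_SELF_SIGNED='subject=CN = rubrik-node.example.com
issuer=CN = rubrik-node.example.com'
SAMPLE_CA_ISSUED='subject=CN = rubrik-node.example.com
issuer=C = US, O = Example Corp, CN = Example Corp Issuing CA'

is_self_signed "$SAMPLE_SELF_SIGNED" && echo "sample 1: self-signed"
is_self_signed "$SAMPLE_CA_ISSUED" || echo "sample 2: CA-issued"
```

Run check_cluster_tls against each node's web UI address in turn; a clean run prints nothing and exits 0.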
Note: Retention locks are globally disabled on the cluster by default. Contact Rubrik Support to enable
retention locks within the Rubrik UI.
Once enabled, the Rubrik UI includes a toggle labeled Retention Lock in the upper corner of each Create
SLA Domain dialog window.
Once enabled globally, retention locks must be enabled explicitly on each SLA Domain that requires
protection. Retention locks can be enabled during SLA Domain creation, or they can be added to existing
SLA Domains, which applies the protection and restrictions retroactively.
Once enabled, retention locks introduce a number of security features.
• A factory reset of the cluster or node cannot be performed. A common attack vector attempts to
perform a factory reset on the appliance to wipe out backup data, which is impossible to do without
Security banner
The Rubrik cluster can display a custom notice that must be acknowledged before login is permitted.
The Rubrik cluster security banner can include custom text for an authorized-use agreement. The message
text can be formatted as plain text or can use standard HTML markup.
The Rubrik cluster also includes configurable top and bottom page banners in the web UI. The banner text
and the banner background color can be configured.
Procedure
1. Log in to the Rubrik CDM web UI using the admin account.
2. Click the gear icon.
3. Click Cluster Settings.
The Cluster Settings page appears.
4. In Login Banner Text, enter the login notice text.
Archive storage
Most malicious attack vectors focus on external archive locations before attacking the local snapshot data
when data management products are targeted.
Data that is archived is no longer on the Rubrik cluster once it is archived. A customer's security practices
must protect archived data from malicious attack vectors. It is critical that customers follow the best
practices to secure the archive locations, particularly if the CloudOut feature is being used with the Rubrik
cluster to archive snapshots for long term retention.
Context
Perform these steps on all nodes of the cluster. Each step requires typing the IPMI password after
submitting the command.
Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the Rubrik CDM web UI.
The gear menu appears.
3. Click IPMI credentials.
The IPMI Credential screen appears with the Configure IPMI tab selected.
4. Select the IPMI Password tab.
5. Enter, then reenter a password.
6. Click Update.
The Rubrik cluster updates the IPMI password.
7. Connect to a node that has the ipmitool installed using SSH.
8. Type this command to list the IPMI users.
Result
The IPMI user is added.
Procedure
1. Connect to a node that has the ipmitool installed using SSH.
2. Use the ipmitool utility to verify the IPMI user account is logged into the system.
This example displays the IDs of the users currently logged in to the system.
Result
The IPMI interface is verified.
Procedure
1. Connect to a node that has the ipmitool installed using SSH.
2. Type this command to disable the ADMIN user from IPMI interface.
Where Rubrik_node_IPMI_IP is the IPMI IP address for the Rubrik cluster node.
3. Optional: Type this command to verify the ADMIN user is disabled from the command line.
If the ADMIN user is disabled, this command results in a message stating "Error: Unable to establish
IPMI v2 / RMCP+ session".
4. Optional: Verify the ADMIN user is disabled from the GUI.
a) Log into the IPMI site for each node with the IPMI user ID.
The syntax is https://Rubrik_node_IPMI_IP.
b) Type this command to verify the ADMIN user is disabled.
If the ADMIN user is disabled, this command results in a message stating "Error: Unable to
establish IPMI v2 / RMCP+ session".
Result
The IPMI ADMIN user is disabled from the Rubrik cluster to harden access security.
Procedure
1. Log into the IPMI site for each node with the IPMI user ID.
The syntax is https://Rubrik_node_IPMI_IP.
2. Click Configuration > Port.
3. Uncheck Virtual media port.
4. Click Save.
5. Click Miscellaneous > SMC RAKP.
Result
The IPMI ADMIN user is disabled from the Rubrik cluster.
Penetration testing tools may still return a hash for an IPMI user. However, these tools will not display the
user name if the passwords are strong.
After the Supermicro (SMC) RMCP+ Authenticated Key-Exchange Protocol (RAKP) setting is enabled (or RAKP is
disabled), ipmitool no longer receives IPMI responses from the Rubrik cluster. Instead, use SMCIPMITOOL to
execute commands. The IPMI documentation describes SMC RAKP.
Harden encryption
The Rubrik node should be configured with encryption to protect the confidentiality and integrity of all
information at rest.
The Rubrik cluster supports native encryption using an on-board TPM chip and customer-managed
encryption using the KMIP protocol on hardware-based appliances that support this configuration. The
Rubrik cluster uses TLS to encrypt UI and REST API traffic with a default, self-signed certificate.
Procedure
1. Log in to the Rubrik CDM web UI.
2. On the left-side menu, select Dashboard > System Performance.
The System Performance page appears.
3. Click the name of a node.
The node information page appears.
4. Verify that all disks include the image of a lock next to them, indicating they are configured for
encryption.
Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the Rubrik CDM web UI.
The gear menu appears.
3. Click Certificate Management.
The Certificate Management page appears with the Certificates tab selected.
4. Verify the certificates are for TLS 1.1 or higher.
Result
The certificates are signed by a trusted certificate authority (CA).
Context
The certificate signing request (CSR) is available on the Rubrik cluster and on the local storage of the
computer used to generate the CSR.
Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the Rubrik CDM web UI.
The gear menu appears.
3. Click Certificate Management.
The Certificate Management page appears with the Certificates tab selected.
4. Click the CSRs tab.
The Certificate Management page changes to the Certificate Signing Request tab.
5. In the top right, click Generate CSR.
The Generate Certificate Signing Request dialog box appears.
6. Fill out the fields and click Generate.
The CSR appears.
7. Click Download.
Result
The web browser saves the CSR to local storage as a text file.
Task Description
Task: Configure the Rubrik cluster to authenticate users.
Description: Rubrik supports both local authentication and authentication with Active Directory.
Configuring for Active Directory authentication describes how to use an enterprise identity management
solution to authenticate users.
Task: Configure the Rubrik appliance to use a secondary authentication mechanism.
Description: The Rubrik cluster supports both RSA, Duo, and DoD PKI CAC X.509 certificates. Verify the
appropriate domain is configured.
Task: Verify the Rubrik cluster encrypts all information at rest.
Description: The Rubrik cluster must be configured with encryption to protect the confidentiality and
integrity of all information at rest. Harden encryption describes how to configure the Rubrik cluster with
encryption.
Task: Update the value for Web session timeouts.
Description: The value for webSessionTimeoutMinutes must be up-to-date. Configuring this value is
described in Updating the value for a Web session timeout.
Task: Review the process for shutting down a Rubrik node.
Description: The Rubrik cluster administrator must be familiar with the steps to shut down a node
immediately during an attack. The Rubrik CDM Hardware Guide includes information about shutting down a
node.
Task: Verify successful logins are displayed in the log.
Description: Successful logins must be displayed in the Rubrik cluster log. The steps for configuring the
log are described in Verifying successful logins are displayed in the log.
Task: Verify the Rubrik cluster includes an emergency account.
Description: The Rubrik cluster must not contain any local accounts other than an emergency account.
Configuring an emergency account is described in Verifying an emergency account.
Context
The value for a Web session timeout is determined with the webSessionTimeoutMinutes parameter.
Procedure
1. SSH to the Rubrik appliance using the admin account.
Result
The Rubrik CLI updates the value for webSessionTimeoutMinutes.
Context
The default time zone used by a Rubrik cluster is the Coordinated Universal Time (UTC) time zone. If the
cluster is set to a different time zone, reset it to use UTC.
Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the web UI.
The gear menu appears.
3. Click Cluster Settings.
The Cluster Settings page appears.
4. In Cluster Time Zone, select the UTC time zone for the Rubrik cluster.
5. Click Update.
Result
The Rubrik cluster uses UTC.
Context
CAs approved by the DoD allow users to securely communicate with the DoD and authenticate to DoD
Information Systems.
Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the Rubrik CDM web UI.
The gear menu appears.
3. Click Certificate Management.
The Certificate Management page appears with the Certificates tab selected.
4. Verify if the certificates are DoD approved by examining the properties of each of the listed
certificates.
Context
A Department of Defense (DoD)-approved banner indicates the Rubrik cluster is formatted in accordance
with DTM-08-060 and meets DoD standards.
Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the web UI.
The gear menu appears.
3. Click Cluster Settings.
The Cluster Settings page appears.
4. In Login Banner Text, enter the DoD-approved login notice text.
5. Click Update.
Result
The Rubrik cluster UI displays the DoD-approved banner.
Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the web UI.
The gear menu appears.
3. Click Users.
The Users page appears.
4. Verify there is at least one account with the Administrator Role.
Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the globe icon on the top bar of the Rubrik CDM web UI.
The recent messages list of the Activity Log appears.
3. On the recent messages list, click See all.
The Activity Log page appears.
4. Scroll the page to see the activity log.
5. Optional: Click Filter Status to select successful logins.
Result
The Activity Log displays all successful logins.
Procedure
1. Log in to the Rubrik CDM web UI.
2. Click the gear icon on the top bar of the web UI.
The gear menu appears.
3. Click Users.
The Users page appears.
4. Verify the only local account is an emergency account.