Dell EMC Data Protection Central Version 19.1 Security Configuration Guide 302-005-568 REV 01



Copyright © 2017-2019 Dell Inc. or its subsidiaries. All rights reserved.

Published March 2019

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS-IS." DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners.

Published in the USA.

Dell EMC
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.DellEMC.com


CONTENTS

Preface 5

Chapter 1  Security Quick Reference 9
    Deployment models 10
        Open Virtualization Appliance deployment 10
        Physical or virtual server deployment 10
    Security profiles 10

Chapter 2  Product and Subsystem Security 11
    Security controls map 12
    Authentication 13
        Login security settings 13
        Authentication types and setup considerations 15
        User and credential management 23
        Authentication to external data protection systems 25
    Authorization 26
    Network security 26
        Network exposure 27
        Modify the Data Protection Central firewall to use a non-standard port 29
    Data security 30
        Lockbox 30
    Cryptography 30
        Certificate management 31
    Auditing and logging 32
    Serviceability 33
        Security patches 33
        Data Protection Central OS update 33
    Product code integrity 34

Chapter 3  Federal standards and compliance 35
    STIG compliance 36
    Internet Protocol version 6 38
    VPAT accessibility features 38
        Screen reader support 38
        Keyboard navigation 38

Chapter 4  Miscellaneous Configuration and Management 45
    Licensing 46
    Protect authenticity and integrity 46
    Perform backups and restores of Data Protection Central 46
    Embedded component usage 46


Preface

As part of an effort to improve product lines, periodic revisions of software and hardware are released. Therefore, all versions of the software or hardware currently in use might not support some functions that are described in this document. The product release notes provide the most up-to-date information on product features.

If a product does not function correctly or does not function as described in thisdocument, contact a technical support professional.

Note

This document was accurate at publication time. To ensure that you are using the latest version of this document, go to the Support website https://www.dell.com/support.

Purpose

This document includes information about security features and capabilities of Data Protection Central.

Audience

This document is intended for individuals who are responsible for managing security for Data Protection Central.

Revision history

The following table presents the revision history of this document.

Table 1 Revision history

Revision   Date       Description
01         May 2019   Release of the Data Protection Central 19.1 Security Configuration Guide.

Related Documentation

For information about Data Protection Central compatibility, refer to the Data Protection Central Release Notes.

The Data Protection Central documentation set includes the following publications:

• Data Protection Central Getting Started Guide

• Data Protection Central Security Configuration Guide

• Data Protection Central Release Notes

• Data Protection Central Administration Guide

The documentation for the following products includes more information:

• Avamar

• Data Domain

• Search

• Data Protection Advisor

• NetWorker


Special notice conventions that are used in this document

The following conventions are used for special notices:

NOTICE

Identifies content that warns of potential business or data loss.

Note

Contains information that is incidental, but not essential, to the topic.

Typographical conventions

The following type style conventions are used in this document:

Table 2 Style conventions

Bold                Used for interface elements that a user specifically selects or clicks, for example, names of buttons, fields, tab names, and menu paths. Also used for the name of a dialog box, page, pane, screen area with title, table label, and window.

Italic              Used for full titles of publications that are referenced in text.

Monospace           Used for:
                    • System code
                    • System output, such as an error message or script
                    • Pathnames, file names, file name extensions, prompts, and syntax
                    • Commands and options

Monospace italic    Used for variables.

Monospace bold      Used for user input.

[ ]                 Square brackets enclose optional values.

|                   Vertical line indicates alternate selections. The vertical line means "or" for the alternate selections.

{ }                 Braces enclose content that the user must specify, such as x, y, or z.

...                 Ellipses indicate non-essential information that is omitted from the example.

You can use the following resources to find more information about this product,obtain support, and provide feedback.

Where to find product documentation

• https://www.dell.com/support

• https://community.emc.com

Where to get support

The Support website https://www.dell.com/support provides access to product licensing, documentation, advisories, downloads, and how-to and troubleshooting information. The information can enable you to resolve a product issue before you contact Support.

To access a product-specific page:


1. Go to https://www.dell.com/support.

2. In the search box, type a product name, and then from the list that appears, select the product.

Knowledgebase

The Knowledgebase contains applicable solutions that you can search for either by solution number (for example, KB000xxxxxx) or by keyword.

To search the Knowledgebase:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Knowledge Base.

3. In the search box, type either the solution number or keywords. Optionally, you can limit the search to specific products by typing a product name in the search box, and then selecting the product from the list that appears.

Live chat

To participate in a live interactive chat with a support agent:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Contact Support.

3. On the Contact Information page, click the relevant support, and then proceed.

Service requests

To obtain in-depth help from Licensing, submit a service request. To submit a service request:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Service Requests.

Note

To create a service request, you must have a valid support agreement. For details about either an account or obtaining a valid support agreement, contact a sales representative. To get the details of a service request, in the Service Request Number field, type the service request number, and then click the right arrow.

To review an open service request:

1. Go to https://www.dell.com/support.

2. On the Support tab, click Service Requests.

3. On the Service Requests page, under Manage Your Service Requests, click View All Dell Service Requests.

Online communities

For peer contacts, conversations, and content on product support and solutions, go to the Community Network https://community.emc.com. Interactively engage with customers, partners, and certified professionals online.

How to provide feedback

Feedback helps to improve the accuracy, organization, and overall quality of publications. You can send feedback to [email protected].


CHAPTER 1

Security Quick Reference

Topics include:

• Deployment models 10

• Security profiles 10


Deployment models

You can deploy Data Protection Central as an OVA in VMware environments or with a .jar file on a Linux operating system in a physical or virtual server that is not hosted by VMware.

Open Virtualization Appliance deployment

If you have a VMware vSphere virtual machine environment, it is recommended that you deploy Data Protection Central as an Open Virtualization Appliance (OVA).

The OVA deployment model includes a pre-configured bundle with the Data Protection Central software and the Linux operating system that the Data Protection Central software runs on.

The OVA environment also includes a pre-configured firewall that is tuned to the Data Protection Central communication needs with the monitored systems.

The OVA is deployed with an OVF template file. Refer to the VMware documentation for specific information regarding how to deploy an OVA or OVF template.

The Data Protection Central Getting Started Guide provides information on deploying Data Protection Central as an OVA.

Physical or virtual server deployment

Data Protection Central is also available as a self-extracting JAR file with a set of Linux RPM files.

This alternative deployment model is useful if you do not have access to a VMware vSphere virtual machine environment. You can deploy Data Protection Central with this method on a Linux server running a compatible version of SUSE Linux Enterprise Server.

The Data Protection Central Getting Started Guide provides information on deploying Data Protection Central on a physical or virtual machine that is not hosted by VMware.

Security profiles

Data Protection Central has a default security profile for secure HTTP access. However, you can replace the security certificate.


CHAPTER 2

Product and Subsystem Security

Topics include:

• Security controls map 12

• Authentication 13

• Authorization 26

• Network security 26

• Data security 30

• Cryptography 30

• Auditing and logging 32

• Serviceability 33

• Product code integrity 34


Security controls map

Data Protection Central runs on virtual servers, supporting NetWorker and Avamar servers and Data Domain backup targets.

Each Avamar system uses a Data Protection Central adapter to send alerts and events to RabbitMQ, which is the message queue system.

For NetWorker, Data Protection Central connects to the RabbitMQ on the NetWorker server to receive job activity event information.

The Data Protection Central monitoring service saves the alert and event data from RabbitMQ to the MongoDB database.

The Data Protection Central UI provides a centralized location for monitoring alerts and events, as well as providing management capabilities.

All system credentials are stored within the Data Protection Central secure storage.

The following figure displays the Data Protection Central security controls map.

Figure 1 Data Protection Central security controls map


Authentication

Learn about authentication in Data Protection Central.

Login security settings

Data Protection Central includes login security settings.

Access control

Access control settings provide protection of resources against unauthorized access.

Default user accounts

Data Protection Central includes three default user accounts.

Local user account

Data Protection Central provides a single default local administrative user account.

The username of this internal account is [email protected].

The local administrator has access to all operations in the Data Protection Central web user interface and access to all external systems that can be launched from Data Protection Central.

The first time you log into Data Protection Central, you must use the [email protected] username. You are prompted to change the default password.

Operating system admin user account

The Linux system administrator can log into Data Protection Central using a secure shell (ssh) for system administration and maintenance.

This default account is only bundled with OVA deployments.

Operating system root account

After logging into Data Protection Central with ssh as the system administrator, switch to the root user to have administrative access to files and directories on the Data Protection Central operating system.

This default account is only bundled with OVA deployments.

External user accounts

When an LDAP or Active Directory (AD) server is connected to Data Protection Central, you can grant additional accounts the Data Protection Central administrator role by adding them to the Data Protection Central administrative group provided in the ldap.properties file.

Each of these administrator accounts added through LDAP or AD will have full authorization and access to all Data Protection Central functions. Data Protection Central also supports custom dashboard settings for each administrator account.


Failed login behavior

Data Protection Central includes security settings for when there are multiple unsuccessful authentication attempts.

Local user account lockout

After five consecutive failed attempts to log in to the local user account, Data Protection Central temporarily locks out the user for a period of five minutes.

Any attempt to log in during the lockout period resets the lockout timer back to five minutes.

To end the temporary lockout, restart the ELG service.

To restart the ELG service, run the following commands:

1. service msm-elg stop

2. service msm-elg start

Operating system user account lockout

If you make three consecutive failed SSH login attempts for the operating system user account, that account is temporarily locked out of the Data Protection Central Linux operating system for a period of five minutes.

You are unable to log in to the Data Protection Central Linux operating system with this account during the lockout period, even with the correct password. However, you can log in with a different user account.

Automatic session timeout

Each account has an automatic timeout setting.

SSH and console session timeout

After 600 seconds of inactivity, connections to Data Protection Central made through SSH and the console, for OVA deployments, are automatically terminated.

This timeout does not apply to login sessions to the Data Protection Central web user interface, which has a different timeout interval and mechanism.

Idle browser session timeout

By default, after 20 minutes of inactivity, the Data Protection Central session times out and you are automatically logged out.

Modify the idle browser session timeout setting

Procedure

1. Open the application.properties file located in /usr/local/dpc/lib/elg/ for editing.

2. Add the following entry to the application.properties file:

server.session.timeout=X

Where X is the idle timeout value in seconds.

The minimum idle timeout value is 120 (2 minutes) and the maximum is 1800 (30 minutes).


3. Save and close the application.properties file.

4. Restart the msm-elg service using the following command:

service msm-elg restart
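The procedure above edits application.properties by hand. As an added example that is not part of the Dell EMC guide, the following POSIX shell function performs the same edit but rejects values outside the documented 120 to 1800 second range and replaces any existing server.session.timeout entry instead of appending a second one, so the file never carries two competing values. The file path, the property name and the msm-elg service name are taken from the guide; the function names and the PROPS_FILE variable are this example's own.

```shell
#!/bin/sh
# Added example, not from the Dell EMC guide: set the idle browser session
# timeout in application.properties with range validation and without
# leaving duplicate entries behind. The path and property name are the
# guide's; everything else is this example's own.

PROPS_FILE="${PROPS_FILE:-/usr/local/dpc/lib/elg/application.properties}"

# set_session_timeout FILE SECONDS
# Rewrites FILE and returns 0 on success. Returns 1 and leaves FILE untouched
# if SECONDS is not an integer in the supported range 120..1800.
set_session_timeout() {
    file="$1"
    secs="$2"
    case "$secs" in
        ''|*[!0-9]*) echo "timeout must be an integer number of seconds" >&2; return 1 ;;
    esac
    if [ "$secs" -lt 120 ] || [ "$secs" -gt 1800 ]; then
        echo "timeout $secs is outside the supported range 120..1800" >&2
        return 1
    fi
    [ -f "$file" ] || : > "$file"
    # Drop any existing entry (active or commented out) and append the new one.
    tmp="$file.tmp.$$"
    grep -v '^[[:space:]]*#\{0,1\}[[:space:]]*server\.session\.timeout=' "$file" > "$tmp" || true
    printf 'server.session.timeout=%s\n' "$secs" >> "$tmp"
    mv "$tmp" "$file"
    return 0
}

# get_session_timeout FILE
# Prints the effective value (last active entry wins), or nothing if unset.
get_session_timeout() {
    sed -n 's/^[[:space:]]*server\.session\.timeout=//p' "$1" | tail -n 1
}

# Usage, as root on the appliance, followed by the restart from step 4:
#   set_session_timeout "$PROPS_FILE" 900 && service msm-elg restart
```

The function only edits the file; the service restart stays a separate, explicit step so the change can be reviewed before it takes effect.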

Authentication types and setup considerations

Learn about Single-Sign On (SSO) authentication and setup considerations in Data Protection Central.

Internal account SSO authentication

Data Protection Central uses Single-Sign On (SSO) authentication for the local user account (if SSO is not disabled).

External LDAP or AD account SSO authentication

Data Protection Central supports Lightweight Directory Access Protocol (LDAP) and Active Directory (AD).

Data Protection Central can authenticate users against directory servers, such as Windows Active Directory, using LDAP or LDAPS. Authentication against an LDAP server simplifies management because you do not need a separate set of credentials for Data Protection Central administration.

After you configure LDAP authentication, you can log into the Data Protection Central web console with any LDAP or AD account. Data Protection Central performs SSO authentication for external users and internally validates credentials and user authority with the LDAP or AD server.

The Data Protection Central Getting Started Guide provides instructions on configuring LDAP or AD during or after deploying Data Protection Central.

Configuring LDAP

Learn about LDAP requirements and configuration procedures.

Data Protection Central supports OpenLDAP and Active Directory (AD) authentication.

You can configure LDAP during or after deploying Data Protection Central.

The Troubleshooting chapter in the Data Protection Central Administration Guide provides detailed troubleshooting information on diagnosing and resolving common LDAP configuration issues.

Note

LDAP without TLS communicates in clear text, without encryption. Secure LDAP (LDAPS) does not support communication in clear text. When you configure LDAP without TLS, to improve security, it is recommended that you use a segmented network containing only the LDAP server and the Data Protection Central server.

Configure LDAP or AD user access

Before you configure Lightweight Directory Access Protocol (LDAP) or Windows Active Directory (AD), configure the users who will access Data Protection Central.

Perform this procedure on the server that hosts Lightweight Directory Access Protocol (LDAP) or Windows Active Directory (AD).


Procedure

1. Create an administrative user group that will contain the users who can access Data Protection Central.

The following list describes the default containers, according to the configuration type:

• For Lightweight Directory Access Protocol (LDAP), the default user group is the OU=People folder.

• For Windows Active Directory (AD), the default user group is the OU=Users folder.

2. For AD accounts only, set the user group scope setting to Global.

Note

Users who are part of this group are granted administrative privileges to Data Protection Central and the system management applications for any systems added to Data Protection Central, including Single-Sign On access.

3. Add any users that require access to Data Protection Central to the user group.

Prepare to add LDAP or AD to the Data Protection Central system

Before you add LDAP or AD, you must access the Data Protection Central system and stop the services.

Procedure

1. Log in to the Data Protection Central system using SSH.

2. To switch to the root user, type the following command:

su -

3. To stop the Data Protection Central services, type the following command:

/usr/local/dpc/bin/dpc stop

After you finish

Create or edit the ldap.properties file in the /var/lib/dpc/elg/ folder to specify the values that are specific to the environment.

Create an LDAP properties file

Learn how to create an LDAP properties file.

The LDAP properties file must match the exact file name of ldap.properties and be located in the /var/lib/dpc/elg/ directory.

Note

To quickly create an LDAP properties file, it is recommended that you copy the LDAP properties template file located at /usr/local/dpc/lib/elg/conf/ldap.properties.example into /var/lib/dpc/elg/ldap.properties.


The following table describes the attributes that you can specify in the LDAP properties file.

Table 3 LDAP properties file attributes

elg.ldap.type
    Required. Specifies the type of LDAP environment. Specify either LDAP or AD.
    Examples:
        elg.ldap.type=LDAP
        elg.ldap.type=AD

elg.ldap.server.urls
    Required. Specifies the URL of the server where LDAP is hosted. Type the URL in the following format:
        {ldap | ldaps}://<hostname>:<port>
    Examples:
        elg.ldap.server.urls=ldap://ldap.dpc.local:389/
        elg.ldap.server.urls=ldaps://ldap.dpc.local:636/

elg.ldap.base.dn
    Required. Specifies the domain base distinguished name of the LDAP server.
    Example:
        elg.ldap.base.dn=dc=dpc,dc=local

elg.ldap.admin.dn
    Required. Specifies the administrative username in the base distinguished name format.
    Examples:
        LDAP:
        elg.ldap.admin.dn=uid=admin,ou=people,dc=dpc,dc=local
        Active Directory:
        elg.ldap.admin.dn=cn=administrator,dc=abc,dc=xyz,dc=com
        or, alternatively:
        [email protected]

elg.ldap.admin.password
    Required. Specifies the password for the administrative user.
    After you save the file and restart the Data Protection Central services, the password is stored in the lockbox and removed from the ldap.properties file.
    Examples:
        elg.ldap.admin.password=changeme1
    or, if the password contains Java special characters, escape the special character with a backslash \. For example, if the password is change\me1, enter it like this:
        elg.ldap.admin.password=change\\me1


elg.ldap.group.search.name
    Required. Specifies the user group name that contains the users who require access to Data Protection Central.
    If you do not specify this attribute, the default value of dp_admin is used.
    Example: if the distinguished name of the group is cn=backupadmins,ou=groups,dc=dpc,dc=local, specify the group name with the following entry:
        elg.ldap.group.search.name=backupadmins

elg.ldap.group.search.base
    Optional. Specifies the distinguished name of the administrator user group on the LDAP server.

    NOTICE
    Do not specify this attribute unless there are duplicate entries of the group name on the LDAP or AD server. If you specify this attribute when there is a single instance of a group, user authentication may fail.

    If the group name specified with elg.ldap.group.search.name is duplicated on the LDAP or AD server, then you must specify this attribute for Data Protection Central to identify the correct instance of the group name.
    When there is only one instance of the group name, Data Protection Central automatically locates the group on the LDAP or AD server.
    Example: consider the following scenario. The LDAP server has two BackupAdmins groups in different locations. The groups have the following distinguished names:
        • cn=backupadmins,ou=groups,dc=dpc,dc=local
        • cn=backupadmins,ou=groupcontainer,dc=dpc,dc=local
    You want to use the group located in the groupcontainer folder for Data Protection Central. In this scenario, specify:
        elg.ldap.group.search.base=ou=groupcontainer

Special characters in admin username and password

If the Admin username or password in the ldap.properties file incorporates Java special characters, they must be escaped by a \ (backslash).

Example 1 Admin username example

If the Admin username in the ldap.properties file uses the domain\username format, the following example would be incorrect because it omits the escape character (a backslash):

elg.ldap.admin.dn=dpc.local\administrator

The correct syntax includes the \ escape character:

elg.ldap.admin.dn=dpc.local\\administrator

Example 2 Admin password example


If the Admin password incorporates a Java special character, the following example would be incorrect:

elg.ldap.admin.password=password1\

The correct syntax would be:

elg.ldap.admin.password=password1\\

Supported Java special characters

Table 4 on page 19 provides examples of Java special characters that you must escape by using a backslash.

Table 4 Examples of Java special characters

Special character escaped by \    Display
\'                                Single quotation mark
\"                                Double quotation mark
\\                                Backslash
\t                                Tab
\b                                Backspace
\r                                Carriage return
\f                                Formfeed
\n                                Newline

Examples of the LDAP properties file

Consider the following examples of the LDAP property file.

Example 3 Example LDAP properties file

elg.ldap.type=LDAP
elg.ldap.server.urls=ldaps://dpc.local.domain.com:636/
elg.ldap.base.dn=dc=local,dc=domain,dc=com
elg.ldap.admin.dn=uid=Admin,ou=People,dc=local,dc=domain,dc=com
elg.ldap.admin.password=PgK17y5*
elg.ldap.group.search.name=dp_admin

Example 4 Example LDAP properties file for active directory


elg.ldap.type=AD
elg.ldap.server.urls=ldap://dpc.corp.domain.com:389/
elg.ldap.base.dn=dc=corp,dc=domain,dc=com
elg.ldap.admin.dn=cn=Administrator,cn=Users,dc=sddc,dc=local
elg.ldap.admin.password=4tHgI8fL
elg.ldap.group.search.name=dp_admin
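The following Python script is an added example, not code from the guide or the product: it writes the six keys from Examples 3 and 4 with the Table 4 escapes applied and reads the file back the way java.util.Properties does, which shows what the incorrect forms in Examples 1 and 2 actually turn into. The admin DN and password it uses are constructed values.

```python
"""Write and read back a Data Protection Central ldap.properties file with Java escaping.

Added example, not part of the Dell EMC guide or the product. The keys follow
Examples 3 and 4 of the guide and the escape table follows Table 4; the admin
DN and password used below are constructed values.
"""

# Table 4 of the guide: character -> backslash escape sequence.
JAVA_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\t": "\\t",
                "\b": "\\b", "\r": "\\r", "\f": "\\f", "\n": "\\n"}
# Reverse map keyed by the character after the backslash ('t' -> TAB, '\\' -> '\\').
JAVA_UNESCAPES = {seq[1]: ch for ch, seq in JAVA_ESCAPES.items()}

# Key order used by Examples 3 and 4 of the guide.
LDAP_KEYS = ("elg.ldap.type", "elg.ldap.server.urls", "elg.ldap.base.dn",
             "elg.ldap.admin.dn", "elg.ldap.admin.password", "elg.ldap.group.search.name")


def escape_value(value: str) -> str:
    """Escape VALUE so that java.util.Properties reads it back unchanged."""
    return "".join(JAVA_ESCAPES.get(ch, ch) for ch in value)


def unescape_value(text: str) -> str:
    """Decode a value the way Properties.load does for the Table 4 escapes.

    An escape Java does not know, such as \\a, is read as the bare character, which is
    why an unescaped dpc.local\\administrator collapses to dpc.localadministrator.
    """
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append(JAVA_UNESCAPES.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def logical_lines(text: str):
    """Join physical lines ending in an unescaped backslash (Java line continuation).

    This is the Example 2 failure: password1\\ makes Java glue the next key=value line
    onto the password.
    """
    pending = None
    for physical in text.splitlines():
        line = physical if pending is None else pending + physical.lstrip()
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:  # odd count: the last backslash is a continuation marker
            pending = line[:-1]
            continue
        pending = None
        yield line
    if pending is not None:
        yield pending


def render_ldap_properties(values: dict) -> str:
    """Build ldap.properties content from the six keys the guide uses, escaping each value."""
    missing = [k for k in LDAP_KEYS if k not in values]
    if missing:
        raise ValueError(f"missing keys: {missing}")
    if values["elg.ldap.type"] not in ("LDAP", "AD"):
        raise ValueError("elg.ldap.type must be LDAP or AD")
    return "".join(f"{k}={escape_value(values[k])}\n" for k in LDAP_KEYS)


def parse_ldap_properties(text: str) -> dict:
    """Read ldap.properties back into a dict, applying Java line joining and unescaping."""
    props = {}
    for line in logical_lines(text):
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue
        key, sep, raw = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        props[key.strip()] = unescape_value(raw.strip())
    return props


if __name__ == "__main__":
    good = render_ldap_properties({
        "elg.ldap.type": "AD",
        "elg.ldap.server.urls": "ldap://dpc.corp.domain.com:389/",
        "elg.ldap.base.dn": "dc=corp,dc=domain,dc=com",
        "elg.ldap.admin.dn": "dpc.local\\administrator",  # constructed, domain\username form
        "elg.ldap.admin.password": "password1\\",         # constructed, ends in a backslash
        "elg.ldap.group.search.name": "dp_admin",
    })
    print(good)                          # correctly escaped file, as in Examples 1 and 2
    print(parse_ldap_properties(good))   # the values come back unchanged
    bad = good.replace("\\\\", "\\")     # the incorrect single-backslash forms
    print(parse_ldap_properties(bad))    # DN loses a character, password swallows the next line
```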

Finish adding LDAP or AD and log in to the Data Protection Central user interface

After you add the ldap.properties file, perform the following steps to complete the LDAP configuration.

Procedure

1. To assign administrator ownership of the ldap.properties file, type the following command:

chown admin:admin /var/lib/dpc/elg/ldap.properties

2. To set the protection of the ldap.properties file, type the following command:

chmod 644 /var/lib/dpc/elg/ldap.properties

3. To restart Data Protection Central and activate the change, type the following command:

/usr/local/dpc/bin/dpc start

4. Once Data Protection Central is started, type the following command to confirm that all of the services are active:

/usr/local/dpc/bin/dpc status

5. Launch a web browser and navigate to the Data Protection Central address using the fully qualified domain name.

For example:

https://dpc.local.com

6. Log in to the Data Protection Central user interface with the credentials for the LDAP user account.


Add a secure LDAP (LDAPS) certificate

Learn how to add a secure LDAP (LDAPS) certificate.

Secure LDAP (LDAPS) uses TLS, and therefore requires certificate-based authentication of the LDAP server.

If the LDAP server that authenticates Data Protection Central credentials uses a non-standard certificate authority, you must add the root certificate of the authority that signed the LDAP server certificate to the Data Protection Central keystore.

Data Protection Central automatically uses the certificate authorities available within the standard Java keystore.

Procedure

1. To retrieve the certificate details from the LDAP server, type the following command:

/usr/local/dpc/bin/dpc trust-ldaps <LDAPS server FQDN or IP>

The certificate details are listed. Confirm that they match the certificate the LDAP server is expected to present before you continue. The operation prompts you to continue with adding the certificate to the keystore.

2. To add the LDAP server's certificate to the Data Protection Central Java keystore, type y in response to the prompt.

3. After the certificate is added to the keystore, restart the Data Protection Central services using the following commands:

/usr/local/dpc/bin/dpc stop
/usr/local/dpc/bin/dpc start

Verify the LDAP or AD connection status

You can verify the LDAP or AD connection status by looking for messages in the log file or on the Audit page.

Check the LDAP status on the Audit page

You can verify the success of the LDAP configuration on the Data Protection Central Audit page.

If LDAP configuration is successful, you can log in to the Data Protection Central web user interface with an LDAP account. If configuration fails, log in to Data Protection Central using the [email protected] account and browse to the Audit page for details.

The Audit page shows the overall status of the operation and the status of each individual sub-task. You can use this information to locate the point in the operation that caused the LDAP configuration to fail.

The following figure shows an example of an LDAP configuration activity on the Audit page.


Figure 2 LDAP configuration activities on the Audit page

Check the LDAP status in the log file

Check the /var/log/dpc/elg/elg.log log file for messages about the LDAP connection status.

Messages that appear during LDAP connection failure

If the following message appears, the LDAP client did not make a successful connection to the LDAP server:

2018-04-03 11:00:26,929 INFO localhost-startStop-1 c.e.c.c.SecurityConfig LDAP or AD Directory Service providers are not available

There are multiple issues that can prevent the LDAP client from connecting to the LDAP server. Look for error messages in the log file that provide more information.

The following table describes various error messages that appear during LDAP connection failures and their causes.

Table 5 LDAP communication messages

Message: INFO localhost-startStop-1 c.e.c.c.SecurityConfig LDAP or AD Directory Service providers are not available
Cause: No LDAP or AD settings are provided, or they are provided with incorrect information.

Message: .ADLdapAuthenticationProvider Ignoring AD authentication. Verification of ldap settings failed. Failed to connect
Cause: Invalid AD configuration information.

Message: .LdapAuthenticationProvider Ignoring LDAP authentication. Verification of ldap settings failed. Failed to connect
Cause: Invalid LDAP configuration information.

Message: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path
Cause: Validation of the LDAP server certificate could not be completed. One possible solution for this issue is to add the LDAP server certificate to the Data Protection Central Java keystore.

Messages that appear during LDAP connection success

Messages similar to the following appear when the LDAP client successfully connects to the LDAP server:

c.e.c.s.a.l.LDAPSecureStorage LDAP admin credentials are secured
c.e.c.s.a.l.ExternalAuthenticationProvider Type: LDAP


c.e.c.s.a.l.ExternalAuthenticationProvider Base DN: dc=mydomain,dc=com
c.e.c.s.a.l.ExternalAuthenticationProvider Admin user DN: cn=Administrator,dc=my-domain,dc=com
c.e.c.s.a.l.ExternalAuthenticationProvider User Base: ou=people
c.e.c.s.a.l.ExternalAuthenticationProvider User Search DN: (|(uid={0})(cn={0}))
c.e.c.s.a.l.ExternalAuthenticationProvider User Pattern DN: []
c.e.c.s.a.l.ExternalAuthenticationProvider Group Name: dp_admin
c.e.c.s.a.l.ExternalAuthenticationProvider Group Search Base: ou=group
c.e.c.s.a.l.ExternalAuthenticationProvider Group Search Filter: (&(member={0})(cn=dp_admin))
o.s.s.l.DefaultSpringSecurityContextSource URL 'ldap://12.3.104.150:546/dc=my-domain,dc=com', root DN is 'dc=mydomain,dc=com'
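As an added example (not part of the guide or the product), the following Python script applies Table 5 as detection logic to elg.log lines: it classifies the failure messages, recognizes the success listing, and flags a plain ldap:// URL. The sample lines are constructed and their logger prefixes are assumed.

```python
"""Classify LDAP/AD connection messages in the ELG log using the guide's Table 5.

Added example, not part of the Dell EMC guide or the product. The patterns are
the message fragments quoted in Table 5 and in the success listing above. The
sample log lines embedded below are constructed for illustration (the logger
prefixes on them are assumed), not captured from a real system.
"""
import re
import sys

# (pattern, cause) pairs in the order of Table 5 of the guide.
FAILURE_CAUSES = [
    (re.compile(r"LDAP or AD Directory Service providers are not available"),
     "No LDAP or AD settings are provided, or they are provided with incorrect information."),
    (re.compile(r"ADLdapAuthenticationProvider Ignoring AD authentication"),
     "Invalid AD configuration information."),
    (re.compile(r"\bLdapAuthenticationProvider Ignoring LDAP authentication"),
     "Invalid LDAP configuration information."),
    (re.compile(r"PKIX path building failed"),
     "Validation of the LDAP server certificate could not be completed; "
     "add the issuing certificate to the Java keystore (dpc trust-ldaps)."),
]
# Markers from the success listing: the first only appears once the client connected.
SUCCESS_MARKER = re.compile(r"LDAPSecureStorage LDAP admin credentials are secured")
CONTEXT_URL = re.compile(r"DefaultSpringSecurityContextSource URL '([^']+)'")
GROUP_NAME = re.compile(r"ExternalAuthenticationProvider Group Name: (\S+)")


def analyse(lines):
    """Return {'status', 'causes', 'url', 'group', 'warnings'} for an iterable of log lines."""
    report = {"status": "unknown", "causes": [], "url": None, "group": None, "warnings": []}
    for line in lines:
        for pattern, cause in FAILURE_CAUSES:
            if pattern.search(line) and cause not in report["causes"]:
                report["causes"].append(cause)
        if SUCCESS_MARKER.search(line):
            report["status"] = "connected"
        url = CONTEXT_URL.search(line)
        if url:
            report["url"] = url.group(1)
        group = GROUP_NAME.search(line)
        if group:
            report["group"] = group.group(1)
    if report["status"] != "connected" and report["causes"]:
        report["status"] = "failed"
    # Defender's check: with a plain ldap:// URL the admin bind made with
    # elg.ldap.admin.password crosses the network without TLS unless the
    # directory negotiates StartTLS; the LDAPS section of the guide covers the fix.
    if report["url"] and report["url"].startswith("ldap://"):
        report["warnings"].append("LDAP URL uses ldap:// rather than ldaps://")
    return report


# Constructed sample lines (timestamps, levels and logger prefixes are assumed).
SAMPLE_FAILURE = """\
2018-04-03 11:00:25,102 WARN localhost-startStop-1 c.e.c.s.a.l.LdapAuthenticationProvider Ignoring LDAP authentication. Verification of ldap settings failed. Failed to connect
2018-04-03 11:00:25,103 WARN localhost-startStop-1 c.e.c.s.a.l.LdapAuthenticationProvider PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path
2018-04-03 11:00:26,929 INFO localhost-startStop-1 c.e.c.c.SecurityConfig LDAP or AD Directory Service providers are not available
"""
SAMPLE_SUCCESS = """\
2018-04-03 11:05:01,001 INFO localhost-startStop-1 c.e.c.s.a.l.LDAPSecureStorage LDAP admin credentials are secured
2018-04-03 11:05:01,002 INFO localhost-startStop-1 c.e.c.s.a.l.ExternalAuthenticationProvider Type: LDAP
2018-04-03 11:05:01,005 INFO localhost-startStop-1 c.e.c.s.a.l.ExternalAuthenticationProvider Group Name: dp_admin
2018-04-03 11:05:01,010 INFO localhost-startStop-1 o.s.s.l.DefaultSpringSecurityContextSource URL 'ldap://12.3.104.150:546/dc=my-domain,dc=com', root DN is 'dc=my-domain,dc=com'
"""


def main(argv):
    """With a path argument, analyse that log file; otherwise run the two samples."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            print(analyse(fh))
        return
    for name, sample in (("failure", SAMPLE_FAILURE), ("success", SAMPLE_SUCCESS)):
        print(name, analyse(sample.splitlines()))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 elg_ldap_check.py /var/log/dpc/elg/elg.log` on the appliance to get the verdict for the current log.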

User and credential management

Learn how to manage Data Protection Central users and credentials.

Pre-loaded accounts

The following table describes the pre-loaded Data Protection Central accounts.

Table 6 Pre-loaded accounts

User account: Data Protection Central administrator
Description: The default user for Data Protection Central web application administration.

User account: Linux operating system admin
Description: The default user for Data Protection Central operating system level administration. This account is for OVA deployments only.
Note: Only the Linux OS admin can log in using a secure shell (ssh).

User account: Linux operating system root
Description: The root operating system account. This account is for OVA deployments only.

Default credentials

The following table describes the default credentials for the pre-loaded Data Protection Central accounts.

Table 7 Default credentials

Account                                  User                     Password
Data Protection Central administrator    [email protected]    secret
Linux operating system admin             admin                    The admin password is set when Data Protection Central is deployed.
Linux operating system root              root                     The OS root password is set when Data Protection Central is deployed.


Managing credentials

Learn how to manage user login credentials.

The default provider root password is stored in a configuration file. To reset the local and default account, edit the configuration file, and then restart the server.

The password that is entered during the OVA deployment is stored in a configuration file. On the first start up, the password is stored in an encrypted format in the Data Protection Central lockbox, and then the configuration file is deleted.

Reset the administrator password

If required, you can reset the [email protected] password to the default password. The default password is secret.

Procedure

1. Stop the ELG service by running the following command:

service msm-elg stop

2. To change the directory, type the following command:

cd /usr/local/dpc/lib/elg

3. To delete the account, type the following command:

bin/elgcli --deleteUserAccount

4. Start the ELG service by running the following command:

service msm-elg start

Results

The password is changed to the default password (secret). Remember to log in to Data Protection Central the next time with the [email protected] username. Data Protection Central prompts you to change the default password.

Modifying the Linux operating system user credentials

For OVA deployments of Data Protection Central, the Linux admin and root user passwords are configured when you deploy the OVA template. You can change these passwords using the standard Linux password change command.

From either an SSH session connected to the Data Protection Central system or the Data Protection Central system console, run the following command to change the operating system admin or root password:

passwd {admin | root}

The Linux documentation provides more information on using the passwd command.


Password complexity

The following table describes the password complexity requirements.

Table 8 Password complexity requirements

Data Protection Central administrator:
• A minimum of 9 characters.
• A maximum of 15 characters.
• At least 1 lowercase character.
• At least 1 uppercase character.
• At least 1 number.
• At least 1 of the following special characters: ! @ # $ % ^ & * ( ) - _
• The password cannot include any whitespace.

Linux operating system admin: The password length must be between 8 and 256 characters.

Linux operating system root: The password length must be between 8 and 256 characters.
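The following Python checker is an added example, not part of the guide or the product; it encodes the Table 8 rules so a candidate password can be tested before it is set. The sample passwords are constructed, and the rejection of characters outside the listed classes is an assumption the table does not state.

```python
"""Check candidate passwords against the complexity rules in Table 8 of the guide.

Added example, not part of the Dell EMC guide or the product. The rules are
transcribed from Table 8; the sample passwords are constructed. One assumption
beyond the table: characters outside the classes it names (for example '+' or
non-ASCII letters) are reported as unsupported rather than silently ignored.
"""
import string

DPC_ADMIN = "Data Protection Central administrator"
LINUX_ACCOUNTS = ("Linux operating system admin", "Linux operating system root")

ADMIN_SPECIALS = frozenset("!@#$%^&*()-_")  # the special characters Table 8 lists
ADMIN_ALLOWED = frozenset(string.ascii_letters + string.digits) | ADMIN_SPECIALS


def check_dpc_admin_password(password: str) -> list:
    """Return the Table 8 requirements PASSWORD fails (an empty list means it passes)."""
    failures = []
    if len(password) < 9:
        failures.append("a minimum of 9 characters")
    if len(password) > 15:
        failures.append("a maximum of 15 characters")
    if not any(c in string.ascii_lowercase for c in password):
        failures.append("at least 1 lowercase character")
    if not any(c in string.ascii_uppercase for c in password):
        failures.append("at least 1 uppercase character")
    if not any(c in string.digits for c in password):
        failures.append("at least 1 number")
    if not any(c in ADMIN_SPECIALS for c in password):
        failures.append("at least 1 of the special characters ! @ # $ % ^ & * ( ) - _")
    if any(c.isspace() for c in password):
        failures.append("no whitespace")
    # Assumption (not stated in Table 8): anything outside the four classes is rejected.
    unsupported = sorted({c for c in password if c not in ADMIN_ALLOWED and not c.isspace()})
    if unsupported:
        failures.append("unsupported characters: " + "".join(unsupported))
    return failures


def check_linux_password(password: str, low: int = 8, high: int = 256) -> list:
    """Table 8 rule for the Linux admin and root accounts: length between 8 and 256."""
    if low <= len(password) <= high:
        return []
    return [f"a length between {low} and {high} characters (got {len(password)})"]


def check_password(account: str, password: str) -> list:
    """Dispatch on the account name exactly as Table 8 spells it."""
    if account == DPC_ADMIN:
        return check_dpc_admin_password(password)
    if account in LINUX_ACCOUNTS:
        return check_linux_password(password)
    raise ValueError(f"unknown account: {account!r}")


if __name__ == "__main__":
    # The default administrator password fails four rules, which is why Data Protection
    # Central forces a change at first login. The other values are constructed.
    for account, candidate in ((DPC_ADMIN, "secret"), (DPC_ADMIN, "Dpc!Admin19"),
                               (DPC_ADMIN, "Dpc Admin19!"), (LINUX_ACCOUNTS[1], "short")):
        problems = check_password(account, candidate)
        print(f"{account} / {candidate!r}: {'OK' if not problems else ', '.join(problems)}")
```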

Authentication to external data protection systems

Data Protection Central includes features to monitor and manage external data protection systems, such as Avamar. Data Protection Central requires credentials to access the external system.

Configuring remote connections

Data Protection Central establishes a remote connection to external systems that you add from the System Management page.

When you add a system to Data Protection Central, you must provide connection information including the hostname and credentials for that system. Data Protection Central stores this connection information and uses it to access the remote system.

Credential security

Data Protection Central stores external credentials securely.

After you add a system to Data Protection Central, the external system credentials are stored in a secure lockbox.

Single Sign-On

Data Protection Central supports Single Sign-On (SSO) authentication for certain external systems.

SSO streamlines the process of managing systems by logging you into system management applications directly when you launch them from Data Protection Central.


Systems must meet the following version requirements to enable SSO:

Table 9 System version requirements for SSO

System type                User interface                        Supported versions
Avamar                     Avamar Administrator                  7.5.1 and later
Avamar                     AUI                                   18.1 and later
NetWorker                  NetWorker Management Console (NMC)    18.1 and later
NetWorker                  NetWorker Management Web UI           18.1 and later
Search                     Search Web User Interface             18.1 and later
Data Protection Advisor    DPA Web Console                       18.2 and later
Data Domain                Data Domain System Manager            6.2.0.10 and later

If systems do not meet these version requirements, SSO is not available. You can monitor the SSO health status on the Health page.

Note

The SSO health status reflects the Data Protection Central SSO connection status rather than the status of the remote system. Therefore, the SSO health may be reported as healthy when the monitored system is out of sync.

Authorization

Data Protection Central supports a single administrative role.

Both the default [email protected] account and any LDAP users added to the administrative group in the ldap.properties file are granted the administrator role in Data Protection Central.

When the Data Protection Central administrator logs in, they have access to all Data Protection Central features and functions.

The administrator also has administrative access to external system management applications, such as Avamar Administrator, for all systems added to Data Protection Central.

Network security

Learn about network security in Data Protection Central.

Data Protection Central uses a firewall to enhance security by restricting inbound and outbound network traffic to specific TCP and UDP ports. The tables in this section list the inbound and outbound ports that Data Protection Central uses.


Network exposure

Data Protection Central uses inbound and outbound ports when communicating with remote systems.

Outbound ports

Outbound ports can be used by Data Protection Central when connecting to a remote system.

The ports that are listed in the following table are the Data Protection Central outbound ports.

Table 10 Outbound ports

Port number    Layer 4 Protocol    Service
7              TCP, UDP            ECHO
22             TCP                 SSH
25             TCP                 SMTP
53             UDP, TCP            DNS
67,68          TCP                 DHCP
80             TCP                 HTTP
88             TCP, UDP            Kerberos
111            TCP, UDP            ONC RPC
123            TCP, UDP            NTP
161-163        TCP, UDP            SNMP
389            TCP, UDP            LDAP
443            TCP                 HTTPS
448            TCP                 Data Protection Search Admin REST API
464            TCP, UDP            Kerberos
514            TCP, UDP            rsh
587            TCP                 SMTP
636            TCP, UDP            LDAPS
902            TCP                 VMware ESXi
2049           TCP, UDP            NFS
2052           TCP, UDP            mountd, clearvisn
3009           TCP                 Data Domain REST API
5671           AMQP over SSL       RabbitMQ. Note: needed for NetWorker 9.2.1.4, 18.1.0.2-41, or 18.2.0-28, and later versions.
5672           AMQP                RabbitMQ. Needed for NetWorker versions earlier than 9.2.1.4, 18.1.0.2-41, or 18.2.0-28.
8443           TCP                 MCSDK. 8443 is an alternative for 443.
9000           TCP                 NetWorker Management Console
9002           TCP                 Data Protection Advisor REST API
9090           TCP                 NetWorker Authentication Service and REST API
9443           TCP                 Avamar Management Console web service

Inbound ports

Learn about the inbound ports that are available to be used by a remote system when connecting to Data Protection Central.

The ports that are listed in the following table are the Data Protection Central inbound ports.

Table 11 Inbound ports

Port number    Layer 4 Protocol    Service
22             TCP                 SSH
80             TCP                 HTTP
443            TCP                 HTTPS
5671           TCP                 RabbitMQ over amqp


Modify the Data Protection Central firewall to use a non-standard port

If you add a system to Data Protection Central that uses a non-standard port, you must modify the Data Protection Central firewall to allow communication with that port.

Procedure

1. To access the Data Protection Central system, run the following command:

ssh -l <username> <dpc_fqdn>

2. To switch to the root user, run the following command:

su -

3. To edit the Data Protection Central firewall rules file, open the following file with a Linux file editor:

/usr/local/dpc/lib/firewall/scripts/SuSEfirewall2-msm-custom

4. In the fw_custom_before_denyall() method, under production rules, modify the --dport entry to add the port you want Data Protection Central to access.

For example:

# production rules
exec_rule -A $chain -j ACCEPT -m multiport -p tcp --dport 22,88,389,443,448,636,2049,2052,3009,9000,9002,9443

It is recommended that you replace the default service port with the alternate port. The following table describes the ports that system services use by default:

Service                                          Port
Avamar Management Console                        9443
NetWorker Authentication Service and REST API    9090
NetWorker Management Console                     9000
Data Domain REST API                             3009
Search Rest API                                  448
Search UI                                        443
Data Protection Advisor                          9002

5. Save and close the file.


6. To restart the firewall and apply the changes, run the following commands:

service SuSEfirewall2 stop

service SuSEfirewall2_init stop

service SuSEfirewall2 start

service SuSEfirewall2_init start
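The edit in step 4 can be scripted. The following Python helper is an added example, not part of the guide or the product: it rewrites the production exec_rule line, appending the alternate port and, as recommended above, dropping the service's default port, and it refuses a list longer than the 15 ports that iptables multiport accepts. The script fragment it edits is constructed, and the decision never to drop 22 or 443 is this example's own assumption.

```python
"""Move a service to a non-standard port in the SuSEfirewall2-msm-custom production rule.

Added example, not part of the Dell EMC guide or the product. It rewrites the
exec_rule ... --dport line shown in step 4 of the procedure: the new port is
appended and, as the guide recommends, the service's default port is dropped.
Default ports come from the guide's table; the script fragment below is constructed.
"""
import re
import sys

# Default service ports (table under step 4 of the procedure).
DEFAULT_SERVICE_PORTS = {
    "Avamar Management Console": 9443,
    "NetWorker Authentication Service and REST API": 9090,
    "NetWorker Management Console": 9000,
    "Data Domain REST API": 3009,
    "Search Rest API": 448,
    "Search UI": 443,
    "Data Protection Advisor": 9002,
}
# Assumption of this script: 22 (SSH) and 443 (HTTPS) serve more than one purpose
# in the outbound port table, so they are never removed from the rule.
NEVER_REMOVE = {22, 443}
MULTIPORT_LIMIT = 15  # iptables -m multiport accepts at most 15 ports per rule

DPORT_LINE = re.compile(r"^(?P<head>\s*exec_rule\b.*?--dport )(?P<ports>[0-9,:]+)(?P<tail>.*)$")
PORT_TOKEN = re.compile(r"^(\d+)(?::(\d+))?$")


def parse_ports(spec: str) -> list:
    """Split '22,88,161:163' into validated tokens, keeping ranges as written."""
    tokens = []
    for tok in spec.split(","):
        m = PORT_TOKEN.match(tok)
        if not m or not all(1 <= int(n) <= 65535 for n in m.groups() if n):
            raise ValueError(f"bad port token {tok!r}")
        tokens.append(tok)
    return tokens


def rewrite_dport_line(line: str, add_port: int, remove_port=None) -> str:
    """Return LINE with ADD_PORT appended to --dport and REMOVE_PORT dropped."""
    m = DPORT_LINE.match(line)
    if not m:
        raise ValueError("not an exec_rule line with --dport")
    ports = parse_ports(m.group("ports"))
    if remove_port is not None and remove_port not in NEVER_REMOVE:
        ports = [p for p in ports if p != str(remove_port)]
    if str(add_port) not in ports:
        ports.append(str(add_port))
    if len(ports) > MULTIPORT_LIMIT:
        raise ValueError(f"multiport rule would list {len(ports)} ports; limit is {MULTIPORT_LIMIT}")
    return f"{m.group('head')}{','.join(ports)}{m.group('tail')}"


def move_service_port(script: str, service: str, new_port: int, keep_default=False) -> str:
    """Rewrite the first --dport rule after '# production rules' in SCRIPT."""
    if not 1 <= new_port <= 65535:
        raise ValueError("port out of range")
    default = DEFAULT_SERVICE_PORTS[service]
    lines = script.split("\n")  # split/join on "\n" preserves the trailing newline
    in_production = False
    for i, line in enumerate(lines):
        if line.strip().startswith("# production rules"):
            in_production = True
            continue
        if in_production and "--dport" in line:
            lines[i] = rewrite_dport_line(line, new_port, None if keep_default else default)
            return "\n".join(lines)
    raise ValueError("production --dport rule not found")


# Constructed fragment mirroring the line the guide shows in step 4.
SAMPLE_SCRIPT = """\
fw_custom_before_denyall() {
    # production rules
    exec_rule -A $chain -j ACCEPT -m multiport -p tcp --dport 22,88,389,443,448,636,2049,2052,3009,9000,9002,9443
    true
}
"""

if __name__ == "__main__":
    # Usage: move_port.py <path> "<service>" <port>   (prints the rewritten script)
    if len(sys.argv) == 4:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.stdout.write(move_service_port(fh.read(), sys.argv[2], int(sys.argv[3])))
    else:
        sys.stdout.write(move_service_port(SAMPLE_SCRIPT, "Avamar Management Console", 8443))
```

Review the printed result before copying it over /usr/local/dpc/lib/firewall/scripts/SuSEfirewall2-msm-custom and restarting the firewall as in step 6.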

Data security

The data that is held, managed, used, or operated on by Data Protection Central is stored and secured.

Data Protection Central does not encrypt event or application data within MongoDB.

Data Protection Central prevents unauthorized access to the Data Protection Central system.

Lockbox

Data Protection Central uses a secure storage lockbox to encrypt and store both internal system credentials and credentials for external systems that Data Protection Central monitors and manages.

The lockbox is created when you deploy Data Protection Central. During deployment, you must specify a lockbox password. The password is encrypted and stored in the lockbox along with Stable System Values (SSVs), which uniquely identify the Data Protection Central host. The lockbox uses the SSVs to generate an encryption key to encrypt the system credentials.

Stable System Values (SSVs)

Stable System Values (SSVs) validate access to the lockbox.

When data is written to or retrieved from the lockbox, the SSVs in the lockbox are compared against the SSVs generated from the host. If the SSVs match, the operation is permitted. If the SSVs do not match, the operation fails.

Cryptography

Learn about cryptography in Data Protection Central.

Data Protection Central uses cryptography for the following components:

• Access control
• Authentication
• Digital signatures


Certificate management

Data Protection Central uses certificates for secure http access (https).

By default, Data Protection Central generates a default SSL self-signed certificate in the following location:

/var/lib/dpc/webcerts

The self-signed certificate is sufficient to establish an encrypted channel between web browsers and the server. The self-signed certificate cannot be used for authentication.

You can use the following types of certificates for Data Protection Central authentication:

• A self-signed certificate.
• A certificate that is signed by a trusted certificate authority (CA) vendor.

Note

Consider company policies when creating certificates.

Generate a self-signed certificate

To enable a secure browser connection, create a private key and a self-signed certificate.

Procedure

1. To connect to the Data Protection Central server as an admin user, run the following command:

ssh admin@SERVER

2. To change to the root user, run the following command:

su -

3. To change the directory to /var/lib/dpc/webcerts, run the following command:

cd /var/lib/dpc/webcerts

4. To generate a new certificate, run the following command:

openssl req -newkey rsa:2048 -sha256 -x509 -keyout private-key.pem -out cert.pem -nodes -days 3650

5. Set the owner and group of the new certificate files to the following:

chown admin *.pem


6. Restart NGINX.

systemctl restart nginx

7. To verify the new self-signed certificate, browse Data Protection Central.

Generate a Certificate Signing Request

To enable a secure browser connection, generate a Certificate Signing Request (CSR).

Procedure

1. To connect to the Data Protection Central server as an admin user, type the following command:

ssh admin@SERVER

2. To change to the root user, type the following command:

su -

3. To change the directory to /var/lib/dpc/webcerts, type the following command:

cd /var/lib/dpc/webcerts

4. To generate a certificate signing request using the private key created in the self-signed certificate procedure, type the following command:

openssl req -new -sha256 -key private-key.pem -out cert.csr

5. Send the cert.csr to a certificate authority (CA) vendor.

6. Replace the current cert.pem file with the certificate received from the CA vendor.

7. Restart NGINX.

systemctl restart nginx

8. To verify the new certificate, browse Data Protection Central.

Auditing and logging

Learn about auditing and logging in Data Protection Central.

The following list includes information about the Data Protection Central directory structure and log information:


• The /var/log/dpc/install directory hosts all logs generated from deploying or upgrading Data Protection Central.

• The /var/lib/dpc directory hosts all Data Protection Central generated data, which consists of MongoDB and RabbitMQ.

• The /var/log/dpc directory hosts all Data Protection Central related logs, including NGINX, MongoDB, and RabbitMQ.

• All Data Protection Central related logs are under /var/log/dpc/[module name]. The [module name].out files contain console logging from starting and running the module process. The [module name].log files contain logging from the module.

• All Elemental Gateway (ELG) logs are under /var/log/dpc/elg/.

• The Data Protection Central user interface (msm-ui-main service) log is under /var/log/dpc/msm-ui-main. This log file is small and contains information from starting the Node.js server.

• The Data Protection Central Monitoring (dpc-monitor service) logs are under /var/log/dpc/monitor. This directory contains the rolling log files from the monitoring process.

Serviceability

The Support website at https://support.emc.com provides access to licensing information, product documentation, advisories, and downloads, as well as how-to and troubleshooting information. This information may enable you to resolve a product issue before you contact Support.

There is no special login to Data Protection Central for service personnel.

Ensure that you install security patches and other updates when they are available, including the Data Protection Central OS update.

Security patches

A security update for Data Protection Central may be periodically provided.

The periodic updates are cumulative.

Each periodic update is announced through a security advisory. The security advisory provides details about the contents of the periodic update and installation instructions. To view these advisories or to register for email notifications, go to the Support website at:

https://support.emc.com

Data Protection Central OS update

Periodically, security patches and fixes are released for the Data Protection Central OS.

These fixes must be installed on OVA deployments of Data Protection Central. When available, it is highly recommended that you install these security patches and fixes on the Data Protection Central server.

The Data Protection Central OS Update Release Notes provides information about the security patches and fixes included in the Data Protection Central OS update. The Support KB article https://support.emc.com/kb/522157 provides instructions for installing the OS update.

Product code integrity

When the Data Protection Central software is uploaded to the online support website, a SHA-256 checksum is also provided. It is recommended that you use the checksum to verify the authenticity of the Data Protection Central deployment file.

The Data Protection Central deployment files, both OVA and JAR objects, are digitally signed. You can verify the authenticity of the OVA file when you deploy the OVF template. When you deploy the JAR file, run the jarsigner -verify -verbose command to verify the authenticity.


CHAPTER 3

Federal standards and compliance

Topics include:

• STIG compliance
• Internet Protocol version 6
• VPAT accessibility features


STIG compliance

A Security Technical Implementation Guide (STIG) defines a configuration and maintenance standard for computer deployments required by the US Department of Defense (DoD) Information Assurance (IA) program. These guidelines are designed to enhance security settings and configuration options before the systems are connected to a network. More information about the various STIGs is available at http://iase.disa.mil/stigs/index.html.

Severity Category Codes (referred to as CAT) describe the vulnerabilities that are used to assess a facility or system security posture. CAT I Severity Code describes security protections that can be bypassed, allowing immediate access by unauthorized personnel or unauthorized use of super-user privileges. CAT I weaknesses must be corrected before an Authorization to Operate (ATO) is granted.

Data Protection Central compliance with CAT I Security Requirements is described in Table 12.

Table 12 CAT I Security Requirements

STIG Vulnerability ID: V-55051
Rule Title: The network device must enforce the assigned privilege level for each administrator and authorizations for access to commands relative to the privilege level according to the applicable policy for the device.
Category: CAT 1
Comments: Data Protection Central implements Access Control Lists (ACL) to contain access to privileged commands and configuration files to the default user IDs, namely root and admin. Also, AppArmor profiles confine the Data Protection Central application processes according to the defined AppArmor profiles. Data Protection Central runs on SUSE Linux Enterprise Server, which enables adding ACLs to restrict access according to privilege level and organizational policy.

STIG Vulnerability ID: V-55101
Rule Title: The network device must be configured to prohibit the use of unnecessary or non-secure functions, ports, protocols, and services.
Category: CAT 1
Comments: Data Protection Central has a firewall that allows only the protocols and ports that are required by the application.

STIG Vulnerability ID: V-55103
Rule Title: The network device must uniquely identify and authenticate organizational administrators (or processes acting on behalf of organizational administrators).
Category: CAT 1
Comments: Data Protection Central uses the Linux authentication mechanism for local/SSH authentication to uniquely identify and authenticate administrators. For the web interface, the authentication is through the EMC lockbox, which also uniquely identifies and authenticates organizational administrators.

STIG Vulnerability ID: V-55131
Rule Title: The network device must only store cryptographic representations of passwords.
Category: CAT 1
Comments: Data Protection Central uses the Linux infrastructure for authentication. Passwords are stored in /etc/shadow in encrypted form. Web interface login passwords are stored in EMC lockbox in encrypted form.

STIG Vulnerability ID: V-55133
Rule Title: The network device must transmit only encrypted representations of passwords.
Category: CAT 1
Comments: Data Protection Central uses TLS for all HTTPS and AMQP communications with other systems in the solution.

STIG Vulnerability ID: V-55141
Rule Title: The network device, when utilizing PKI-based authentication, must accept only certificates issued by a DoD-approved Certificate Authority.
Category: CAT 1
Comments: When adding a system in the Data Protection Central UI, Data Protection Central allows a user to view the certificate before accepting it. The user should accept a DoD-approved certificate. Data Protection Central is capable of PKI-based authentication and can be configured to use certificates issued by a DoD-approved Certificate Authority.

STIG Vulnerability ID: V-55149
Rule Title: To protect the information from possible exploitation and use by unauthorized individuals, the network device must obscure feedback of authentication information during the authentication process.
Category: CAT 1
Comments: Data Protection Central obscures feedback of authentication information during the authentication process. For example, the UI displays asterisks when a user types in a password.

STIG Vulnerability ID: V-55159
Rule Title: The network device must terminate all network connections associated with a device management session at the end of the session, or the session must be terminated after 10 minutes of inactivity except to fulfill documented and validated mission requirements.
Category: CAT 1
Comments: Data Protection Central terminates SSH and console sessions after 10 minutes of inactivity. Web sessions are terminated after 20 minutes. This value is configurable (see Idle browser session timeout). At the end of the session, Data Protection Central terminates all network connections associated with the session.

STIG Vulnerability ID: V-55171
Rule Title: The network device must allow only authorized administrators to view or change the device configuration, system files, and other files stored either in the device or on removable media (such as a flash drive).
Category: CAT 1
Comments: Data Protection Central implements Access Control Lists (ACL) to contain access to privileged commands and configuration files to the default users, root and admin, which are delivered with the product. It is assumed that no other user is added to the system. Also, AppArmor profiles confine the Data Protection Central application processes according to the defined AppArmor profiles. Data Protection Central runs on SUSE Linux Enterprise Server, which enables you to add additional ACLs to restrict access according to privilege level and organizational policy.

STIG Vulnerability ID: V-55221
Rule Title: The network device must prevent non-privileged users from running privileged functions, including disabling, circumventing, or altering implemented security safeguards and countermeasures.
Category: CAT 1
Comments: Data Protection Central implements Access Control Lists (ACL) to contain access to privileged commands and configuration files to the default user IDs, namely root and admin. Also, AppArmor profiles confine the Data Protection Central application processes according to the defined AppArmor profiles. Data Protection Central runs on SUSE Linux Enterprise Server, which enables you to add additional ACLs to restrict access according to privilege level and organizational policy.

STIG Vulnerability ID: V-55267
Rule Title: Applications that are used for non-local maintenance sessions must implement cryptographic mechanisms to protect the confidentiality of non-local maintenance and diagnostic communications.
Category: CAT 1
Comments: Data Protection Central uses SSH and HTTPS. Only SCP can be used to securely copy files from and to Data Protection Central.

Internet Protocol version 6

IPv6 is the latest version of the Internet Protocol.

Data Protection Central functions in IPv6-only and dual-stack (IPv4 and IPv6) environments.

VPAT accessibility features

The Voluntary Product Accessibility Template (VPAT) is a document that describes product compliance with Section 508 accessibility standards.

The content that follows describes accessibility features of Data Protection Central.

Screen reader support

The Data Protection Central web application supports screen reader software, such as Job Access With Speech (JAWS) and NonVisual Desktop Access (NVDA). Screen reader software helps blind and visually impaired users to read the screen.

Keyboard navigation

You can use keyboard controls to browse through the Data Protection Central web application.

Focus

Web browsers have a focus style that indicates a focused user interface element. The focus style differs depending on the web browser being used.

For example, in Microsoft Internet Explorer and Mozilla Firefox, the focus style is a dotted border, while in Google Chrome it is a blue solid border.

Before performing any task using a user interface element, ensure that the web browser focus is set on the user interface element.

Only one element can have focus at a time. It is also possible for no user interface element to be focused, for example, on the initial load of a web page.

Tab, Shift+Tab, and arrow keys

To browse forward through user interface elements in a web browser, use the Tab key.

To browse backward through user interface elements, use the Shift+Tab keys.

You can use arrow keys to browse inside user interface elements such as menus, list boxes, or grid controls. You can also use arrow keys to scroll up or down when there is a scrollbar.

Browse sequence for user interface elements

The browse sequence for user interface elements uses the following hierarchy.

1. Parent to children.

2. Top to bottom.

3. Left to right.

The Tab key sequence loops endlessly. If you reach the last user interface control and then press the Tab key again, the web browser focus shifts to the first user interface control.

Browser bars

For most browsers, the browser bars such as the Address Bar, Tab Bar, or Status Bar also occupy a spot in the tab sequence. This means that you must press the Tab key an additional two or three times to start over from the first user interface control in the web page.

Dashboard controls

The controls on the Dashboard enable you to access any widget in the Data Protection Central Dashboard.

Use the Tab key to advance the focus to the first widget (the topmost, leftmost widget in the Dashboard). To advance the focus to interactive UI elements within the widget, continue to press the Tab key. To interact with a UI element in a widget, use the Enter or Space key. To advance to the next widget, use the Tab key.

Left navigation controls

Left pane navigation controls enable you to access any menu page in Data Protection Central.

With the focus on any member of the left pane navigation, use the Tab or Shift + Tab keys to change the focus to the item that you want. Press the Enter key to open the page.


Figure 3 Left navigation controls

Detail pane controls

The right side of the user interface provides a Detail pane with controls that enable you to access specific details within the pane.

Some of the Data Protection Central pages provide a Detail pane for the selected item in the grid view. Use Tab or Shift + Tab to scroll through the items in the Detail pane. Depending on the Data Protection Central page, you can view additional information or launch a UI by pressing the Enter key.

For example, to view activities for a selected asset in the Asset Inventory page, in the Detail pane, change focus to VIEW ACTIVITIES, and press the Enter or Space key.

Figure 4 Asset Inventory Detail pane


Widget Filter controls

Keyboard controls enable you to access the options within the Dashboard widget filters.

1. In the Dashboard, with the focus on the widget overflow button, press the Tab key, and then press the Enter or Space key. The Widget Filter dialog opens with the focus on the Search text box.

2. Press the Tab key twice to place the focus on the Available list of systems.

3. Use the keyboard up or down arrow keys to change the focus to a system in the list. With a system highlighted, the focus automatically changes to the element.

4. To move the selected item to the Filtered by list, press the Enter or Space key. The focus changes to the element.

5. To move the item from the Filtered By list to the Available list, press the Enter or Space key.

6. To add more systems to the Filtered By list, use the keyboard up or down arrow keys to select another system in the Available list. Then press the Enter or Space key.

7. To apply the changes, press the Tab key until the focus changes to the APPLY button. Then press the Enter or Space key.


Calendar controls

The calendar that is available in the date-and-time widget has keyboard controls for selecting a specific calendar date.

Figure 5 Calendar controls

1. To access a different month than the one that is displayed, use Tab or Shift + Tab to change the focus to the < or > element. Then press Enter until you access the desired month.

2. Press Tab until the focus changes to a date on the calendar.

3. Use the arrow keys to cycle through the dates until the focus is on the desired date.

4. To select the date and close the calendar, press Enter.

Data grid controls

In Data Protection Central, a data grid presents tabular information that has column titles. Data grid controls can have sub-controls.

The following is a list of the sub-controls:

- Select all control

- Column header control

- Row header control

- Cell control


Figure 6 Data grid controls

The tab sequence between the sub-controls is Select All > Column Header > Cell.

Inside the sub-controls, you can use a keyboard arrow key to browse between userinterface elements.

Use the spacebar to select or clear checkboxes.

Use the Enter or Space key to perform tasks such as opening a filter dialog oroverflow dialog.

Arrow within grid cell

Some cells within a grid contain an arrow that you can use to display or hide additional information.

Figure 7 Hide additional information example


Figure 8 Display additional information example

The following controls are available for use when an arrow appears within a grid cell:

- Use the Tab key to move the focus to the arrow.

- Use the Enter or Space key to display or hide additional information.

Overflow button within grid cell

Some cells within a grid contain an overflow button that you can use to display or hide additional actions.

Figure 9 Overflow menu controls

The following controls are available for use when an overflow button appears within a grid cell:

1. To move the focus to the overflow button, use the Tab or Shift + Tab key.

2. To display or hide a list of additional actions, use the Enter or Space key.

3. To move the focus to the first action list item, use the Tab key.

4. To move through multiple action list items, use Tab and Shift + Tab keys.

5. To select an action, press the Enter or Space key.


CHAPTER 4

Miscellaneous Configuration and Management

Topics include:

- Licensing (page 46)

- Protect authenticity and integrity (page 46)

- Perform backups and restores of Data Protection Central (page 46)

- Embedded component usage (page 46)


Licensing

Data Protection Central does not require any special or additional product licensing.

Protect authenticity and integrity

To ensure product integrity, the Data Protection Central installation components are signed.

Enable external web access with SSL using a trusted certificate authority (CA).

Perform backups and restores of Data Protection Central

To protect Data Protection Central from a disaster scenario, it is recommended that you perform backups of Data Protection Central. If required, you can restore Data Protection Central from these backups.

Virtual machine based backups of Data Protection Central are recommended. Refer to the vCenter documentation for more information.

If you are not using vCenter to perform backup and restore operations, you can also perform the following steps to back up and restore Data Protection Central.

Procedure

1. Back up the /var/lib/dpc directory.

2. To shut down the Data Protection Central software, type the following command:

sudo /usr/local/dpc/bin/dpc stop

3. Restore the /var/lib/dpc directory.

4. To start Data Protection Central, type the following command:

sudo /usr/local/dpc/bin/dpc start
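The four-step procedure above, written out as a shell script. This is an added example and not Dell's own tooling; it assumes the data directory is the guide's /var/lib/dpc (variable DPC_DATA_DIR) and that the control script is the guide's /usr/local/dpc/bin/dpc, invoked as "dpc stop" and "dpc start" (variable DPC_CMD). Both variables can be overridden from the environment. The SHA-256 sidecar file and the verification step before restore are additions the guide does not describe; they ensure that a truncated or altered archive is refused before it replaces the live data directory.

```shell
#!/bin/sh
# Added example, not Dell's own tooling: file-level backup and restore of the
# Data Protection Central data directory in the order the guide gives
# (back up; stop; restore; start), plus a checksum sidecar so a damaged or
# altered archive is refused before it overwrites live data.
#
# Assumptions (both overridable from the environment, e.g. for testing):
#   DPC_DATA_DIR  directory to protect          (guide: /var/lib/dpc)
#   DPC_CMD       control script, run as "$DPC_CMD stop" / "$DPC_CMD start"
#                                               (guide: /usr/local/dpc/bin/dpc)

DPC_DATA_DIR="${DPC_DATA_DIR:-/var/lib/dpc}"
DPC_CMD="${DPC_CMD:-/usr/local/dpc/bin/dpc}"

# dpc_backup DEST_DIR
# Writes DEST_DIR/dpc-<timestamp>.tar.gz and a .sha256 sidecar next to it.
# Prints the archive path on success; returns non-zero on any failure.
dpc_backup() {
    dest_dir="$1"
    mkdir -p "$dest_dir" || return 1
    archive="$dest_dir/dpc-$(date +%Y%m%d%H%M%S).tar.gz"
    # -C with the parent directory keeps archive paths relative (dpc/...), so
    # the archive unpacks only under the directory chosen at restore time.
    tar -czf "$archive" -C "$(dirname "$DPC_DATA_DIR")" \
        "$(basename "$DPC_DATA_DIR")" || return 1
    (cd "$dest_dir" && sha256sum "$(basename "$archive")" \
        > "$(basename "$archive").sha256") || return 1
    printf '%s\n' "$archive"
}

# dpc_verify ARCHIVE
# Returns 0 only if ARCHIVE still matches its .sha256 sidecar.
dpc_verify() {
    archive="$1"
    (cd "$(dirname "$archive")" \
        && sha256sum -c --status "$(basename "$archive").sha256")
}

# dpc_restore ARCHIVE
# Verifies the archive, stops DPC, moves the live data directory aside
# (kept, not deleted, so the restore can be undone), unpacks, and starts DPC.
dpc_restore() {
    archive="$1"
    if ! dpc_verify "$archive"; then
        echo "dpc_restore: checksum mismatch for $archive, refusing to restore" >&2
        return 1
    fi
    "$DPC_CMD" stop || return 1
    if [ -d "$DPC_DATA_DIR" ]; then
        mv "$DPC_DATA_DIR" "$DPC_DATA_DIR.pre-restore.$(date +%s)" || return 1
    fi
    tar -xzf "$archive" -C "$(dirname "$DPC_DATA_DIR")" || return 1
    "$DPC_CMD" start
}
```

With the guide's defaults, source the script and run dpc_backup /backup/dpc, then later dpc_restore /backup/dpc/dpc-<timestamp>.tar.gz, in a shell that has the sudo privileges the guide's own commands require. The guide's sequence backs up without stopping the application; if Data Protection Central is actively writing under /var/lib/dpc, stopping it with the same control script before dpc_backup and starting it afterwards gives a consistent copy.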

Embedded component usage

Learn about Data Protection Central embedded component usage.

To locate Data Protection Central OSS third party software, use the /usr/local/dpc/licenses folder. This folder contains the oss-ship-manifest.xls file, which specifies the license information. The End User License Agreement (EULA) is also in this folder.
