User Administration and Security Management

ECX provides users the opportunity to rapidly locate files and objects on DellEMC, IBM, NetApp, and Pure Storage FlashArray devices along with VMware ESXi, Oracle, and SQL hosts. ECX then stores this information so you can report on it. The reports provide a basis for users to take administrative actions towards efficient management of the DellEMC, IBM, NetApp, and/or Pure Storage FlashArray storage devices, along with VMware, Oracle, and SQL hosts and resources.

ECX security objectives are:

  • Identify and authenticate users prior to providing any of its services.
  • Ensure all functions are authorized.
  • Protect confidentiality of DellEMC, IBM, NetApp, Pure Storage FlashArray, VMware, Oracle, and SQL server credentials by encrypting them when stored and in transit.
  • Prevent bypass of and tampering with its security functions through perimeter hardening and use of secure transmission protocols.

Note that ECX uses FIPS-compliant encryption algorithms.

Identification and Authentication

All services require some form of authentication.

Users are uniquely identified by entering a user name and password. System Administrators have the option of adding native users or importing groups of provisioned users through LDAP authentication. Native user names are not case sensitive. LDAP user name case sensitivity relies on the configuration of your LDAP server.

User Data Security

ECX employs role-based access control to provisioned users:

  • Native users or members of imported LDAP groups are assigned to roles.
  • Roles contain collections of permissions that allow access to ECX functionality.

Sensitive data is encrypted when stored.

Data in transit is also protected. ECX protects the confidentiality of the user and system credentials. Sensitive data is encrypted or transported using SSL and HTTPS. The user login is protected via HTTPS for browser client to ECX server login, and via LDAP/S for communication with the LDAP directory server. For backend processes, protection is secured via HTTPS authentication to the storage system and ESXi.

ECX identifies the following types of sensitive data: native user credentials, DellEMC, IBM, NetApp, and Pure Storage FlashArray storage system credentials, VMware/ESX host credentials, and user credentials.

Security Management

Security management identifies the interfaces that manage the security functions in the ECX application. Only an authenticated, authorized user can configure the security functions. Examples of security management include adding users, assigning roles, configuring ECX to use LDAP, and configuring ECX to use HTTPS. Following are the security management functions in ECX:

  • Adding, editing, and deleting a user
  • Assigning roles to a user
  • Configuring authentication mode
  • Configuring LDAP
  • Importing certificates
  • Configuring HTTPS

Management and Operation Functions

Management and operation functions include session timeout, logon credentials, and the role-based access control mechanism:

  • The session timeout specifies the time-out period assigned for the application in minutes. If the user does not refresh or request a window within the time-out period, the session ends automatically. Session timeout is set for 30 minutes and cannot be changed.
  • Users are uniquely identified by entering a user name and password.
  • Role-based access control is employed. Once a user is added to ECX, either as a native user or imported as part of an LDAP group, the user is assigned to specified resource pools and roles.

Encryption

ECX provides encryption solutions for complete security. The solution includes certificates, use of HTTPS, and safe storage of passwords in the database. Sensitive data in transit is encrypted or transported using SSL and HTTPS. User credentials such as passwords are safely stored in the ECX database. Obtaining and storing this sensitive data constitutes the basic function of the ECX application. This data is subject to the user data security requirements.

Ports

The following ports are used by ECX:

| Port | Service | Comment |
|------|---------|---------|
| 22 | OpenSSH 5.3 (protocol 2.0) | Port open within the firewall. |
| 25 | smtp, non-SSL connection for Simple Mail Transfer Protocol | Service used by ECX |
| 68 | bootpc in DHCP clients, DHCP Listener UDP | |
| 80/443 | http/https | Service used by ECX |
| 389 | LDAP, non-SSL connection for Lightweight Directory Access Protocol | Service used by ECX |
| 443 | smtp, SSL connection for Simple Mail Transfer Protocol | Service used by ECX |
| 636 | LDAP, SSL connection for Lightweight Directory Access Protocol | Service used by ECX |
| 1433 | sql, SQL Service | Service used by ECX |
| 4369 | epmd, Erlang port mapper | Service used by ECX |
| 5432 | postgresql, PostgreSQL DB 8.4.1-8.4.4 | Service used by ECX |
| 5480 | ssl/http, vami | Port open within the firewall, ECX versions 2.5 and earlier |
| 5985 | WinRM, Windows Remote Management | Service used by ECX |
| 6123 | DPX Master Server | Service used by ECX |
| 8090 | adminconsole, ECX Administrative Console | Port open within the firewall |
| 8092 | adminconsole, ECX Administrative Console | Port open within the firewall, ECX version 2.6 only |
| 8443 | ssl/http, Apache Tomcat/Coyote JSP engine 1.1 | Port open within the firewall |
| 8761 | Discovery Server | Service used by ECX. Locates registered micro services. |
| 27017 | MongoDB mongod | Service used by ECX |
| 27018 | MongoDB mongod | Service used by ECX |
| 55672 | rabbitMQ, RabbitMQ administrative | Service used by ECX |
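One way to check a running appliance against the port table above, as an added example that is not Catalogic's code: it parses `ss -tlnH` output and flags listeners missing from the table, cleartext services (http and the entries marked non-SSL), and backing services bound to a non-loopback address. The sample output is constructed, and treating ports 4369, 5432, 8761, 27017, 27018 and 55672 as local-only is an assumption of this example, not a statement from the page.

```python
import ipaddress

# "Port open within the firewall" rows (5480: ECX 2.5 and earlier, 8092: 2.6 only).
FIREWALL_OPEN = {22, 5480, 8090, 8092, 8443}
# "Service used by ECX" rows; 68 is UDP and is not covered by a TCP listener check.
ECX_SERVICES = {25, 80, 389, 443, 636, 1433, 4369, 5432, 5985, 6123,
                8761, 27017, 27018, 55672}
DOCUMENTED = FIREWALL_OPEN | ECX_SERVICES
# Rows the table describes as http or non-SSL.
CLEARTEXT = {25, 80, 389}
# Assumption of this example: data stores, broker and discovery are local-only.
BACKING = {4369, 5432, 8761, 27017, 27018, 55672}

# Constructed sample of `ss -tlnH` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:8443 [::]:*
LISTEN 0 128 *:27017 *:*
LISTEN 0 100 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:9999 0.0.0.0:*
LISTEN 0 128 [::1]:55672 [::]:*
"""


def audit_listeners(ss_output):
    """Return sorted (port, finding) pairs for `ss -tlnH`-style output."""
    findings = set()  # a set so IPv4/IPv6 duplicates of one port collapse
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port_text = fields[3].rpartition(":")
        port = int(port_text)
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        loopback = host != "*" and ipaddress.ip_address(host).is_loopback
        if port not in DOCUMENTED:
            findings.add((port, "not in the documented port list"))
        elif loopback:
            continue  # documented and reachable only from the host itself
        elif port in CLEARTEXT:
            findings.add((port, "cleartext service reachable off-host"))
        elif port in BACKING:
            findings.add((port, "backing service bound to non-loopback address"))
    return sorted(findings)


if __name__ == "__main__":
    for port, finding in audit_listeners(SAMPLE_SS):
        print(f"{port}: {finding}")
```
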

 


Catalogic ECX™ 2.6

© 2017 Catalogic Software, Inc. | All rights reserved. | 6/12/2017
