Symmetrix access control: When unique is everything but unique

By Renegade on Friday 2 October 2009 10:22 - Comments (2)
Categories: SAN, Storage, Symmetrix, Views: 5.392

So, you've got a million dollar storage box standing there and want to make sure that it's secure? Sure thing you want to do that! And you ask your vendor "What can I do?". One of the replies could be to use access control lists or ACL's. And all is great. Or is it?

From what I have heard, very few EMC customers in Europe tend to use ACL's on their Symmetrixes. Perhaps even for a good reason?

If you take a look at the documentation on Powerlink you can find some technical papers on Symmetrix Access Control, and the papers will state (among others) the following:

Today, anyone with access to Symmetrix-based management software can execute any function on any Symmetrix device. Many product applications such as EMC® ControlCenter™, TimeFinder®, SRDF®, Optimizer®, Resource View, Database Tuner, and various ISV products can issue management commands to any device in a Symmetrix® complex. Open systems hosts can manipulate mainframe devices, Windows hosts can manipulate UNIX data, and vice versa.

Shared systems, such as these, may be vulnerable to one host, accidentally or intentionally, tampering with another’s devices. To prevent this, the symacl command can be used by an administrator of the Symmetrix storage site to set up and restrict host access to defined sets of devices (access pools) across the various Symmetrix arrays.

Now, I have to admit that this info is from an older version of this guide, but the same is still true for the most part. You can change to in-band or out-of-band management, you can use the Symmetrix Management Console, but as soon as you install Solutions Enabler on a client connected to the storage box, you more or less open up a world of possibilities on said client.

Usually you don't want that, so why not implement some restrictions? symacl is just the thing for that! Normally I would create an access pool, in which I define permission to a host to perform certain Solutions Enabler functionality or commands on a specified set of devices. These sets of devices are referred to as access pools.

Now, once I have set up these access pools, I can assign single clients or groups of clients to these pools. I do that by creating access control groups. These contain unique access IDs and names, and are assigned to hosts and sorted into access control groups.

So now I have one (or more) clients that I allow a certain piece of functionality or a certain (set of) command(s). In order to uniquely identify my client, I can run the following Solutions Enabler command:

symacl -unique

and will receive an output similar to this:

The unique id for this host is: 254A30A9-54319DC0-8A476069

Now that we have the unique host id, we can add the id to the configured access group via a command file using the normal preview, prepare and commit routine. After that, you should be good to go.

And that is where things can get nasty.

As we have found out the hard way, a unique host id is not necessarily unique. We have had occasions where we had multiple hosts with the same unique host id on the same Symmetrix. Fortunately, the DMX is so confused at that point that it won't allow any of the hosts to access the configured devices - and normally your masking and zoning provide some extra protection - but it is still a nasty thing that can happen.

That brings us to the second point. The unique host id can change. EMC will not tell you what changes influence the generation of the unique host id, but for example a change of FC-HBA will cause the unique host id to be changed. On Windows, there are versions of Solutions Enabler where a change in the NetBIOS stack seems to cause this change. Now you might think that you can check what unique host id was configured in the access group, but you would be wrong.

Unfortunately, all the unique host id's that are entered into an access group will be encrypted/hashed by the Symmetrix, and you won't be able to retrieve the unique host id. So my advice: if you want to compare the values you entered, store them somewhere so that you at least have the option to compare the values. It can make troubleshooting a bit easier.
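One way to follow that advice, as an added example that is not from the original post or from EMC: a small shell inventory that records each host's `symacl -unique` id before it goes into an access group, and reports when a host's id has changed or matches another host's. The inventory path and the function names are assumptions; the output line it parses is the one shown above.

```shell
#!/bin/sh
# Added example. INVENTORY and the function names are assumptions, not EMC tooling.
# Inventory format: host<TAB>unique-id<TAB>date-recorded (append-only history).
INVENTORY="${INVENTORY:-./symacl_unique_ids.tsv}"

# Read `symacl -unique` output on stdin and print only the id, upper-cased.
parse_unique_id() {
    sed -n 's/^The unique id for this host is: *\([0-9A-Fa-f-][0-9A-Fa-f-]*\).*$/\1/p' |
        head -n 1 | tr 'a-f' 'A-F'
}

# record_unique_id HOST ID
# Prints NEW, SAME or CHANGED:<old id>, followed by " DUPLICATE:<host>" when
# another host's most recently recorded id equals ID.
record_unique_id() {
    host=$1; id=$2
    [ -n "$host" ] && [ -n "$id" ] || { echo "usage: record_unique_id HOST ID" >&2; return 2; }
    touch "$INVENTORY"
    # Last id recorded for this host (later lines override earlier ones).
    old=$(awk -F'\t' -v h="$host" '$1 == h { id = $2 } END { print id }' "$INVENTORY")
    # Any other host whose latest recorded id is identical to this one.
    dup=$(awk -F'\t' -v h="$host" -v i="$id" '
        $1 != h { latest[$1] = $2 }
        END { for (x in latest) if (latest[x] == i) { print x; exit } }' "$INVENTORY")
    if [ -z "$old" ]; then status=NEW
    elif [ "$old" = "$id" ]; then status=SAME
    else status="CHANGED:$old"
    fi
    # Append a history line only when there is something new to remember.
    if [ "$status" != SAME ]; then
        printf '%s\t%s\t%s\n' "$host" "$id" "$(date +%Y-%m-%d)" >> "$INVENTORY"
    fi
    if [ -n "$dup" ]; then status="$status DUPLICATE:$dup"; fi
    echo "$status"
}

# On a real host, run this before the id is added to an access group:
#   record_unique_id "$(hostname)" "$(symacl -unique | parse_unique_id)"
```

A `CHANGED` result after an HBA swap or a Solutions Enabler update tells you the access group still holds the old id; a `DUPLICATE` result is the collision case described earlier.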

Just as a hint, there is also a way to create static unique host id's, which are unaffected by hardware and software changes. Should you need it, ask your EMC support and refer to Powerlink ID emc198823. They should be able to give you a solution with that ID number. :)

A last word of advice. If you are working with ACL's and changing stuff, please make sure you back up your access logix database before you start with the changes. It might be a good idea to implement that as the first step in any scripts you might create.

ACL's are not a bad thing. They can increase your (sense of) security. However, the way it was implemented in the Symmetrix environment leaves a bit to be desired, and troubleshooting issues can be a pain if you are not aware of the fact that the unique host id's aren't always unique.



By Tweakers user Battle Bunny, Friday 2 October 2009 15:47

I've been reading these blogs of yours for a while now, interesting material :)

I'm wondering, though, what kind of device(s) do you have there?

By Tweakers user Renegade, Friday 2 October 2009 15:52

Thanks for the compliment. :)

Are you talking storage wise? We've got loads of EMC stuff flying around (think DMX, V-Max, Celerra, CX), we have NetApp, HDS and HP. Probably even some that I don't know about. :P :+
