Professional Documents
Culture Documents
HP 3PAR StoreServ
Secure Service Architecture
Table of contents
Executive summary ...................................................................................................................................................................... 2
Features of HP 3PAR SSA ........................................................................................................................................................ 2
HP 3PAR Secure Storage Architecture ...................................................................................................................................... 2
Separation of storage .............................................................................................................................................................. 2
Service processor .......................................................................................................................................................................... 3
Diagnostic services ................................................................................................................................................................... 3
Periodic data collection............................................................................................................................................................ 4
Event data collection and analysis ........................................................................................................................................ 5
STaTS ........................................................................................................................................................................................... 6
HP 3PAR Central Secure Service Collector Server ............................................................................................................. 6
No single point of failure ......................................................................................................................................................... 7
Secure service transmission ....................................................................................................................................................... 7
HTTPS .......................................................................................................................................................................................... 7
HP 3PAR Certificate of Authority ........................................................................................................................................... 7
Network address translation .................................................................................................................................................. 8
HP 3PAR StoreServ network port assignmentsNode................................................................................................... 8
HP 3PAR StoreServ network port assignmentsSP........................................................................................................ 9
Data transfer service selection................................................................................................................................................... 9
Moment of Birth ........................................................................................................................................................................ 9
Secure Site .................................................................................................................................................................................. 9
Common computing evaluation .......................................................................................................................................... 10
Customer controlled access setting ................................................................................................................................... 11
HP 3PAR Policy Server ........................................................................................................................................................... 11
Pre-stage HP 3PAR software components on HP 3PAR Service Processor .............................................................. 12
HP 3PAR Service Processor status indications ..................................................................................................................... 12
SPOCC website ......................................................................................................................................................................... 12
HP 3PAR Service Processor SSH port 22 menu ............................................................................................................... 13
Frequently asked questions...................................................................................................................................................... 13
Terminology ................................................................................................................................................................................. 14
Executive summary
HP 3PAR StoreServ Storage arrays are rapidly being adopted into many secure IT data centers. With this adoption, comes
the need for customers to rely on HPs ability to securely provide a proven secure communication service and architecture
between the HP 3PAR Systems and the HP 3PAR Central remote monitoring facility.
The HP 3PAR Secure Service Architecture (SSA) provides this secure service communication architecture by providing a path
to communicate secure diagnostic data transmissions and remote service connections where enabled.
Secure communication between the customer site and HP 3PAR Central is paramount in ensuring timely and accurate
data collection of diagnostic data. Data, which is captured is stored and constantly reviewed using advanced tools within
HP 3PARs diagnostic center. These tools can provide advanced warnings on any issues which may arise with a customers
HP 3PAR array and allow HP 3PAR Central to notify customers of a pending issue. Customer data stored on the array in the
form of a virtual volume is never collected or accessible by HP 3PAR SSA.
Remote monitoring is an important feature of the HP 3PAR StoreServ Storage System solution. 1 It enables HP to detect,
analyze, and proactively resolve any issues and to provide the best customer experience.
1
2
h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-3528ENW&cc=us&
h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-2044ENW&cc=us&lc=en
Service processor
The HP 3PAR Service Processor is an important component of the HP 3PAR StoreServ array. The HP 3PAR Service Processor
serves as a communications interface within the customers IP network environment for all service related communications
to and from the HP 3PAR StoreServ array.
The HP 3PAR Service Processor deploys the SPOCC software, which is a suite of service tool applications which provide a
web-based user interface for support of the HP 3PAR Service Processor and the HP 3PAR StoreServ array.
The SP OS is built on top of a Linux distribution that has been stripped down to contain only those packages which are
required to be included in the SP release. Remote login is a form of SSH and HTTPS (SPOCC), this capability can be controlled
or disabled. In the case where it is disabled, access is available via a serial cable. Additional hardening is enforced by the
application suite including an iptables packet filter and the customers ability to harden their network environment.
Diagnostic services
Diagnostic services is the process whereby the HP 3PAR Service Processor accumulates diagnostic data from the HP 3PAR
StoreServ array and periodically transmits the data over a secure network communication to HP 3PAR Central. Diagnostic
data, which is received is scanned to ensure proper health of the array during the collection period. Any abnormalities found
would be followed up by further troubleshooting and possible dispatch of field personnel to remedy any diagnosed
inconsistencies.
All customer-authorized remote service connections, as shown in figure 2, to a customer HP 3PAR StoreServ array will
leverage the HP 3PAR Service Processor as the connection point. All array service actions are directed through the HP 3PAR
Service Processor. It should be noted that in the below example, the connection is enabled by the customer to allow remote
access to HP Technical Services.
All diagnostic data that is captured on the HP 3PAR Service Processor is sent to HP 3PAR Central for further processing,
data includes:
System health information
Configuration data
Performance data
System events
Note
It is important to clarify that data collected by the SSA is only diagnostic data, all user data is safe and never accessible to
the collection agents used by the SSA. End user data stored on the array itself is not collected, and is not visible to the
support engineer.
Event analysis for events which occur on the HP 3PAR StoreServ Array is aided by an internal process which runs on the
HP 3PAR Service Processor and at HP 3PAR Central. The tool identified as FAST or Fault Analysis Support Tool as shown in
figure 4 uses a complex set of rules to determine the severity of the event which occurred on the HP 3PAR StoreServ Array.
Analytics run on the HP 3PAR Service Processor contains a set of rules, which can help determine the severity of the event.
As an example, a physical disk within the array reports a read error on a particular block of data. Through the normal
operations on the HP 3PAR StoreServ array, the user would not be notified of this event since these events can be a
common day event. The FAST rules set would note this event on the HP Service Processor and forward it to HP 3PAR
Central. HP 3PAR Central using FAST Analytics would also note this event but also look for event history within the HP 3PAR
STaTS database (covered in next section). FAST at HP 3PAR Central would see over the past three days the HP 3PAR
StoreServ array has recorded 10 of these events.
Identifying that there have been 10 of these events in 3 days and comparing this against the rules database at HP 3PAR
Central would result in an actionable event in which the physical disk should be replaced as a precautionary measure.
Figure 4. FAST Analytics
STaTS
Data collected via the HP 3PAR SSA is stored in a central repository known as STaTS. STaTS allows authorized HP Technical
Service personnel access to historical performance, event, and configuration data from customers HP 3PAR StoreServ arrays.
Figure 5 illustrates the data flow for the HP 3PAR Service Processor and HP 3PAR Central.
Figure 5. STaTS database
The HP 3PAR Central Secure Service Collector Server (discussed in a later section) is the main interface between the users
HP 3PAR Service Processor and HP 3PAR Central. Files received via a secure HTTPS connection are forwarded onto a
number of file watch servers. These servers identify information, which has been passed onto them and marks them for
processing. In the example above we have event data, performance data, and administrative data.
Different data collections will result in different actions, a failed physical disk drive will raise a service alert, while heartbeat
information from a remote HP 3PAR Service Processor will just be logged to keep track that the remote site is correctly
connecting and sending data. Data which is stored within the STaTS database can only be accessed by securely
authenticated and authorized HP employees; these may be members of the HP Technical Services organization and
Storage Solution Architects.
The HP 3PAR Secure Service Collector Server communicates with the customers HP 3PAR StoreServ Service Processor
through an HTTPS connection. All communications are initiated, controlled and driven by the SP in the field. The Collector
Server never initiates the communication, it just responds to the communication from the SP. Figure 5 illustrates the
connection point between the SP and internal servers within HP 3PAR Central. All data transmissions are done through
secure communication and no clear text data is ever sent. All data transferred is dependent upon using a Certificate of
Authority issued by HP 3PAR and a secure cipher. Ciphers used in data transmission include, aes256-ctr, aes192-ctr,
aes128-ctr, arcfour256, aes256-cbc, aes192-cbc, and aes128-cbc.
The data transfer between the HP 3PAR Service Processor and HP 3PAR Central is accomplished in a secure fashion and
employs the following standards.
Data transmission between customer site and HP 3PAR Central use HTTPS and are secure
HP 3PAR Service Processor initiates all communications in an outbound manner
Data authentication at HP 3PAR Central uses a Certificate of Authority authenticated by VeriSign
Data is not transferred in clear text
This paper is intended to brief the user on methods used by HP 3PAR to secure data transfer, any secure protocols used in
the secure transfer are beyond the scope of this paper.
To manage these CAs, HP 3PAR includes four tools within the HP 3PAR StoreServ OS by which the user may manage their
own CAs.
CretecertAllows the creation of a self-signed certificate or a certificate signing request
ImportcertOnce the user has a signed CSR, it and CA are imported with the Importcert command
ShowcertDisplays a table of certificate metadata and their uses
RemovecertClears out unused certificates
Port
Use
22
SSH daemon (required) communication between SP and HP 3PAR StoreServ array as well as optional use for end-user
CLI (listener)
123
161
SNMP agent (optional) communications between third-party SNMP manager and HP 3PAR SNMP agent (listener)
162
SNMP trap origination (optional) source port for unsolicited SNMP traps to third-party SNMP manager (source)
427
5781
Event consumer interface (required) communication between SP and HP 3PAR StoreServ array as well as some
RM/VM/VASA event logic is used (listener)
5782
CLI unsecured (optional) provides plain text access to the CLI if end user chooses to use it
5783
CLI secured with TLS (required) encrypted access to CLI, SP to HP 3PAR StoreServ nodes communication as well as
end user CLI usage
5988
CIM (optional) unsecured web services access for CIM clients if customer wishes to use plain text access
5989
CIM (optional) encrypted web services access for CIM clients if customer wishes to use encrypted access
8008
8080
8443
Secure port used by Management Console in the transmission of data to and from HP 3PAR StoreServ array if
checkbox is checked at the bottom of the login screen. (Note, with the release of SSMC in late 2014, this is the
default communication protocol)
Use
22
443
123
Moment of Birth
MOB is the initialization of the SP or VSP. Independent of which SP you use, the MOB initializes and sets up the SP for
communication between the HP 3PAR StoreServ array and HP 3PAR Central. During the MOB process, the user will be
required to supply some parameters, which will be used for communication. The MOB tool is executed by HP Field Service
Personnel at the time of installation on any HP 3PAR 10000 array. On the HP 3PAR 7000 series this tool is replaced by a
Setup Wizard. Information provided in this section is used for reference in answering the pre-installation questionnaire prior
to the array installation.
Secure Site
A secure site is a site where the SP is not allowed to access the Internet as illustrated in figure 8. The SP will only have
access to the HP 3PAR StoreServ array. All other functions as to connections to HP 3PAR Central will not be connected.
Figure 8. Secure site installation
Customers who choose this option should still register their HP 3PAR StoreServ array with HP 3PAR. Once the array is
registered, customers can still utilize monitoring functions by manually uploading collected data from the SP to an
anonymous FTP site.
Customer sites, which have security policies restricting outbound connectivity between the HP 3PAR Service Processor and
HP 3PAR Central are able to maintain some limited remote monitoring by utilizing a manual transfer method. HP strongly
recommends wherever possible that customers do have their HP 3PAR Service Processor connected to HP 3PAR Central.
The specifics for this procedure are covered in a SAW article. Please refer to this article for complete instructions
HP 3PAR StorageHP 3PAR Service Processor weekly file retrieval process
Note
You have the option to disable non-encrypted ports. Common criteria evaluated installations require this. However, doing so
will disable SP event handling, Recovery Manager for VMware, SRA, and CLI connections with default parameters. Therefore,
you should only answer Yes to the below question if there is strict requirement for all connections to be encrypted as per
common computing requirements.
YesIf the user answers Yes to the question, then the HP 3PAR StoreServ array will enable encryption on all ports on
the array. The result of enabling encryption is only processes that use encryption can communicate with the HP 3PAR
StoreServ 10000. Figure 9 illustrates access by the SP to the array is blocked by the ports within the array.
NoIf the user does not enable CCE, the user will allow non-encrypted data to use the ports on the HP 3PAR
StoreServ array.
By answering No, the securing of data is left to the application level. An application level example is the use of CLI, CLI
can be transmitted in an unsecure method by using port 5782 or in a secure method by using port 5783. Identity of each
HP 3PAR StoreServ subsystem ports and their transport mechanisms was covered earlier in the paper.
Refer to the HP 3PAR InForm OS Common Criteria Administrators Reference Guide for more information. As a note, CCE is
not available on the HP 3PAR StoreServ 7000 array.
10
Processor including remote access by qualified HP 3PAR Support Personnel and allowing HP 3PAR Central to stage on the
HP 3PAR Service Processor new software updates.
Note
The Policy Server supersedes and effectively disables the CCA mechanism which was previously described. The Policy Server
gives the end user greater granularity of control and improved audit capability.
Figure 10 illustrates the implementation of the HP 3PAR Policy Server within a customer environment. The HP 3PAR Policy
Server is used in the authentication of access to the HP 3PAR StoreServ environment. The HP 3PAR Policy Server is a
licensed feature.
The HP 3PAR Policy Server supports SSL/TLS protocols and uses either port 443 or 8443 with the application. During the
installation of the policy server, it will be configured with an SSL protocol. The connection of HP 3PAR Service Processor to
the policy server is defined at the MOB on the SP. The policy server can be added any time after the SP MOB, the SP can be
changed to reflect the addition of the policy server.
The HP 3PAR Policy Server offers the following features:
Provides flexible and granular control in defining and implementing remote services access policies
Allows centralized audit for all devices being managed
Provides a secure audit log for the purpose of reporting and compliance
3
HP Document QL22696586
11
Data transmissions between HP 3PAR Central on users site uses HTTPS and secure SSL
HP 3PAR Contrail initiates request to transfer HP 3PAR OS updates
If update is authorized, HP 3PAR Central initiates handshake and Certificate of Authority Verification
Secure cipher is negotiated and software updates of the HP 3PAR Storage components are staged on HP 3PAR
Service Processor
All data is staged on HP 3PAR Service Processor, no data is communicated to HP 3PAR StoreServ array
Customer is notified of upgraded software that is pending on the HP 3PAR Service Processor
SPOCC website
The SPOCC website login page displays the status of the HP 3PAR Service Processor. The home page displays the following
information regarding both the HP 3PAR Service Processor and the HP 3PAR StoreServ array.
SP versionCurrent code version of the HP 3PAR Service Processor
HP 3PAR StoreServ OS versionCurrent version of HP 3PAR OS and notification of new version of HP 3PAR OS, which has
12
13
Terminology
MCManagement Console
SPService Processor
VSPVirtual Service Processor
RAPRemote Access Protocol
STaTSService Tools and Technical Service
HP 3PAR OSOperating System for HP 3PAR StoreServ array
MOBMoment of Birth
HTTPSHypertext Transfer Protocol Service
SSASecure Service Architecture
SPOCCService Processor Onsite Customer Care
SSHSecure Shell
FTPFile Transfer Protocol
CACertificate of Authority
CSRCertificate Signing Request
NATNetwork Address Translation
SLPService Location Protocol
SSMCStoreServ Management Console
NTPNetwork Time Protocol
CCECommon Computing Evaluation
CCACustomer Control Access
TLSTransport Layer Security
SSLSecure Sockets Layer
Learn more at
hp.com/go/StoreServ
Copyright 2011, 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only
warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should
be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Microsoft is a U.S. registered trademark of the Microsoft group of companies. Linux is the registered trademark of Linus Torvalds in the U.S. and other
countries. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions.
4AA3-7592ENW, August 2014, Rev. 1