
Security Configuration Guide

Dell RecoverPoint for Virtual Machines 6.0.1


Rev. 01
February 2024

This document provides detailed information of the security issues in RecoverPoint for Virtual Machines. Topics include:

• Revision History
• Overview
• Security certification
• Operating system and networking
• Logs
• User access control
• User authorization
• Component access control
• Communication security
• Secure administration
• Data security
• Secure serviceability settings
• Secure deployment
• Other security considerations
• Troubleshooting and getting help
• Appendix
Revision History
The following table shows the revision history of this document:

Table 1. Revision history

| Revision | Date | Description |
|---|---|---|
| 01 | February 2024 | First release of Dell RecoverPoint for Virtual Machines 6.0.1. |

Overview
RecoverPoint for VMs provides a comprehensive data protection solution for enterprise and commercial customers, providing integrated business
continuity and disaster recovery solutions to recover application data to any point in time.
This guide provides an overview of the security provisions and settings available in RecoverPoint for VMs, particularly of the operating system and the
network. This document is intended primarily for company personnel responsible for system administration and network security.

Related documents
The documents listed here provide additional information about operating and configuring RecoverPoint for VMs.
RecoverPoint for VMs documentation is available at https://www.dell.com/support. The following documents are especially relevant:
● Dell RecoverPoint for Virtual Machines Release Notes
● Dell RecoverPoint for Virtual Machines Cloud Solutions Guide
● Dell RecoverPoint for Virtual Machines Quick Start Installation Poster
● Dell RecoverPoint for Virtual Machines Installation and Deployment Guide
● Dell RecoverPoint for Virtual Machines Product Guide
● Dell RecoverPoint for Virtual Machines HTML5 Plugin Administrator’s Guide
● Dell RecoverPoint for Virtual Machines CLI Reference Guide
● Dell RecoverPoint for Virtual Machines Deployment REST API Programming Guide
● Dell RecoverPoint for Virtual Machines REST API Programmer's Guide
● Dell RecoverPoint for Virtual Machines RESTful API at https://developer.dell.com/apis.

Notes, cautions, and warnings


NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the
problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

Copyright
© 2018 - 2024 Dell Inc. or its subsidiaries. All rights reserved. Dell Technologies, Dell, and other trademarks are trademarks of
Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

Security certification
The Certification Body for the Canadian Common Criteria Evaluation and Certification Scheme (CCS) has accepted
RecoverPoint v4.4 into its certification program. The evaluation file number is 383-4-351.

FIPS 140-2 compliance
The following Federal Information Processing Standard (FIPS) 140-2 validated cryptographic modules are used in RecoverPoint for VMs:
● RSA BSAFE® Crypto-C Micro Edition (FIPS certificate 2056)
● RSA BSAFE® Crypto-J, JSAFE, and JCE Software Modules (FIPS certificate 2057)
All modules were installed according to their respective security policies.
All encrypted network connections to and from appliances use only the above FIPS 140-2 validated cryptographic modules. On
new installations, the vRPA communication security level is set to Authenticated and Encrypted by default. To make the system
FIPS 140-2 compliant, verify that the vRPA communication security level is set to Authenticated and Encrypted on all vRPAs.

Operating system and networking


The following section broadly describes the operating system and networking aspects that relate to security.

operating system
The operating system is based on a standard Debian GNU/Linux 10 distribution that has been modified according to functional
and security requirements. Unessential Debian packages were removed (for operating system hardening), required packages
were added, and the latest security updates from Debian were applied.
RecoverPoint for VMs operates Linux at runlevel 2, full multi-user mode.
All extraneous default Linux daemons were disabled to decrease the attack surface. The following daemons are running:
● connectemc
● cron
● dbus-daemon
● getty
● init
● iscsid
● ipmievd
● ntpd
● snmpd (only when the snmp agent is enabled; disabled by default)
● startpar
● sshd
● rsyslogd
● tomcat
● udev
All user space applications are started automatically when the vRPA starts up.

Security hardening of third-party components


Third-party components that are deployed as part of the operating system were hardened.

Networking
Each vRPA has these virtual network interfaces:
● local area network (LAN)
● wide area network (WAN)
● 2 data network adapters (vNICs)
Each ESXi server has the following interfaces for connectivity between the splitter and the vRPAs:
● 1 or 2 VMkernel ports

For security information related to ESXi servers, refer to vSphere Security and the vSphere Security Hardening Guide for your
version of vCenter and vSphere.

Logs
Events
RecoverPoint for VMs generates a log in response to events in the system.
To view events in the RecoverPoint for VMs vSphere Web Client, select RecoverPoint for VMs > Monitoring > Events, or use
the CLI.
To access the events using the Sysmgmt CLI, create an SSH connection to the vRPA management IP address and use your admin
username and password to log in to the Sysmgmt CLI. Then select System management CLI to open the Sysmgmt CLI.
Alternatively, if you have created a user with the sysmgmt role, use that user to log in directly to the Sysmgmt CLI.
In the Sysmgmt CLI, run the get_events_log command.

Event notification
RecoverPoint for VMs offers the following options for external notification of events:

● Email notification: The email notification (alert) mechanism sends specified event alerts to addresses when the SMTP (email) settings are enabled.
● SNMP notification: Users can configure RecoverPoint for VMs to generate SNMP traps (notifications) of system events. The MIB can be downloaded from the following location: https://www.dell.com/support
● Syslog notification: RecoverPoint for VMs uses syslog to support event notification to a remote management application.

Consider the appropriate network settings for each event notification method that you want to configure.

System internal logs


The system maintains system log files for internal use by Customer Support and technical services personnel. Use the vSphere
Web Client to collect logs, according to the detailed instructions provided in the “Troubleshooting” section of the RecoverPoint
for VMs HTML5 Plugin Administrator’s Guide. Alternatively, use SSH to log in to to automatically collect system logs from
vRPAs using FTP, or FTPS, or as a web download.

Splitter logs
Splitter logs are part of the ESXi logs. Instructions for retrieving ESXi logs using the vSphere Web Client are provided in the
“Troubleshooting” section of the RecoverPoint for VMs HTML5 Plugin Administrator’s Guide.

Audit logs
The log auditing facility captures all user actions in all user interfaces and writes them to audit logs that can be collected using log
collection.
The can be used to collect the audit logs.
The audit logs are collected as part of a full collection of vRPA logs, or can be specified for collection in a partial collection.
The following parameters are collected for each user action:
● Timestamp
● Username
● Origin IP
● Endpoint
  ○ CLI
  ○ SSH
  ○ FAPI
  ○ DAPI
  ○ Flex plug-in
  ○ HTML plug-in
  ○ New RESTful API
  ○ Installation Server
The collected audit logs can be found under home/kos/auditlog in the log collection archive.
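
A review pass over collected audit records, as an added example that is not part of the Dell guide: it flags direct access (SSH, CLI) from hosts outside the management network, and commands that this guide lists as needing the Security permission. The guide does not document the file layout under home/kos/auditlog, so the pipe-delimited records, the addresses, the usernames and the function names below are constructed for illustration.

```python
import csv
import io
import ipaddress

# Endpoint values listed in this guide; SSH and CLI are the direct-access
# paths, the others go through plug-ins, APIs or the installation server.
DIRECT_ENDPOINTS = {"CLI", "SSH"}

# Commands this guide describes as requiring the Security permission.
SECURITY_COMMANDS = {
    "add_user", "remove_user", "set_user", "unlock_user",
    "add_role", "modify_role", "remove_role",
    "config_ldap", "clear_ldap_configuration", "test_ldap_connection",
    "set_security_level", "regenerate_encryption_keys",
}

# Constructed sample (assumed layout, not the product's file format):
# timestamp|username|origin IP|endpoint|action
SAMPLE = """\
2024-02-12T08:01:10Z|admin|192.0.2.10|HTML plug-in|get_events_log
2024-02-12T08:14:52Z|opsuser|192.0.2.21|SSH|get_users
2024-02-12T23:40:03Z|admin|198.51.100.7|SSH|add_user
2024-02-12T23:41:30Z|admin|198.51.100.7|CLI|set_security_level
2024-02-13T09:05:00Z|secops|192.0.2.10|New RESTful API|unlock_user
"""


def parse_audit(text):
    """Turn pipe-delimited audit lines into dicts; reject malformed lines."""
    records = []
    reader = csv.reader(io.StringIO(text), delimiter="|")
    for lineno, row in enumerate(reader, 1):
        if not row:
            continue  # blank line
        if len(row) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(row)}")
        when, user, origin, endpoint, action = (cell.strip() for cell in row)
        records.append({
            "time": when,
            "user": user,
            "origin": ipaddress.ip_address(origin),  # ValueError if not an IP
            "endpoint": endpoint,
            "action": action,
        })
    return records


def review(records, mgmt_networks):
    """Return (kind, record) findings worth a human look."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for rec in records:
        words = rec["action"].split()
        command = words[0] if words else ""
        from_mgmt = any(rec["origin"] in net for net in nets)
        if rec["endpoint"] in DIRECT_ENDPOINTS and not from_mgmt:
            findings.append(("direct-access-outside-mgmt-net", rec))
        if command in SECURITY_COMMANDS:
            findings.append(("security-change", rec))
    return findings


if __name__ == "__main__":
    # 192.0.2.0/24 stands in for the management network (assumption).
    for kind, rec in review(parse_audit(SAMPLE), ["192.0.2.0/24"]):
        print(kind, rec["time"], rec["user"], rec["origin"],
              rec["endpoint"], rec["action"])
```
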

User access control


RecoverPoint for VMs is designed to be accessed via the vSphere Web Client. When a user is authenticated with vCenter Single Sign-On, that user
can access all installed vCenter services to which the user has been granted access. In addition, through the vSphere Web
Client plug-in, the user will have admin access to manage RecoverPoint for VMs.

Access to vSphere plugin


The vCenter administrator controls whether a vCenter user shall be able to use the RecoverPoint for VMs vSphere HTML5
plugin.
To use the plugin, you must have the Manage custom attributes privilege (Global.Manage custom attributes) on the vCenter.
The vCenter administrator can disable use of the plugin for any user by removing this privilege for that user. In that case, the
system prevents you from doing anything through the plugin (and new RESTful API).

User access methods


This section describes the user interfaces to RecoverPoint for VMs.
RecoverPoint for VMs is designed to be accessed using the vSphere plug-in. Direct access to RecoverPoint for VMs has not, however, been disabled in this version. The
security aspects of the following direct-access methods are discussed below.

● Admin CLI: The Admin CLI is a keyboard-interactive tool that allows you to modify and manage existing vRPA configurations, and test and diagnose the settings and connectivity of those configurations before and after they are attached to RPA clusters. Use SSH, with admin user and password, to access the Admin CLI.
● Sysmgmt CLI: The Sysmgmt CLI provides a command-line interface for nearly all the functions that are needed to manage the system. It is useful for creating and running automated scripts. Alternatively, if you have created a user with the sysmgmt role, use that user to log in directly to the Sysmgmt CLI.
● REST API: The REST API exposes a simple application programming interface that allows developers to integrate with their own applications and to write scripts that automate operations.

User authentication
Each user is defined by a username, a password, and a single role. A role is a named set of access permissions. By assigning a
role to users, the users receive all the access permissions that are defined by the role.
RecoverPoint for VMs provides two independent mechanisms for authenticating direct access of users: vRPA-based authentication and authentication
via the organization’s LDAP (Lightweight Directory Access Protocol) server. The two authentication mechanisms can be used
simultaneously or vRPA-based authentication can be used exclusively.

Predefined users
The vRPA is shipped with the admin user already defined:

Table 2. Predefined users for new installs

| User | Role | Initial Password | Permissions |
|---|---|---|---|
| admin | administrator [a] | admin [b] | Array Configuration; Boxmgmt; Data Transfer; Failover; Group Clear Settings; Group Configuration; Splitter Configuration; System Configuration; Target Image; SE; Security; Upgrade; View; Web Download |

a. The administrator role has all access permissions.
b. The admin user password serves as password also for the root user.

NOTE: The following predefined users are removed when upgrading to 5.3.x:

● security-admin
● boxmgmt
● SE
For new installs, the admin user cannot be removed.
It is always recommended that you change initial default passwords, whether your system is a new install or an upgrade from a
version earlier than 5.2.
You must set the admin password (which is also the root password) during installation.
If, for any reason, you need to change a password, follow this procedure:
1. Create an SSH connection to the vRPA management IP address, using your admin username and password to log into the
Boxmgmt CLI. Then select System management CLI to open the Sysmgmt CLI.
Alternatively, if you have created a user with the sysmgmt role, use that user to log in directly to the Sysmgmt CLI.
2. In the Sysmgmt CLI, run the set_password command to change the password for the current user, or run the set_user
command to change the password of another user, if your user role includes the security permission.
Only users with security permission can add users, and can remove and edit permissions for users that have previously been
added.

Changing the root password


For best system security, you must replace the default password for the root user with a strong password that is unique to your
system.

Steps
● You change the root password whenever you change the admin password. You must replace the default admin password
(and, hence, the default root password) as part of the procedure for installing new vRPA clusters for RecoverPoint for
VMs. Follow the password policy of your organization to set a strong admin password. This admin password serves also as
the root password across the vRPAs in your system, and changing the admin password is the only authorized method for
changing the root password. If you change the root password by any other method, the password change is not persistent,
and the admin password overwrites the new password.
CAUTION: If, however, you have upgraded your system from RecoverPoint for VMs 5.1.1.4, you could still be using
the default admin (and root) password. If so, run the procedure to change the admin password, as detailed in the
previous section.

Security permission
Making changes to users, roles, security levels or configuring LDAP requires the security permission. For a new install of RecoverPoint for VMs, the
predefined admin user has security permission. In systems upgraded from 5.1.x, the predefined security-admin user is granted
this permission. It is possible to grant this permission to additional users and to remove the security-admin user.

You cannot edit roles or permissions for the predefined boxmgmt, SE, or admin user, or for the user you are currently logged in
as. You can create a new user with security role to edit security-admin. You cannot delete a role that is currently assigned to a
user.

Configuring local users


Use CLI commands to configure local users. You must be logged into the Sysmgmt CLI to use the CLI commands.
Perform the following steps to access Sysmgmt CLI to run the CLI commands:
1. Create an SSH connection to the vRPA management IP address.
2. Enter your admin username and password to log in to the .
3. Select System management CLI to open the Sysmgmt CLI.
Alternatively, if you have created a user with the sysmgmt role, log in directly to the Sysmgmt CLI.
The following CLI commands can be used to add, delete, modify, or view users and passwords:

Table 3. Permissions for CLI commands used for configuring local users
CLI command Permissions required
add_user Security
get_users View
remove_user Security
set_password Users can set only their own password.
set_user Security

Configuring LDAP-based authentication


Configure LDAP-based authentication for RecoverPoint for VMs using CLI commands.

Prerequisites
For RecoverPoint for VMs to be able to work with an LDAP server, vRPAs must have access to either the LDAP port (by default, TCP port 389) or the
LDAPS port (by default, TCP port 636) on the LDAP server.
The following best practices are highly recommended when using LDAP authentication:
● Assign the least possible permissions to the Bind Distinguished Name; namely, Read All Properties and List Content
permissions for Search Base and its child objects only.
● Use LDAP over SSL (LDAPS). The LDAP protocol sends passwords over the network in plaintext. Using SSL avoids this
issue.
● Avoid using the term "admin" in the username (for example, "myname.admin").

About this task

NOTE: The RecoverPoint for VMs implementation of LDAP does not support Kerberos authentication.

For detailed instructions on the use of each of the CLI commands, see the User Commands chapter of the CLI Reference Guide.

Steps
1. Create an SSH connection to the vRPA management IP address.
2. Enter your admin username and password to log in to the .
3. Select System management CLI to open the Sysmgmt CLI.
NOTE: If the user is configured with the sysmgmt role, log in to Sysmgmt CLI directly.

4. Run the following commands to configure LDAP authentication:

Table 4. Permissions for CLI commands used for LDAP authentication
CLI command Permission required
clear_ldap_configuration Security

config_ldap Security

get_ldap_configuration View

test_ldap_connection Security

Local users' security level


Upon deployment of your RecoverPoint for VMs system, the Local users' security level is set by default to Basic. It is
recommended to change the Local users' security level to High to meet relevant security standards, such as those of the US
Department of Defense Security Technical Implementation Guides (DoD STIG).

● High: User passwords to access the vRPA must have eight characters, and they can only be reset once in 24 hours. At least two characters must be lower case, at least two must be upper case, and at least two must be non-alphabetical (either digits or special characters). All user passwords expire in 90 days; the same password cannot be reused until at least ten other passwords have been used. After changing the Local users' security level to High, all users must change their password the next time they log in to the system.
● Basic: User passwords to access the vRPA must have a minimum of five characters.

NOTE: Keep passwords in a place where they are secure and available to you.

The command-line interface (CLI) command set_security_level can be used to change the Local users' security level.
Regardless of the security level, any user who tries unsuccessfully three times to log on will be locked out. To unlock the user,
use the CLI command unlock_user. Only users with security permission can unlock a user.
When adding a cluster or vRPA to an existing cluster, the added cluster or vRPA receives the security settings (Local users'
security setting = [ Basic | High ]) of the existing cluster.
Password restrictions are implemented at the application level, not at the operating system level.
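
An operator-side pre-check of the High level rules described above, as an added example that is not Dell code: it validates a candidate password before it is submitted with set_password or set_user. The product enforces the policy itself; the Account record, the function names and the sample passwords are hypothetical, and "eight characters" is read here as a minimum length.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Values stated in this guide for the High security level.
MIN_LENGTH = 8                      # assumption: treated as a minimum
MIN_LOWER = MIN_UPPER = MIN_NON_ALPHA = 2
MAX_AGE = timedelta(days=90)        # passwords expire in 90 days
RESET_INTERVAL = timedelta(hours=24)  # one reset per 24 hours
HISTORY_DEPTH = 10                  # ten other passwords before reuse


def _digest(password, salt):
    # Keep only salted digests of old passwords, never the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    """Hypothetical record kept by the operator, not a product structure."""
    name: str
    last_changed: datetime
    history: list = field(default_factory=list)  # (salt, digest), newest last

    def remember(self, password, when):
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))
        self.last_changed = when


def complexity_problems(password):
    """List the High-level composition rules the password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if sum(c.islower() for c in password) < MIN_LOWER:
        problems.append(f"fewer than {MIN_LOWER} lower-case characters")
    if sum(c.isupper() for c in password) < MIN_UPPER:
        problems.append(f"fewer than {MIN_UPPER} upper-case characters")
    if sum(not c.isalpha() for c in password) < MIN_NON_ALPHA:
        problems.append(f"fewer than {MIN_NON_ALPHA} non-alphabetical characters")
    return problems


def reused(account, password):
    """True if the password is among the last HISTORY_DEPTH ones used."""
    recent = account.history[-HISTORY_DEPTH:]
    return any(hmac.compare_digest(_digest(password, salt), digest)
               for salt, digest in recent)


def is_expired(account, now):
    return now - account.last_changed >= MAX_AGE


def check_change(account, new_password, now):
    """Return every reason the change would be refused (empty list = OK)."""
    problems = complexity_problems(new_password)
    if now - account.last_changed < RESET_INTERVAL:
        problems.append("password was already reset within the last 24 hours")
    if reused(account, new_password):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    start = datetime(2024, 2, 1, 9, 0)
    acct = Account("opsuser", start)
    acct.remember("abCD12xy", start)          # constructed sample password
    print(check_change(acct, "abcdefgh", start + timedelta(hours=1)))
    print(is_expired(acct, start + timedelta(days=90)))
```
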

Recovering forgotten passwords


Steps
● If users forget their passwords, a user with security privilege can reset the password.
● If all users with security role privilege have forgotten their passwords, contact Customer Support.
Local access may be required.
NOTE: Keep passwords in a place where they are secure and available to you.

User authorization
User authorization grants or denies users access to resources managed by RecoverPoint for VMs. User authorization is the same whether the
user is authenticated by RecoverPoint for VMs or by the LDAP server. User authorization can be limited to specific consistency groups.
A username, a password, and a role are defined for each user. A role is a named set of access permissions. Assign a role to the
users to ensure that the users receive all the access permissions that are linked to that role. The predefined administrator role
has all the access permissions. The predefined sysmgmt role also has all the permissions, except for Web Download and SE.
The Access permissions table lists the permissions that may be assigned to a role, and the permissions that are granted or denied to a
user.

Table 5. Access permissions

| Permission | Description |
|---|---|
| Array Configuration | Manage storage arrays including automatic journal creation, remote volume autoprovisioning, and snapshot integration. |
| Storage Management | |
| Admin | Access to . |
| Data Transfer | Enable and disable access to image, and undo writes to the image access log. |
| Failover | Modify replication direction (use temporary and permanent failover), initiate failover, verify failover. |
| Group Clear Settings | To reset the system settings. |
| Group Configuration | Create and remove consistency groups, and modify all group settings except the groups that are in the Data Transfer, Target Image, and Failover permissions. A user with this permission may bookmark images and resolve settings conflict. |
| SE | Permission for use of full set of support commands, which are displayed with enable_advanced_support_commands Sysmgmt CLI command. |
| Security | All UI actions and commands dealing with roles, users, LDAP configuration, and security level. |
| Splitter Configuration | Add or remove splitters, and attach or detach splitters to volumes. |
| System Configuration | Configure and manage email alerts, SNMP, System Reports, rules, licenses, serial number, account ID, syslog, and other system configuration parameters. |
| Target Image | Enable and disable access to an image, resume distribution, and undo writes to the image access log. |
| Upgrade | Install vRPA software, vRPA maintenance, including upgrading to a minor release, upgrading to a major release, replacing a vRPA, and adding new vRPAs. |
| View | View system information. |
| Web Download | Download logs from the vRPA. |

Access permissions Admin and Web Download cannot be assigned to new roles. Every role includes the View permission by
default.

Roles and launching CLIs


The role assigned to a user determines whether the is launched when you use that user to create an SSH connection to the
vRPA.
When you use the predefined admin user, or any user with the administrator role, the opens, and its main menu includes the
System management CLI option. Use that option if you want to access the Sysmgmt CLI later.

The is launched also when using any user with the admin role. In this case, the main menu does not include the System
management CLI option.
Using a user with any other role launches the Sysmgmt CLI directly. The permissions that belong to that role determine which
Sysmgmt CLI commands the user can run. The predefined sysmgmt role has the same permissions as the administrator role,
except for Web Download and SE. Hence, if you create a local user with the sysmgmt role, you can use it to launch directly to
the Sysmgmt CLI, and run almost all the Sysmgmt CLI commands.

Authorization using command-line interface


Use Sysmgmt CLI commands to modify user permissions, and define roles.
Create an SSH connection to the management IP address, and enter your admin username and password to log in to the to use
Sysmgmt CLI commands. Then, select System management CLI to open the Sysmgmt CLI.
Alternatively, if you have created a user with the sysmgmt role, use that user to log in directly to the Sysmgmt CLI.
The following Sysmgmt CLI commands can be used to modify user permissions and define roles:

Table 6. Sysmgmt CLI commands


CLI command Permission required
add_role Security
get_roles View
modify_role Security
remove_role Security

Automatic logout from command-line interface


RecoverPoint for VMs users are automatically logged out of the CLI after 30 minutes.

Component access control


Software components on vRPA communicate with each other using a proprietary communication protocol superimposed over
the network layer, allowing access only to components that adhere to the same protocol. The splitter (on each ESXi server)
communicates with vRPA over TCP/IP.
You may choose to encrypt all communications between vRPAs and to require full authentication. This is recommended. For
details, refer to About vRPA communication security level and Changing the RPA communication security level.
During deployment, RecoverPoint for VMs requires vCenter administrator credentials. These credentials are encrypted and persist in the repository.

About vRPA communication security level


RecoverPoint for VMs supports Message Passing Interface (MPI) security for communication between vRPAs, between vRPA clusters, with storage,
and with vCenters. This feature applies to vRPA communications within the cluster and communications between clusters
over WAN (IP), but not to cluster communications over Fibre Channel. MPI security offers the following vRPA communication
security levels. To view the vRPA communication security level of each cluster in the system, log in to the CLI as user = admin
(or another user with security permission), and use the CLI command get_security_settings.

Table 7. vRPA communication security levels

| vRPA communication security level | Description |
|---|---|
| Not authenticated, not encrypted | Communication between vRPA clusters is not authenticated or encrypted. However, vRPA clusters can communicate with each other only by adhering to the proprietary protocol. |
| Authenticated and encrypted (default) | vRPA clusters use certificates to authenticate each other before communicating. All communication between vRPA clusters is also encrypted using Advanced Encryption Standard (Rijndael) with 256-bit keys. |

Changing the RPA communication security level


Procedure for changing the RPA communication (authentication and encryption) security level

Steps
1. Use an SSH client to log in to the vRPA as user = admin. From the Main menu, select Setup > Advanced Options >
Security options > Change appliance communication security level.
2. For best security (recommended), select Authenticated and encrypted. This level is the default.
If improved performance is critical, select Not authenticated nor encrypted.
When the vRPA is attached to a cluster, the security level of all vRPA clusters in the system is changed.

vCenter Server credentials


The user enters VMware vCenter Server credentials as part of deployment. The credentials allow RecoverPoint for VMs to manage replication, to
orchestrate operations, and to display VMware vCenter Server data in a RecoverPoint for VMs context.
To add additional vCenter Servers to a cluster, refer to “Adding a vCenter” in the RecoverPoint for Virtual Machines Installation
and Deployment Guide.

Accessing the plugin server


Use this procedure to enable SSH access to the plugin server.

Prerequisites
● Ensure that port 443 is open for communication with the plugin server VM and vCenter.
● Ensure that port 9443 is open for plugin server communication with the vRPAs.
● Port 22 is blocked by default. It can be opened and closed on demand.
NOTE: The plugin server does not have its own role-based access control (RBAC). Rather, use the username that you used
to register the vCenter to the plugin server to perform all the needed operations on the HTML5 plugin and the new RESTful
API.

Steps
1. Using VM console, log in to the plugin server as user root.
The default password for the root user is admin. Upon first login to the plugin server with VM console, replace this default
password with a strong unique password.
2. Stop and disable the firewall. Run:
a. systemctl stop SuSEfirewall2
b. systemctl disable SuSEfirewall2
3. Connect to the plugin server using SSH.
4. When done, re-enable and restart the firewall. Run:
a. systemctl start SuSEfirewall2
b. systemctl enable SuSEfirewall2

Regenerating encryption keys
The regenerate_encryption_keys CLI command allows a user with security permission to regenerate the system
encryption keys at any time. Perform the following steps to generate new encryption keys as required.

About this task


Regenerate encryption keys during the following scenarios:
● When there is a suspected security breach.
● When there is a communication problem such as when the WAN is down, the certificates are reset manually in each cluster.
● During a new installation, including vRPA addition or replacement, RecoverPoint for VMs automatically generates random SSH host keys. However,
if any version of RecoverPoint for VMs was previously installed on the vRPA, the SSH keys are not regenerated.

Steps
1. Enable cluster isolation mode. Use an SSH client to log in to the vRPA as user = admin. From the Main menu, select Setup
> Advanced Options > Security options > Enable/disable cluster isolation.
2. Select System management CLI to open the Sysmgmt CLI of the vRPA and run regenerate_encryption_keys.
3. Use an SSH client to log in to the vRPA as user = admin. From the Main menu, select Setup > Advanced Options >
Security options > View cluster's certificate. Copy the displayed certificate.
4. Log in to another vRPA cluster in the system: Use an SSH client to log in to the vRPA as user = admin. From the Main
menu, select Setup > Advanced Options > Security options > Change cluster certificate. Paste the certificate copied in
step 3.
5. Repeat this process for every vRPA cluster in the system that is not communicating with a cluster that has already been
updated.
6. Disable cluster isolation mode. In the Main menu, select Setup > Advanced Options > Security options > Enable/disable
cluster isolation.

Communication security
Communication security settings enable the establishment of secure communication channels between product components, as
well as between product components and external systems or components.

Supported services
The vRPA supports the following services:

Firewall: The OS runs an iptables firewall that blocks all unused ports on the machine.

SSH: Customers are encouraged to use a secure shell (SSH) when connecting to a vRPA. RecoverPoint for VMs runs OpenSSH.

Web server:
● RecoverPoint for VMs uses Apache Tomcat for HTTPS.
● RecoverPoint for VMs uses HTTPS for communication between the Management Application and the vRPAs. This communication requires authentication. All UI traffic is fully encrypted using HTTPS. It is recommended that customers provide their own security certificate.

SNMP:
● SNMP communication is only available when accessing the vRPA directly, not when accessing through the vSphere plug-in. RecoverPoint for VMs supports monitoring and problem notification using the standard Simple Network Management Protocol (SNMP).
● This includes support for SNMPv3, which adds security and remote configuration capabilities to the previous versions. The SNMPv3 architecture introduces the User-based Security Model (USM) for message security and the View-based Access Control Model (VACM) for access control. The architecture supports the concurrent use of different security, access control, and message processing models. The system supports various SNMP queries to the agent on RecoverPoint for VMs. In addition, the system can be configured so that events generate SNMP traps which are sent to designated hosts (that is, NMS servers). For more information about support for SNMP, see SNMP security.
● RecoverPoint for VMs supports the default MIB-II and, on selected platforms, hardware monitoring of the platform. The MIB can be downloaded from https://www.dell.com/support.

Transport layer security
The Secure Socket Layer (SSL) interfaces of the RPA support Transport Layer Security (TLS) protocol versions 1.1 and 1.2
(recommended). For backward compatibility, they can support TLS 1.0.

About this task


If all other products in the system with which the RPAs communicate support TLS 1.1 or higher, it is recommended that
users disable TLS 1.0 support. For details, see Knowledge Base Article 489544. Ensure that KVSS supports TLS 1.1 and 1.2 by
upgrading KVSS to the KVSS version provided with your version of RecoverPoint for VMs.
Perform the following steps to reset the minimum TLS protocol version.

Steps
1. Use an SSH client to log in to the vRPA as user = admin. From the Main menu, select Setup > Advanced Options >
Security options > Set minimum Transport Layer Security protocol version.
2. Set minimum TLS version.
3. Reboot RPA.
4. Repeat this change on every RPA at every cluster in the system.

Data network considerations


Communication between the splitter on the ESXi host and the vRPAs must be configured to be over TCP/IP.
To allow the ESXi host to communicate with the vRPA Data vNICs, create one or two VMkernel ports on each ESXi node in an
ESXi cluster that has vRPAs, protected VMs, or copy VMs. For instructions, see the Installation and Deployment Guide.
To ensure connectivity between splitters and vRPAs, open firewall ports for inbound and outbound TCP communication for each
vRPA: 5020, 5040, 5042, 5044, and 5050. These ports are opened automatically in the ESXi firewall when you register an ESXi
cluster in RecoverPoint for VMs.

Table 8. Data ports

Port 5020
Source -> Destination: splitter (on ESXi) -> vRPA Data vNIC
Protocol and description: Inbound and outbound TCP communication for each vRPA.
Effect if closed: Without communication between splitter and vRPA:
● No replication.
● No test or failover on replica side.

Port 5040
Source -> Destination: splitter (on ESXi) -> vRPA Data vNIC
Protocol and description: Inbound and outbound TCP communication for each vRPA.
Effect if closed: Without communication between splitter and vRPA:
● No replication.
● No test or failover on replica side.

Port 5042
Source -> Destination: splitter (on ESXi) -> vRPA Data vNIC
Protocol and description: Inbound and outbound TCP communication for each vRPA.
Effect if closed: Without communication between splitter and vRPA:
● No replication.
● No test or failover on replica side.

Port 5044
Source -> Destination: splitter (on ESXi) -> vRPA Data vNIC
Protocol and description: Inbound and outbound TCP communication for each vRPA.
Effect if closed: Without communication between splitter and vRPA:
● No replication.
● No test or failover on replica side.

Port 5050
Source -> Destination: splitter (on ESXi) -> vRPA Data vNIC
Protocol and description: Inbound and outbound TCP communication for each vRPA.
Effect if closed: Without communication between splitter and vRPA:
● No replication.
● No test or failover on replica side.

External ports
The external ports must be accessible to allow the cluster to communicate with servers outside the system.

Table 9. External ports

Port: ICMP echo requests
Source -> Destination: vRPA LAN vNIC -> vRPA LAN vNIC
Protocol and description:
● ICMP is required between vRPAs when connecting vRPA clusters.
Effect if closed:
● Clusters fail to connect.

Port 20
Source -> Destination: vRPA LAN vNIC -> FTP server
Protocol and description:
● Outgoing FTP communications (TCP) (output only).
● Used during installation and upgrades to download ISO image, if FTP is specified as the source; not required if
the Deployment Manager server is used as the ISO source (then HTTPs can be used).
● Can be used to upload support logs to the specified FTP server; not required if the support logs are manually
downloaded using HTTPS.
Effect if closed:
● Not possible to download ISO image or to upload logs using FTP.
● Replication not affected.

Port 20
Source -> Destination: vRPA LAN vNIC -> ESRS
Protocol and description:
● Used to register on the ESRS server.
Effect if closed:
● Not possible to register on the ESRS server.
● Replication not affected.

Port 21
Source -> Destination: vRPA LAN vNIC -> FTP or FTPS server
Protocol and description:
● Outgoing FTP communications; for system info collection only (TCP) (output only).
● Used during installation (FTP only) and upgrades (FTP or FTPS) to download ISO image, if FTP is specified as the
source; not required if the Deployment Manager server is used as the ISO source (then HTTPs can be used).
● Can be used to upload support logs to the specified FTP server.
Effect if closed:
● Not possible to download ISO image or to upload logs using FTP.
● Replication not affected.

Port 22
Source -> Destination: SSH client -> vRPA LAN vNIC
Protocol and description:
● SSH and communications between vRPAs (TCP).
● Required for CLI access to vRPAs. The source is the Management Server, the destination is the vRPA.
Effect if closed:
● No remote connection to CLI.
● Replication not affected.

Port 25
Source -> Destination: vRPA LAN vNIC -> SMTP server
Protocol and description:
● Used for sending system mail (SMTP) email alerts from vRPA, if configured (TCP) (output only).
● Used for Call Home events, if configured.
Effect if closed:
● No email alerts sent.
● No system reports sent.
● Replication not affected.

Port 53
Source -> Destination: vRPA LAN vNIC -> DNS server
Protocol and description:
● DNS (TCP, UDP).
● Used for name resolution. Only required if in the configuration, domain names are used for external servers
instead of IP addresses.
Effect if closed:
● No name resolution of remote servers, e-mail alerts, system reports.

Port 68
Source -> Destination: DHCP server -> vRPA LAN vNIC
Protocol and description:
● Used to dynamically provide IP addresses to vRPAs connecting to the network (UDP).
Effect if closed:
● vRPA will not be assigned an IP if DHCP is used.

Port 80
Source -> Destination: Browser -> vRPA LAN vNIC
Protocol and description:
● Redirecting browsers to HTTPS (TCP). Disabled by default on new installations.
Effect if closed:
● Typing the address in the URL bar without qualifying it as https:// will yield an error message.
● Replication not affected.

Port 123
Source -> Destination: vRPA LAN vNIC -> NTP server or another vRPA
Protocol and description:
● NTP (UDP).
● RecoverPoint for VMs: TCP is no longer used on this port and may be closed.
● Used for synchronizing with Network Time Protocol server.
● Used between vRPAs in a cluster for time synchronization.
Effect if closed:
● No synchronization with time server. vRPAs may show incorrect time. Event time stamps may be incorrect.
● Replication not affected, but snapshots may show incorrect times. Write-order of snapshots not affected.

Port 161
Source -> Destination: MIB Browser -> vRPA LAN vNIC
Protocol and description:
● SNMP (TCP, UDP).
● Used for SNMP notifications. Also see port 10161.
Effect if closed:
● There will be SNMP notification, but you will not be able to view or edit SNMP values.
● Replication not affected.

Port 389
Source -> Destination: vRPA LAN vNIC -> LDAP server
Protocol and description:
● LDAP (TCP) (output only).
● Used for LDAP user authentication and authorization. Only required if LDAP is configured. Also see port 636.
Effect if closed:
● No LDAP authentication (unless using SSL).

Port 443
Source -> Destination:
Browser -> vRPA LAN vNIC
vRPA LAN vNIC -> vCenter
vRPA LAN vNIC -> ESRS server
vCenter -> vRPA LAN vNIC
Plugin Server -> vRPA LAN vNIC
Plugin Server -> vCenter
Protocol and description:
NOTE: The vCenter Server port can be changed, as needed, upon deployment or when registering a new vCenter Server.
● HTTPS for management (TCP).
● Used to download vRPA logs, System Report alerts, EMC Secure Remote Services (ESRS), and communication with
third-party hardware (such as ESXs and VMs).
● Required during installation to install RecoverPoint for Virtual Machines components on vCenter.
● Required for plugin server communication with vRPAs (TCP).
● Required for plugin server communication with vCenter (TCP).
Effect if closed:
● No RecoverPoint GUI (unless port 80 using HTTP is available).
● Installation of RecoverPoint for VMs plug-in on vCenter fails.
● No RecoverPoint for VMs management using HTML5 plugin and new RESTful API.
● RecoverPoint Plugin fails.

Port 443
Source -> Destination:
vRPA LAN vNIC -> CDRS
vRPA LAN vNIC -> AWS
CDRA -> CDRS
Protocol and description:
● In RecoverPoint for VMs cloud solution (5.2.1 and later).
● HTTPS for management (TCP).
● vRPA to CDRS and AWS required for replication.
● CDRA to CDRS (Internal to Cloud DR) required for recovery to vCenter or VMware cloud on AWS.
Effect if closed:
● No replication.
● Recovery is not possible.

Port 514
Source -> Destination: vRPA LAN vNIC -> Syslog server
Protocol and description:
● Syslog (TCP, UDP) (output only).
● Used to send Syslog information to an external server. Only required if Syslog is enabled and an external server is
specified.
Effect if closed:
● System logs not available.
● Replication not affected.

Port 636
Source -> Destination: vRPA LAN vNIC -> LDAP server
Protocol and description:
● LDAP over SSL (TCP) (output only).
● Used for LDAP over SSL user authentication and authorization. Required only if LDAP using SSL is configured.
Effect if closed:
● No LDAP over SSL authentication.

Port 989
Source -> Destination: vRPA LAN vNIC -> FTPS server
Protocol and description:
● FTPS (TCP) (output only).
● Used for System Reports alerts and reporting via FTPS. Only required if FTPS alerts or reports are configured.
Effect if closed:
● No FTPS transfers.
● If system reports (SyR) is configured to transfer by FTPS, reports will not be transferred to System Reports
database.

Port 990
Source -> Destination: vRPA LAN vNIC -> FTPS server
Protocol and description:
● FTPS (TCP) (output only).
● Used for System Reports alerts and reporting via FTPS. Only required if FTPS alerts or reports are configured.
● Used for ISO download for system upgrades (5.2.1 or later).
● Used for upload of system logs (5.2.1 or later).
Effect if closed:
● No FTPS transfers.
● If system reports (SyR) is configured to transfer by FTPS, reports will not be transferred to System Reports
database.

Port 7225
Source -> Destination: vCenter plug-in GUI -> vRPA LAN vNIC
Protocol and description:
● HTTPS protocol for communicating with the functional API (TCP, UDP).
● Used by the vCenter Server plug-in running the GUI to communicate with vRPAs.
NOTE: When using vCenter linked mode, this port must be open between each vCenter Server running a RecoverPoint for
VMs vSphere plugin and each vRPA cluster managed by that plugin, regardless of whether the vCenter Server is
registered to that vRPA cluster.
Effect if closed:
● No management from vCenter Server.
● No replication.

Port 8082
Source -> Destination: Deployment Manager -> vRPA LAN vNIC
Protocol and description:
● HTTPS protocol for communication with the Installation Server (TCP).
● Used by the Deployment Manager during installation and upgrades. Deployment Manager needs to communicate
with all RPAs in all clusters. Management ports preferred, WAN ports are used as fallback.
● Used for log collection.
Effect if closed:
● No deployment tools.
● No installations or upgrades.
● Replication not affected.
● No log collection.

Port 9080
Source -> Destination: vCenter -> ESXi
Protocol and description:
● This TCP port is on ESXi hosts, for internal communication in vSphere environments. It is included in this list because
it is used by RecoverPoint for VMs for installing its splitter VIBs during system deployment, as well as post-deployment.
Effect if closed:
● No deployment of splitter VIBs during system installation.
● No deployment of splitter VIBs on additional registered ESXi clusters post-deployment.

Port 10161
Source -> Destination: MIB Browser -> vRPA LAN vNIC
Protocol and description:
● SNMP over TLS (TCP); SNMP over DTLS (UDP).
● Used for SNMP reporting. Only required if SNMP is configured.
Effect if closed:
● No encrypted SNMP.

Inter-cluster ports
The following ports must be accessible to clusters in this system, to allow inter-cluster communication. These ports need not be
accessible to any server outside the system.

Table 10. Inter-cluster ports

Port: ICMP echo requests
Source -> Destination: vRPA WAN vNIC -> vRPA WAN vNIC
Protocol and description:
● ICMP is required between vRPAs when installing vRPA clusters or adding vRPAs to existing clusters.
Effect if closed:
● Installation fails.
● Cluster management operations fail.

Port 22
Source -> Destination: SSH client -> vRPA WAN vNIC
Protocol and description:
● Inbound SSH and communications between vRPAs (TCP).
● WAN ports preferred, Management ports as fallback.
Effect if closed:
● Diagnostic tools fail.
● Replication is not affected.

Port 22
Source -> Destination: vRPA WAN vNIC -> vRPA WAN vNIC
Protocol and description:
● Inbound/outbound communications between vRPAs.
Effect if closed:
● Replication is not affected.

Port 5001
Source -> Destination: vRPA WAN vNIC -> vRPA WAN vNIC
Protocol and description:
● iperf; performance measuring between vRPAs (inbound/outbound TCP).
● Used for collecting diagnostic and performance information between clusters. Best practice is to make this
port available, but it is not required.
Effect if closed:
● No performance measurement.
● Replication is not affected.

Port 5020
Source -> Destination: vRPA WAN vNIC -> vRPA WAN vNIC
Protocol and description:
● (inbound/outbound TCP, UDP).
● Required between vRPAs in different clusters for replication.
Effect if closed:
● No .
● No replication.

Port 5040
Source -> Destination: vRPA WAN vNIC -> vRPA WAN vNIC
Protocol and description:
● (inbound/outbound TCP, UDP).
● Required between vRPAs in different clusters for replication.
Effect if closed:
● No system.
● No replication.

Port 5060
Source -> Destination: vRPA WAN vNIC -> vRPA WAN vNIC
Protocol and description:
● mpi_perf (inbound/outbound TCP, UDP).
● Used for collecting diagnostic and performance information between clusters. Best practice is to make this
port available, but it is not required.
Effect if closed:
● No performance measurement.
● Replication is not affected.

Port 5080
Source -> Destination: vRPA WAN vNIC -> vRPA WAN vNIC
Protocol and description:
● Connectivity diagnostics tool (inbound/outbound TCP, UDP).
● Used for collecting diagnostic and performance information between clusters. Best practice is to make this
port available, but it is not required.
Effect if closed:
● No connectivity diagnostics.
● No performance measurement.
● Replication is not affected.

Port 5081
Source -> Destination: vRPA WAN vNIC -> vRPA WAN vNIC
Protocol and description:
● Connectivity diagnostics tool (inbound/outbound UDP).
● Used for collecting diagnostic and performance information between clusters. Best practice is to make this
port available, but it is not required.
Effect if closed:
● No connectivity diagnostics.
● No performance measurement.
● Replication is not affected.

Port 5100
Source -> Destination: vRPA WAN vNIC -> vRPA WAN vNIC
Protocol and description:
● Cluster connector (inbound/outbound TCP, UDP), for connecting additional clusters.
Effect if closed:
● Cannot add an additional cluster to the system.

Port 8082
Source -> Destination: vRPA WAN vNIC -> vRPA WAN vNIC
Protocol and description:
● Supports log collection (inbound/outbound TCP): connecting new vRPAs to cluster.
Effect if closed:
● Diagnostic tools fail.
● Replication is not affected.
● Cannot collect support logs from multiple vRPAs.

Port 8084
Source -> Destination: vRPA WAN vNIC -> vRPA WAN vNIC
Protocol and description:
● Used to communicate with configuration database on each vRPA (inbound/outbound TCP).
Effect if closed:
● No communication with configuration database.

Port 9999
Source -> Destination: vRPA WAN vNIC -> vRPA WAN vNIC
Protocol and description:
● udponger; connectivity diagnostics tool (inbound/outbound UDP).
● Used for diagnosing UDP connectivity between clusters. Best practice is to make this port available, but it is not
required.
Effect if closed:
● No connectivity diagnostics. If tool is run, returns error.
● Replication is not affected.

Intra-cluster ports
The following ports must be accessible to all RPAs in the same cluster, to allow intra-cluster communication. These ports need
not be accessible to any server outside the cluster. Note that ICMP is required between vRPAs when installing vRPA clusters or
adding vRPAs to existing clusters.

Table 11. Intra-cluster ports

Port 123
Source -> Destination: vRPA LAN vNIC -> vRPA LAN vNIC
Protocol and description:
● inbound/outbound TCP, UDP, used between vRPAs in a cluster for time synchronization.
Effect if closed:
● vRPAs may show incorrect time. Event time stamps may be incorrect.
● Replication not affected, but snapshots may show incorrect times. Write-order of snapshots not affected.

Port 5020
Source -> Destination: vRPA LAN vNIC -> vRPA LAN vNIC
Protocol and description:
● (inbound/outbound TCP, UDP).
● Required between vRPAs within the same cluster for cluster management.
Effect if closed:
● No .
● No replication.

Port 5021
Source -> Destination: vRPA LAN vNIC -> vRPA LAN vNIC
Protocol and description:
● Used for storage process (TCP, UDP).
Effect if closed:
● Replication not affected.

Port 5042
Source -> Destination: splitter -> vRPA LAN vNIC
Protocol and description: Inbound and outbound TCP communication for each vRPA.
Effect if closed: Without communication between splitter and vRPA:
● No replication.
● No test or failover on replica side.

Port 5044
Source -> Destination: splitter -> vRPA LAN vNIC
Protocol and description: Inbound and outbound TCP communication for each vRPA.
Effect if closed: Without communication between splitter and vRPA:
● No replication.
● No test or failover on replica side.

Port 5050
Source -> Destination: vRPA LAN vNIC -> vRPA LAN vNIC
Protocol and description:
● (TCP, UDP).
Effect if closed: No replication

Port 6015
Source -> Destination: vRPA LAN vNIC -> vRPA LAN vNIC
Protocol and description:
● For cluster leader arbitration (UDP).
● Required for cluster arbitration. Used for redundant communication between vRPAs.
● RecoverPoint for VMs: WAN ports are also used for this purpose.
Effect if closed:
● Exposes system to single point of failure (namely, the repository volume) for leader arbitration when
there is no communication with other vRPAs.

Port 8082
Source -> Destination: vRPA LAN vNIC -> vRPA LAN vNIC
Protocol and description:
● Inbound/outbound TCP, supports log collection: connecting new vRPAs to cluster.
Effect if closed:
● Cannot collect support logs from multiple vRPAs.

Port 8084
Source -> Destination: vRPA LAN vNIC -> vRPA LAN vNIC
Protocol and description:
● Required between vRPAs within the same cluster for cluster management (TCP).
● Used to communicate with configuration database on each vRPA.
Effect if closed:
● No .

Secure administration
This topic provides recommendations about encrypting both communications within the system and over the network.

Steps
● Only encrypted (HTTPS) mode can be used to administer RecoverPoint for VMs through the Management Application UI.

Changing the plugin server certificate


Use this procedure to change the plugin server certificate before the plugin server has been configured using Deployment
Manager.

About this task


Use this procedure, for instance, if you want to use a certificate that has been signed by your organization's internal certificate
authority.

Steps
1. Connect to the plugin server with root permissions.
2. Create a backup of the existing certificate and key files:
/etc/nginx/ssl/rpcenter.cert
/etc/nginx/ssl/rpcenter.key
3. Disable the firewall on the plugin server.
Run the command /sbin/SuSEfirewall2 off
4. Upload the new certificate and key files to /etc/nginx/ssl.
5. Rename the new certificate file to rpcenter.cert and the new key file to rpcenter.key.
6. Reboot the plugin server VM.
7. In the RecoverPoint for VMs Deployer, click Configure plugin server home screen.
Enter the plugin server IP address in IPv4 format, confirm the new certificate, and click Configure.
For more information, see the "Configure the plugin server" in the RecoverPoint for VMs Installation and Deployment Guide.

Results
RecoverPoint for VMs is configured to use the new plugin server certificate.

Next steps
NOTE:

Check that the certificate is the same across all vRPAs of the same cluster before adding the vRPA to the cluster.
Log into vSphere Client from the relevant vCenter Server and check that the RecoverPoint for VMs HTML5 plugin is displayed.

Changing a registered plugin server certificate


Use this procedure to change the plugin server certificate after the plugin server has already been configured using Deployment
Manager.

About this task


Use this procedure, for instance, if you want to use a certificate that has been signed by your organization's internal certificate
authority.

Steps
1. Connect to the plugin server with root permissions.
2. Create a backup of the existing certificate and key files:
/etc/nginx/ssl/rpcenter.cert
/etc/nginx/ssl/rpcenter.key
3. Disable the firewall on the plugin server.
Run the command /sbin/SuSEfirewall2 off
4. Upload the new certificate and key files to /etc/nginx/ssl.
5. Rename the new certificate file to rpcenter.cert and the new key file to rpcenter.key.
6. Power off the plugin server VM.
7. Unregister the RecoverPoint for VMs HTML5 plugin from the relevant vCenter Server.
See "Unregistering the plugin from the Managed Object Browser" in the RecoverPoint for VMs Installation and Deployment
Guide.
8. Power on the plugin server VM.
9. Navigate to https://RPCIP/ui.
10. Click Authorize and enter the vCenter Server Credentials.
11. Navigate to DELETE /vcs/{vc-id} near the bottom of the Swagger page.
12. Select Try it Out, enter the vCenter Server serial number, and select Execute.
A 204 response is returned.
13. In the RecoverPoint for VMs Deployer, click Configure plugin server home screen.
Enter the plugin server IP address in IPv4 format, confirm the new certificate, and click Configure.
For more information, see the "Configure the plugin server" in the RecoverPoint for VMs Installation and Deployment Guide.

Results
RecoverPoint for VMs is configured to use the new plugin server certificate.

Next steps
NOTE:

Ensure the certificate is the same across all vRPAs of the same cluster before adding the vRPA to the cluster.
Log into vSphere Client from the relevant vCenter Server and check that the RecoverPoint for VMs HTML5 plugin is displayed.

Encrypted communications

Inter-RPA communication
Communication between vRPAs can be configured to require authentication and encryption (refer to Changing the RPA
communication security level), even if they are in different clusters.

Network communication
RecoverPoint for VMs applies a checksum to all replicated data and control messages to prevent corruption while data is in transit over LAN and WAN
IP networks. In addition, when the RPA communication security level is set to "Authenticated and encrypted", encryption and
VPN authentication provide increased data protection and integrity.

SSH security
Administration of RecoverPoint for VMs through the CLI is over SSH. Users who wish to do so can use the CLI command add_ssh_key to configure a
public key that enables secure communications without entering a password. See the CLI Reference Guide for more information
about this command’s parameters and usage.

Certificates handling
RecoverPoint for VMs uses certificates to establish secure communications between devices.

RPA verifying an external server


When a vRPA initiates SSL communication with a server that is external to it, such as a vCenter Server, it authenticates the
server by verifying its certificate. RecoverPoint for VMs supports certificate verification for registration of vCenter Servers
(from Deployment UI, CLI, and vSphere Web Client plug-in).

Steps
● The user may accept an untrusted certificate, even when RecoverPoint for VMs does not.
● vRPAs maintain a truststore of certificates that are signed by trusted certificate authorities (CAs).

Adding a certificate to a truststore


Perform the following steps to add a trusted certificate.

Steps
1. Use an SSH client to log in to the vRPA as user = admin. From the Main menu, select Setup > Advanced Options >
Security options > Certificates management > Truststore management > Add trusted certificate.
2. Enter required information.
3. To ensure an effective security policy, repeat this change on every RPA at every cluster in the system.

Removing a certificate from a truststore


Perform the following steps to remove a trusted certificate.

Steps
1. Use an SSH client to log in to the vRPA as user = admin. From the Main menu, select Setup > Advanced Options >
Security options > Certificates management > Truststore management > Remove trusted certificate.
2. Enter required information.
3. To ensure an effective security policy, repeat this change on every RPA at every cluster in the system.

External client verifying an RPA
To enable secure communication between vRPAs and clients that are external to them, such as Internet browsers, create a
trusted certificate and install it on every vRPA in the system.

Steps
● For the procedure for creating trusted certificates, see Creating a user web certificate.

Installing a new web server certificate


Use this procedure to replace the current web server certificate.

Steps
1. Use an SSH client to log in to the vRPA as user = admin. From the Main menu, select Setup > Advanced Options >
Security Options > Certificates Management > Keystore Management > Change Web Server Certificate.
RecoverPoint for VMs requires RSA keys with 2048-bit modulus or longer.
2. Change the current web server certificate to a non-default certificate.
Changing the certificate causes the web server to restart. Until it is fully operational again (a few minutes), the vRPA cannot
be accessed through the web client, and the Installation Server is not available.
3. To ensure an effective security policy, repeat these changes on every vRPA at every cluster in the system.

Next steps
If you are using a non-default certificate, check that the certificate is the same across all vRPAs of the same cluster before
adding the vRPA to the cluster.

HTTP Strict Transport Security (HSTS)


This topic explains the benefits of HTTP Strict Transport Security and how to activate it.

About this task


HTTP Strict Transport Security (HSTS) is a mechanism that protects secure (HTTPS) websites from being downgraded to
nonsecure HTTP. This mechanism enables web servers to instruct their clients (web browsers or other user agents) to use
secure HTTPS connections when interacting with the server, and never use the insecure HTTP protocol. HSTS is only available
with certificates signed by a Certificate Authority. The best practice is to use a Certificate Authority so that Strict Transport
Security can be used.

Steps
1. Create and install a web certificate that is signed by a Certificate Authority. Refer to Creating a user web certificate.
2. Activate HTTP Strict Transport Security: Use an SSH client to log in to the vRPA as user = admin. From the Main menu,
select Setup > Advanced options > Security options > Change web server "HTTP Strict Transport Security" HSTS"
mode.

Results
Changing the HTTP Strict Transport Security mode causes the web server to restart. Until it is fully operational again (a few
minutes), the vRPA cannot be accessed through the web client, and the Installation Server is not available.
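
Once the web server is back, the HSTS response header can be checked from a client. The following is an added example, not Dell code: it parses a Strict-Transport-Security value under the RFC 6797 rules and classifies the result. The header samples in the test are constructed, and the 180-day minimum max-age is an assumed local policy threshold.

```python
import re

# RFC 7230 token characters, used for directive names.
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns {"max_age": int, "include_subdomains": bool}, or None when the
    header must be ignored: malformed name, repeated directive, or a missing
    or non-numeric max-age. Quoted values containing ';' are not handled.
    """
    seen = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives between semicolons are permitted
        name, sep, val = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        val = val.strip()
        if not TOKEN.match(name) or name in seen:
            return None
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # max-age may be sent as a quoted-string
        seen[name] = val if sep else None
    max_age = seen.get("max-age")
    if max_age is None or not (max_age.isascii() and max_age.isdigit()):
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in seen,
    }


def hsts_verdict(scheme, headers, min_max_age=15552000):
    """Classify one response. headers is a list of (name, value) pairs.

    min_max_age (seconds) is an assumed policy threshold, not a product value.
    """
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return "missing"
    if scheme != "https":
        # Clients ignore HSTS headers received over plain HTTP.
        return "ignored-insecure-transport"
    policy = parse_hsts(values[0])  # only the first header field is processed
    if policy is None:
        return "invalid"
    if policy["max_age"] == 0:
        return "disabled"  # max-age=0 tells the client to drop the policy
    if policy["max_age"] < min_max_age:
        return "short-lived"
    return "enforced"
```

A "missing" or "ignored-insecure-transport" verdict after activation means the client is not being told to stay on HTTPS.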

Verifying when connecting a new vRPA cluster


To connect a new ("remote") vRPA cluster to an existing ("current") vRPA cluster, each side must authenticate the other.

Prerequisites
To ensure an effective security policy, including conclusive trust checks, it is recommended to replace default vRPA web server
certificates with valid and trusted certificates on all vRPAs at both clusters.

Steps
1. The remote vRPA cluster authenticates the current cluster by verifying that the current cluster knows the remote cluster's
admin password. The user should provide a password if the remote cluster credentials differ from the default and those of
the current cluster.
2. The vRPA at the current cluster authenticates the vRPA at the remote cluster by verifying its certificate, similar to the
verification of an external server (see RPA verifying an external server).
The user may be prompted to approve the verification.

Secure administration when directly accessing a vRPA


When accessing a vRPA directly (not through the plug-in in the vSphere client), the following features and limitations are
relevant to secure administration.

SNMP security
RecoverPoint for VMs supports encryption of the SNMP protocol, including the following features:
● SNMP with Advanced Encryption Standard (AES) support in the User-based Security Model.
● Ability to disable SNMPv1/v2 community strings.
● HTTPS web certificate will also service SNMP Transport Layer Security port.

Limitations
● Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol (OCSP) are not supported.
● Secure Shell (SSH) transport is not supported for SNMP.
● MD5 based password hashes and DES-based privacy are not supported.

SNMP behavior
If Agent enabled is checked, hosts will be able to initiate SNMP queries to the SNMP agent; and system SNMP traps (event
notification) will be enabled.
If Send Event Traps is enabled, the system will send system SNMP notifications to the specified location.
For optimal security, when defining SNMPv3 users, specify a user certificate and do not specify a password. The certificate file
can contain more than one certificate; select one. All certificates in the file are equally valid.

Default SNMP behavior after new installations and upgrades


By default, SNMP is disabled in all new installations and disruptive upgrades.

WAN/LAN separation
The WAN, LAN and data traffic can be configured on different network adapters, and therefore on different subnets. RecoverPoint for VMs does not
internally route IP traffic between the different interfaces. Network adapter topologies are available that route more than one
traffic type on one network adapter. IP forwarding is always disabled on the vRPA.

Data security
Data security settings enable controlling the unauthorized disclosure of permanently stored data.

User data at rest
Replicated data does not persist on the vRPAs. Configuration information is saved on the repository volume in the SAN, where
it is protected by standard SAN access controls; and on cluster leader vRPAs (1 and 2). Hashes of user passwords are saved on
the local disks of all vRPAs.

Data erasure
The only customer data that persists to disk are log events, authentication information, and configuration data. The actual data
replicated by RecoverPoint for VMs resides in the customer's SAN environment, not on the vRPA. For this reason, a powered down vRPA will not
contain customer data beyond a portion of its own configuration, such as network addresses assigned to it.

Secure serviceability settings


This section includes information about user SE and system reports and alerts. The entire section applies only when accessing
vRPA directly via SSH.

Customer support
User admin has the SE permission that enables access to the Sysmgmt CLI advanced support commands. These commands
comprise a full set of tools for system support. They are hidden by default, but can be displayed by using the
enable_advanced_support_commands Sysmgmt CLI command.
Take care to always use advanced support commands correctly, since incorrect use can cause harm to your
RecoverPoint for VMs system. When you have finished using the advanced support commands, re-hide them by using the
disable_advanced_support_commands command.
User root has full operating system privileges and is used by engineering during service tickets escalations. Root access is
logged using the standard Syslog mechanism, but due to the nature of root access, these logs can be manipulated by root.
Local access for user root is enabled using the relevant password. Local and remote support for user root is disabled by default
on new installations. It can be enabled and disabled as follows: Use an SSH client to log in to the vRPA as user = admin. From
the Main menu, select Setup > Advanced options > Security options > Enable/Disable root access. Root access should be
disabled whenever it is not needed.

System reports and alerts


vRPAs send weekly configuration reports and state reports, as well as system events (whose scope is normal), to the System
Reports database, in real-time, through the System Alerts mechanism, using the SMTP settings configured. The system alert
mechanism will filter these events to determine whether a service request should be opened with Customer Support. Only
configuration and state data is sent; no customer data or statistics are collected. This mechanism is enabled by default, but can
be disabled at any time through the plug-in for vCenter or the CLI.

System Reports enhanced


If the customer vRPAs are registered with the Secure Remote Support (Secure Remote Services) gateway, Customer Support
can communicate with the customer vRPA over a VPN. This allows Customer Support to provide firsthand support, monitoring,
and auditing.
Secure Remote Services is used in the following cases:
● Customers call Customer Support and request to open a Service Request.
● RecoverPoint for VMs automatically opens a Service Request (see Administrator’s Guide). In this case, Customer Support can connect to the
customer vRPA, collect system information, and investigate the nature of the event before they contact the customer
about the nature of the event.

Secure deployment
The following procedure is the recommended practice for securely deploying and using RecoverPoint for VMs in typical customer environments.

Steps
1. Consider enabling high password security. Refer to Local users' security level.
2. Change the default passwords. Delete unneeded users. Refer to Predefined users.
3. Install an X.509 certificate. Refer to Secure administration.
4. Configure VMware to allow access to vRPAs only from a trusted administration console and remote vRPA clusters.
Configure access for relevant servers (for example: to LDAP, NTP, DNS, SMTP; to and from SNMP, ESRS). proprietary
TCP/UDP ports should only be accessible from other vRPAs. The best practice is to deploy vRPAs in a dedicated subnet or
VLAN.
5. Control physical access to vSphere client and ESXi servers.
6. Control access to datastores on which the journals and repository are located.

Other security considerations


Secure Boot
5.3.2 and later versions support secure boot for the splitter and the JAM VIBs.

MD5 and SHA-256 checksums


All entities that are available for download are signed with MD5 and SHA-256 checksums, which you can use to verify the
integrity of your downloaded files.

OVA files signed by SRO


For 5.3.1, and later, the OVA files that you download from https://www.dell.com/support are signed using a certification file
that is provided by SRO. The signatures validate the authenticity of the OVF package. For additional information, see the
Installation and Deployment Guide.

GPG signatures for ISO files


For 5.3.1, and later, the ISO files that you download from https://www.dell.com/support are signed by GnuPG, which
implements the OpenPGP standard. The signatures validate the authenticity of the ISO files. For additional information, see
the Installation and Deployment Guide.

Resources beyond the control of


The following resources are beyond the control of . It is the responsibility of the customer to assure the availability, integrity,
and security of these resources. Compromising these resources may negatively affect operation and security.
● Passwords
Ensure that passwords are sufficiently complex that brute-force attacks fail, and are kept secret.
● Physical security
● Ensure that access to journal VMDKs and the repository VMDK is restricted to the vRPAs.

Troubleshooting and getting help
Product information: For documentation, release notes, software updates, or information about products, go to Online Support
at https://www.dell.com/support.
Technical support: Go to Online Support and click Service Center. You can find several options for contacting Technical
Support. To open a service request, you must have a valid support agreement. Contact your sales
representative for details about obtaining a valid support agreement or with questions about your
account.

Appendix
The main body of this document presents essential information about security. This appendix provides additional detail on select
topics.

Creating a user web certificate


Steps
1. In the OpenSSL toolkit (from any computer except the vRPA), create a new private key, using the following command:
   openssl genrsa -out key.pem 2048
   NOTE: requires RSA keys with a 2048-bit modulus or longer, and a sha512 hash.
2. Create a certificate signing request, using the following command:
   openssl req -new -key key.pem -out server.csr -sha512
3. Optionally, you may remove the passphrase from the key, using the following command:
   openssl rsa -in key.pem -out key_no_passphrase.pem
4. Sign the certificate. Use one of the following options:

   Option: Have a Certificate Authority sign
   Description: Send the certificate you created to a Certificate Authority for signing. This is the best practice,
   because it allows you to use HTTP Strict Transport Security (refer to HTTP Strict Transport Security
   (HSTS)).

   Option: Self-sign
   Description: Use the following command:
   openssl x509 -req -days days_valid (default=365) -in server.csr -signkey key.pem -out server.crt -sha512
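
The check below is an added example, not part of the Dell guide or its tooling. It tests a certificate against the two requirements in the NOTE above (RSA modulus of 2048 bits or longer, SHA-512 hash) and confirms that the certificate matches the private key. The function name check_web_cert and the demo subject name are hypothetical; key.pem and server.crt follow the file names used in the steps, and the key is assumed to have no passphrase.

```shell
#!/usr/bin/env bash
# Added example, not Dell tooling. check_web_cert is a hypothetical helper;
# key.pem / server.crt are the file names from the steps above. Assumes the
# private key has no passphrase.

# Prints one line per failed requirement; returns 0 only if all checks pass.
check_web_cert() {
    local key="$1" crt="$2" text bits sigalg rc=0
    text=$(openssl x509 -in "$crt" -noout -text) || return 2

    # Requirement: RSA public key with a modulus of 2048 bits or longer.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    if ! printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        echo "FAIL: public key is not RSA"; rc=1
    elif [ "${bits:-0}" -lt 2048 ]; then
        echo "FAIL: RSA modulus is ${bits:-unknown} bits, need >= 2048"; rc=1
    fi

    # Requirement: certificate signature uses a SHA-512 digest.
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    case "$sigalg" in
        *[Ss][Hh][Aa]512*) ;;
        *) echo "FAIL: signature algorithm is '$sigalg', need sha512"; rc=1 ;;
    esac

    # Consistency: the certificate was issued for this private key.
    if [ "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" != \
         "$(openssl x509 -in "$crt" -noout -modulus)" ]; then
        echo "FAIL: certificate does not match private key"; rc=1
    fi
    return "$rc"
}

# Constructed demo: steps 1, 2 and 4 (self-sign) run in a scratch directory,
# with a made-up subject so that openssl does not prompt.
demo_dir=$(mktemp -d)
openssl genrsa -out "$demo_dir/key.pem" 2048 2>/dev/null
openssl req -new -key "$demo_dir/key.pem" -out "$demo_dir/server.csr" \
    -sha512 -subj "/CN=vrpa.example.test"
openssl x509 -req -days 365 -in "$demo_dir/server.csr" \
    -signkey "$demo_dir/key.pem" -out "$demo_dir/server.crt" -sha512 2>/dev/null
check_web_cert "$demo_dir/key.pem" "$demo_dir/server.crt" && echo "OK: meets requirements"
```

Run the same function against a CA-signed certificate before installing it, since the CA chooses the signing digest and may not honor the one requested in the CSR.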

RecoverPoint for VMs cloud solution


The RecoverPoint for VMs integration with Cloud DR provides the ability to save VMware VM copies on the AWS S3 cloud. It
introduces vRPA interfaces to the AWS S3 bucket and the Cloud DR Server.
For instructions on using the RecoverPoint for VMs vSphere plug-in to register the AWS account and bucket, and install and
register the Cloud DR Server (CDRS), see the "Register cloud services and install CDRS" section of the RecoverPoint for VMs
Cloud Solutions Guide.

vRPA communication with the AWS S3 bucket


Authentication:
● When adding an AWS account, AWS authenticates the vRPA by verifying the credentials—user key and secret key—that
are provided by the vRPA.
● When registering an AWS S3 bucket, the AWS SDK on the vRPA is used to authenticate the S3 bucket.
Communication uses the HTTPS protocol and is, therefore, encrypted.

vRPA communication with the Cloud DR Server
CDRS authenticates vRPAs by password verification.
● If a CDRS is already installed in the AWS account, the CDRS is registered at the vRPA upon verifying the CDRS admin
password provided by the user.
● If a CDRS is not yet installed in the AWS account, the user enters a unique password for the CDRS admin user.
The CDRS is installed and registered at the specified vRPA cluster(s), and the specified password is set as the CDRS admin
user password.
● If you need to change the CDRS admin password, use the Cloud DR Server UI (see the RecoverPoint for VMs Cloud
Solutions Guide). Then use the RecoverPoint for VMs vSphere plug-in to re-register the CDRS for the vRPA clusters.
After CDRS registration, subsequent communication between the vRPA and CDRS is subject to ongoing token-based
authentication.
Communication uses the HTTPS protocol and is, therefore, encrypted.
