Dell EMC Search
Version 19.1
Security Configuration Guide
302-005-799
REV 01
Copyright © 2018-2019 Dell Inc. or its subsidiaries. All rights reserved.
Published May 2019
Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.“ DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED
IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.
Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners.
Published in the USA.
Dell EMC
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.DellEMC.com
CONTENTS
Preface
Chapter 1 Communication Security
    Port usage
    Network encryption
    Cryptographic modules
    Login, session, and password protection
    Firewall rules
    NFS share
    Elasticsearch REST API
    Data security
Chapter 2 Access control
    Default accounts
    Search application settings
    Avamar action service settings
    NetWorker action service settings
    Common Index Service settings
    Configure LDAP and AD users
    Maintaining the Search OpenLDAP server
    Authentication configuration
    About roles
        System Administrator role
        Application Administrator role
        Full Access Search (Global) role
        Index specific search roles
    Managing roles
        Assign roles to users or groups
        Remove users or groups
        Edit role assignments
    Log files
        Copy log files (WinSCP)
        Copy log files (PuTTY)
    Managing logs
        Managing logs for API-based services
        Managing logs for Worker and Action services
        Managing logs for Elasticsearch
        Managing logs for Nginx
        Manage logs for the Puppet agent
Preface
As part of an effort to improve product lines, periodic revisions of software and hardware are released. Therefore, all versions of the software or hardware currently in use might not support some functions that are described in this document. The product release notes provide the most up-to-date information on product features.
If a product does not function correctly or does not function as described in this document, contact a technical support professional.
Note
This document was accurate at publication time. To ensure that you are using the latest version of this document, go to the Support website https://www.dell.com/support.
Purpose
This document describes the security features and settings of Dell EMC Search.
Audience
This document is intended for the following administrators who will be involved in managing Search.
• Search administrator
• Index administrator
Revision history
The following table includes information about the revision history of this publication:
Table 1 Revision history
| Revision | Date | Changes |
|---|---|---|
| 01 | May 20, 2019 | GA release of the Search 19.1 Security Configuration Guide. |
Related documentation
The following publications provide additional information:
• Search Deployment and Administration Guide
• Search Security Configuration Guide
• E-Lab Navigator at https://elabnavigator.emc.com/eln/elnhome
• Search Release Notes
Special notice conventions that are used in this document
The following conventions are used for special notices:
NOTICE
Identifies content that warns of potential business or data loss.
Note
Contains information that is incidental, but not essential, to the topic.
Typographical conventions
The following type style conventions are used in this document:
Table 2 Style conventions
Bold: Used for interface elements that a user specifically selects or clicks, for example, names of buttons, fields, tab names, and menu paths. Also used for the name of a dialog box, page, pane, screen area with title, table label, and window.
Italic: Used for full titles of publications that are referenced in text.
Monospace: Used for:
• System code
• System output, such as an error message or script
• Pathnames, file names, file name extensions, prompts, and syntax
• Commands and options
Monospace italic: Used for variables.
Monospace bold: Used for user input.
[ ]: Square brackets enclose optional values.
|: Vertical line indicates alternate selections. The vertical line means or for the alternate selections.
{ }: Braces enclose content that the user must specify, such as x, y, or z.
...: Ellipses indicate non-essential information that is omitted from the example.
You can use the following resources to find more information about this product,obtain support, and provide feedback.
Where to find product documentation
• https://www.dell.com/support
• https://community.emc.com
Where to get support
The Support website https://www.dell.com/support provides access to product licensing, documentation, advisories, downloads, and how-to and troubleshooting information. The information can enable you to resolve a product issue before you contact Support.
To access a product-specific page:
1. Go to https://www.dell.com/support.
2. In the search box, type a product name, and then from the list that appears, select the product.
Knowledgebase
The Knowledgebase contains applicable solutions that you can search for either by solution number (for example, KB000xxxxxx) or by keyword.
To search the Knowledgebase:
1. Go to https://www.dell.com/support.
2. On the Support tab, click Knowledge Base.
3. In the search box, type either the solution number or keywords. Optionally, you can limit the search to specific products by typing a product name in the search box, and then selecting the product from the list that appears.
Live chat
To participate in a live interactive chat with a support agent:
1. Go to https://www.dell.com/support.
2. On the Support tab, click Contact Support.
3. On the Contact Information page, click the relevant support, and then proceed.
Service requests
To obtain in-depth help from Licensing, submit a service request. To submit a service request:
1. Go to https://www.dell.com/support.
2. On the Support tab, click Service Requests.
Note
To create a service request, you must have a valid support agreement. For details about either an account or obtaining a valid support agreement, contact a sales representative. To get the details of a service request, in the Service Request Number field, type the service request number, and then click the right arrow.
To review an open service request:
1. Go to https://www.dell.com/support.
2. On the Support tab, click Service Requests.
3. On the Service Requests page, under Manage Your Service Requests, click View All Dell Service Requests.
Online communities
For peer contacts, conversations, and content on product support and solutions, go to the Community Network https://community.emc.com. Interactively engage with customers, partners, and certified professionals online.
How to provide feedback
Feedback helps to improve the accuracy, organization, and overall quality of publications. You can send feedback to [email protected].
CHAPTER 1
Communication Security
Communication security settings establish secure communication channels between product components and external systems or components. This chapter contains the following topics:
• Port usage
• Network encryption
• Cryptographic modules
• Login, session, and password protection
• Firewall rules
• NFS share
• Elasticsearch REST API
• Data security
Port usage
The ports that are listed in the following table are the Search default ports for the various components that all use the TCP/HTTPS protocol. Some of these ports can be changed. Various configuration files must be manually edited.
The following table lists the required ports for Search.
Table 3 Default ports
| Component | Service | Protocol | Port | Description |
|---|---|---|---|---|
| Common Indexing Service | NGINX | TCP/HTTPS | 442 | Secure access to Elasticsearch. |
| Search and Admin UIs and APIs | NGINX | TCP/HTTPS | 443 | Admin web application. Search web application. Admin REST API. Search REST API. |
| Common Indexing Service | NGINX | TCP/HTTPS | 445 | CIS REST API. The Common Indexing Service (CIS) provides a secure layer above Elasticsearch. |
| Elasticsearch cluster ports | NGINX | TCP/HTTPS | 9300–9400 | Ports for communicating with Elasticsearch (Index data nodes). Elasticsearch cluster ports are only opened internally, and are not for external access. |
| Puppet | Puppet | TCP | 8140, 61613 | Puppet master, agent, and console. Puppet ports must be open between Search nodes to allow for communication during an automatic upgrade. |
| Avamar Client | Avamar Client | TCP | 28000-29000, 30000-31000 | Ports for Avamar client communicating with Avamar server. Each client requires two ports from each port range. |
| NetWorker Client | NetWorker Client | TCP | 7937-8100 | Ports for NetWorker client communicating with NetWorker server. |
| OpenLDAP | slapd | TCP | 389 | Ports for the Search node communicating with OpenLDAP, and sync between OpenLDAP, are only opened internally. |
| SSH | sshd | TCP | 22 | Client connects to server through ssh. |
| NFS | nfs | TCP | 111, 2049 | Ports for communicating with NFS are only opened internally. |
The following figure displays port data flow and access. Inbound ports that are allowed include:
• 443 (mandatory)
• 442
• 445
• 8140
• 61613
• 9300–9400
• 28000-29000
• 30000-31000
• 7937-8100
• 389
• 22
• 111
• 2049
Figure 1 Port data flow and access
The following figure displays communications between Search nodes.
Note
Ports are still open.
Figure 2 Communications between Search nodes
Network encryption
The following table outlines the encryption strategies that are employed.
Table 4 Encryption strategies
| Communication | Encryption type |
|---|---|
| Web browser and Search web server (Admin/Search web applications) | TLS 1.2 with server authentication |
| Web browser and CIS web server (if going directly to CIS/Elasticsearch) | TLS 1.2 with mutual authentication |
| Search web server and CIS web server | TLS 1.2 with mutual authentication |
| Search web server and Search Action service APIs (Avamar/NetWorker) | TLS 1.2 with mutual authentication |
Note
For Avamar, SSL between Search and the Avamar Web Service is used with keystore to store the certificate for web service authentication. For NetWorker, backup and archive data on UNIX and Windows hosts are encrypted with the aes Application Specific Module (ASM). The aes ASM provides 256-bit data encryption. Backup data is encrypted based on a user-defined pass phrase. If no pass phrase is specified, data is encrypted with the default pass phrase.
Cryptographic modules
The following is a list of cryptographic modules that are used by Search:
• HS256 for signing JWT
• RSA1_5 2048 bit algorithms for encrypting the web tokens
• AES_256_GCM for lockbox encryption
• SHA256 2048 bit algorithms for NGINX SSL certificates
Disable the following ciphersuites:
• Null and low security ciphersuites
• Insecure algorithms: MD5, RC4, SHA1, and DES
• Little-used ciphers: kECDH, EXP, PSK, SRP, CAMELLIA, SEED, and DSS
Login, session, and password protection
The local system accounts allow users to log in to the virtual machine and access Elasticsearch directly by using port http://localhost:9200. This port is not accessible remotely. Local system access allows unrestricted access to Elasticsearch. Therefore, it is important that local system access is restricted.
Note
Elasticsearch is accessible remotely through port 442 and requires CIS credentials before login.
The Search login session expires after a 20 minute period of inactivity.
Firewall rules
Search requires access to the following external (world wide) ports:
• 442:445 (Web/REST API)
• 28000-29000, 30000-31000 (Avamar Client)
• 7937-8100 (NetWorker client)
• 22 (SSH)
Search requires access to the following internal ports:
• 389 (openLDAP)
• 8140 (Puppet Master and Master node only)
• 61613 (Puppet)
• 9300:9400 (Elasticsearch)
• 111, 2049 (NFS)
To use ports 9300–9400, CIS provides access to IP addresses within a subnet. An example subnet is 128.222.162.
Elasticsearch nodes use ports 9300–9400 to form a cluster and to communicate with other Elasticsearch nodes.
NFS share
The Common Indexing Service (CIS) requires an NFS share to store backup files. You can only access this share internally, within a subnet.
For details, check the /etc/exports file.
Elasticsearch REST API
You can use the Elasticsearch REST API to implement custom applications or widgets. However, Dell does not support this API.
For more information, see the Elasticsearch documentation.
Data security
Search encrypts all in-flight data by using https.
Communication between Elasticsearch nodes is not encrypted.
Communication between Search node and local OpenLDAP is not encrypted.
Communication between Search node and NFS share is not encrypted.
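The firewall rules above split the Search ports into external and internal sets, and the Data security section lists the traffic to Elasticsearch nodes, OpenLDAP, and the NFS share as not encrypted. The following Python check is an added example, not part of the Dell guide: it reads a constructed list of allow-rules and flags any rule that admits an internal port from outside the Search subnet. The /24 mask on the guide's example subnet 128.222.162 and the (port, source CIDR) rule format are assumptions.

```python
import ipaddress

# Internal-only ports, taken from the guide's "Firewall rules" list.
INTERNAL_PORTS = {
    "OpenLDAP": [(389, 389)],
    "Puppet": [(8140, 8140), (61613, 61613)],
    "Elasticsearch cluster": [(9300, 9400)],
    "NFS": [(111, 111), (2049, 2049)],
}
# Services whose traffic the "Data security" section lists as not encrypted.
UNENCRYPTED = {"OpenLDAP", "Elasticsearch cluster", "NFS"}

# Assumption: the guide's example subnet 128.222.162 written as a /24.
SEARCH_SUBNET = "128.222.162.0/24"

# Constructed allow-rules: (destination port or range, permitted source CIDR).
SAMPLE_RULES = [
    ("443", "0.0.0.0/0"),                # external web port, expected
    ("9300-9400", "128.222.162.0/24"),   # cluster ports, Search subnet only
    ("389", "0.0.0.0/0"),                # OpenLDAP open to any source
    ("2049", "128.222.0.0/16"),          # NFS open to a wider network
    ("8000-8200", "10.0.0.0/8"),         # broad range that happens to cover 8140
]


def parse_ports(spec):
    """Turn '9300-9400' or '389' into an inclusive (low, high) tuple."""
    low, _, high = spec.partition("-")
    return int(low), int(high or low)


def audit(rules, search_subnet=SEARCH_SUBNET):
    """Return one finding per internal service exposed outside the subnet."""
    subnet = ipaddress.ip_network(search_subnet)
    findings = []
    for port_spec, source in rules:
        low, high = parse_ports(port_spec)
        src = ipaddress.ip_network(source)
        # A source that lies entirely inside the Search subnet is acceptable.
        if src.version == subnet.version and src.subnet_of(subnet):
            continue
        for service, ranges in INTERNAL_PORTS.items():
            # Range overlap test, so broad rules such as 8000-8200 are caught.
            if any(low <= r_high and r_low <= high for r_low, r_high in ranges):
                findings.append({
                    "rule": (port_spec, source),
                    "service": service,
                    "unencrypted": service in UNENCRYPTED,
                })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        note = " (traffic not encrypted)" if finding["unencrypted"] else ""
        print("{0} reachable via rule {1}{2}".format(
            finding["service"], finding["rule"], note))
```
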
CHAPTER 2
Access control
Access control settings provide protection of resources against unauthorized access.
This chapter contains the following topics:
• Default accounts
• Search application settings
• Avamar action service settings
• NetWorker action service settings
• Common Index Service settings
• Configure LDAP and AD users
• Maintaining the Search OpenLDAP server
• Authentication configuration
• About roles
• Managing roles
• Log files
• Managing logs
Default accounts
The following table lists the default Search accounts.
Table 5 Default account names
| Account type | Username | Description |
|---|---|---|
| User account | admin | • Default system, application, and search admin account • Set at deployment time |
| Root user | root | • Root account for the virtual machine terminal • Set at deployment time |
All other accounts are managed with an LDAP solution, such as Microsoft Active Directory. Any external LDAP accounts are specified by using the Search Administration application.
Search application settings
The /etc/nginx/nginx.conf file contains definitions for default ports and self-signed certificates for exposed UIs and REST APIs.
The /etc/nginx/nginx.search.conf file includes settings for the following components:
• Search UI
• Search REST API
• Admin UI
• Admin REST API
By default, in the /etc/nginx/nginx.search.conf file, the following settings are used:
• Port 443
• Self-signed certificate /usr/local/search/etc/cert/server.crt
• ssl_client_certificate /usr/local/search/action/search/etc/certs/ca.crt
• Key /usr/local/search/etc/cert/server.key
To make changes to the default port, self-signed certificate, ssl_client_certificate, or key, edit the following file:
/etc/nginx/nginx.search.conf
After changes are made to the file, restart nginx.
Note
If a port is changed, update the firewall settings.
The /etc/nginx/nginx.search.conf file also contains the following configurations:
• SSL protocols (ssl_protocols)
• SSL ciphers (ssl_prefer_server_ciphers, ssl_ciphers)
• Prevent clickjacking configuration (add_header X-Frame-Options)
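One way to check the ssl_protocols, ssl_ciphers, ssl_prefer_server_ciphers, and add_header X-Frame-Options settings listed above against the guide's TLS 1.2 and ciphersuite guidance (added example, not Dell code). Both configuration samples are constructed and are not the shipped nginx.search.conf; group keywords such as HIGH are not expanded, so the check reports only what the cipher string names explicitly.

```python
import re

# Protocol versions older than the TLS 1.2 that the guide's encryption table lists.
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# OpenSSL cipher-string keywords for the suites the guide says to disable.
WEAK_CIPHER_TOKENS = {"NULL", "aNULL", "eNULL", "LOW", "MD5", "RC4", "SHA1", "SHA",
                      "DES", "kECDH", "EXP", "EXPORT", "PSK", "SRP", "CAMELLIA",
                      "SEED", "DSS"}

DIRECTIVE = re.compile(
    r"^\s*(ssl_protocols|ssl_ciphers|ssl_prefer_server_ciphers|add_header)"
    r"\s+([^;]+);", re.M)

# Constructed sample with weak settings; the commented-out line must not count.
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:MEDIUM:RC4-SHA:DES-CBC3-SHA:!aNULL;
    # ssl_prefer_server_ciphers on;
}
"""

# Constructed sample that follows the guide's list of ciphersuites to disable.
HARDENED_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!LOW:!MD5:!RC4:!SHA1:!DES:!kECDH:!EXP:!PSK:!SRP:!CAMELLIA:!SEED:!DSS';
    add_header X-Frame-Options SAMEORIGIN;
}
"""


def parse_directives(conf_text):
    """Collect the values of the TLS and header directives, ignoring comments."""
    text = re.sub(r"#.*", "", conf_text)
    found = {}
    for name, value in DIRECTIVE.findall(text):
        found.setdefault(name, []).append(value.strip())
    return found


def enabled_weak_tokens(cipher_string):
    """Return weak keywords that the cipher string enables by name."""
    weak = set()
    for element in re.split(r"[:, ]+", cipher_string.strip("'\"")):
        # '!' and '-' remove suites, '+' only reorders, '@' is a control command.
        if not element or element[0] in "!-+@":
            continue
        for part in re.split(r"[-+]", element):
            name = "CAMELLIA" if part.startswith("CAMELLIA") else part
            if name in WEAK_CIPHER_TOKENS:
                weak.add(name)
    return sorted(weak)


def audit(conf_text, expect_frame_options=True):
    """Return a list of findings; an empty list means the checks passed.

    Pass expect_frame_options=False for the action-service files, where the
    guide lists only the SSL protocol and cipher directives.
    """
    directives = parse_directives(conf_text)
    findings = []
    protocols = " ".join(directives.get("ssl_protocols", [])).split()
    if not protocols:
        findings.append("ssl_protocols is not set")
    old = [p for p in protocols if p in OLD_PROTOCOLS]
    if old:
        findings.append("ssl_protocols enables " + ", ".join(old))
    ciphers = directives.get("ssl_ciphers", [])
    if not ciphers:
        findings.append("ssl_ciphers is not set")
    for value in ciphers:
        weak = enabled_weak_tokens(value)
        if weak:
            findings.append("ssl_ciphers enables " + ", ".join(weak))
    if "on" not in directives.get("ssl_prefer_server_ciphers", []):
        findings.append("ssl_prefer_server_ciphers is not on")
    headers = [v.lower() for v in directives.get("add_header", [])]
    if expect_frame_options and not any(h.startswith("x-frame-options") for h in headers):
        findings.append("X-Frame-Options header is not set")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```
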
Avamar action service settings
When actions are triggered, the Search UI calls the Search action service. In the /etc/nginx/nginx.avamar-action.conf file, the Search action service is defined.
By default, in the /etc/nginx/nginx.avamar-action.conf file, the following settings are used:
• Port 450
• ssl_certificate_key /usr/local/search/etc/cert/server.key
• ssl_certificate /usr/local/search/etc/cert/server.crt
• ssl_client_certificate /usr/local/search/etc/cert/ca.crt
To make changes to the default port, ssl_certificate_key, ssl_certificate, or ssl_client_certificate, edit the following file:
/etc/nginx/nginx.avamar-action.conf
After changes are made to the file, restart Nginx.
Note
If a port is changed, update the firewall settings.
The /etc/nginx/nginx.avamar-action.conf file also contains the following configurations:
• SSL protocols (ssl_protocols)
• SSL ciphers (ssl_prefer_server_ciphers, ssl_ciphers)
NetWorker action service settings
When actions are triggered, the Search UI calls the Search action service. In the /etc/nginx/nginx.networker-action.conf file, the Search action service is defined.
By default, in the /etc/nginx/nginx.networker-action.conf file, the following settings are used:
• Port 449
• ssl_certificate_key /usr/local/search/etc/cert/server.key
• ssl_certificate /usr/local/search/etc/cert/server.crt
• ssl_client_certificate /usr/local/search/etc/cert/ca.crt
To make changes to the default port, ssl_certificate_key, ssl_certificate, or ssl_client_certificate, edit the following file:
/etc/nginx/nginx.networker-action.conf
After changes are made to the file, restart nginx.
Note
If a port is changed, update the firewall settings.
The /etc/nginx/nginx.networker-action.conf file also contains the following configurations:
• SSL protocols (ssl_protocols)
• SSL ciphers (ssl_prefer_server_ciphers, ssl_ciphers)
Common Index Service settings
In the /etc/nginx/nginx.cis.conf file, settings for the Common Index Service (CIS) are defined.
By default, the /etc/nginx/nginx.cis.conf file uses the following settings:
• Port 445
• Self-signed certificate /usr/local/search/etc/cert/server.crt
• Key /usr/local/search/etc/cert/server.key
Note
As an Elasticsearch passthrough, CIS opens a secondary port. The default port changes to 442.
To make changes to the default port, self-signed certificate, or key, edit the following file:
/etc/nginx/nginx.cis.conf
After changes are made to the file, restart nginx.
Note
If a port is changed, update the firewall settings.
Configure LDAP and AD users
Search is configured with a built-in OpenLDAP service that includes preconfigured user accounts and groups. The Admin user account is preconfigured to include the system, application, and search Admin roles, which provides access to all Search functionality. While this account is useful for initial configuration, it is best practice to add one or more external Active Directory (AD) or OpenLDAP servers, and assign users or groups from those servers to Search roles. After you add the external AD or OpenLDAP servers, you can disable or remove the built-in OpenLDAP server.
The built-in OpenLDAP service is configured with a password policy to protect from brute-force attacks, and also enables automatic account unlock to prevent an account lockout attack.
The default Admin user account is not configured with an email address, and therefore cannot receive email notifications by default.
To configure LDAP and AD users, perform the following actions:
Procedure
1. In the Manage drop-down list, select System.
   The System Administration view appears.
2. Click Administration > Options > LDAP Options.
   The LDAP Options window appears.
3. To add an LDAP server, click .
   The Add LDAP Configuration window appears.
4. In the Name field, type the LDAP configuration name.
5. In the Server Type field, select either of the following authentication types:
   • Active Directory
   • OpenLDAP
6. In the LDAP Server field, type either of the following:
   • Hostname of the LDAP or AD server
   • IP address of the LDAP or AD server
7. In the LDAP port field, type the port number that the external authentication authority uses.
   For LDAP, the default port number is 389.
   For SSL, the default number for LDAPS changes to 636 when True is selected.
8. In the Base DN field, type the scope of the users and groups that are considered within the LDAP server.
   For example:
   DC=example, DC=com
   The Base DN determines the structure of the LDAP server where the search filter is applied. This is usually similar to the domain name over which the LDAP server has authority.
9. In the Username field:
   a. Type a user account that has full read access to the LDAP or AD directory, in the following format:
      [email protected]
      For example, [email protected]
      • For Active Directory, ensure that the username is one of the following:
        ▪ Common name
        ▪ Email address
        ▪ Display name
        ▪ User principal name (UPN) in the following format: user@domain
        ▪ SAM account name in the following format: domain/user
        ▪ Distinguished name (DN)
      • For OpenLDAP, ensure that the username is one of the following:
        ▪ Common name
        ▪ Email address
        ▪ Entry distinguished name
   b. Ensure that the user has read access to the directory.
   c. To include email notifications, define the email address for the account.
      Note
      Only Admin accounts with defined email addresses can receive email notifications.
10. In the Password field, type the password of the user account that you specified in the Username field.
11. In the SSL field, select either of the following options:
   • To connect to an external authentication server using LDAPS, select True.
     The default port number automatically changes to 636.
   • To ignore secure connection settings, select False.
12. In the Default field, leave the option set to False.
   The Default field refers to the Search built-in OpenLDAP server.
13. To test the connection, click Test Connection.
14. Click Save.
Maintaining the Search OpenLDAP server
You can change the following settings by editing the settings in the /etc/openldap/slapd.conf configuration file:
• Anti-brute force
• Account lockout
• Master-consumer deployment setting
• Database replicate
• Unlock admin account
• Password
Authentication configuration
This section describes user accounts and groups for LDAP.
Users can remotely log in to the Search admin and search web-based interfaces only by using appropriate accounts that are configured in LDAP. Roles within the software also determine a user's permissions when logged in.
The following table lists accounts and groups for LDAP.
Table 6 LDAP server
Accounts and Groups: System Administrator
Description: The System Administrator can:
• Assign the System Administrator role to other users and groups
• View the system health
• Configure and view system notifications
• Manage LDAP sources
Accounts and Groups: Application Administrator
Description: The Application Administrator can:
• Assign the following roles to users and groups:
  ▪ Application Administrator
  ▪ Full Access Search (Global)
• View the status of jobs on the source server
• Manage search roles for an index including the following:
  ▪ Full Access Search (Index)
  ▪ Read Only Search (Index)
• Add or edit a source
• Configure and view source notifications
• View the health of the source server
Accounts and Groups: Search Administrator - All access
Description: The Search Administrator - All access can:
• Full content index a search result
• Preview search results
• Download files locally
• Restore files to original or alternate location
Accounts and Groups: Search Administrator - Read only
Description: The Search Administrator - Read only can:
• Perform keyword searches
• Perform filter searches
• View metadata for the search results
• Restore files to the original location
About roles
A role defines the privileges and permissions for users to perform a group of tasks.
When you configure the Search virtual appliance, there are already predefined users from OpenLDAP.
Note
When you launch the Search virtual appliance within IDPA System Manager, the user has all admin access and full search access to all indexes. The IDPA single sign-on privileges override the roles that are allocated in Search.
System Administrator role
The System Administrator can perform the following tasks:
• Assign the System Administrator role to other users and groups
• View the system health
• Configure and view system notifications
• Manage LDAP sources
Assign the System Administrator role
To assign a System Administrator role, perform the following procedure. Only a System Administrator can add another System Administrator role.
Procedure
1. In the Manage drop-down list, select System.
   The System Administration view appears.
2. Click Administration > Roles.
   The Manage Roles window appears.
3. Click .
   The Select User window appears.
4. In the Select User window, perform the following steps:
   a. In the Name field, restrict the search to one of the following categories:
      • Users or Groups
      • Users
      • Groups
   b. Type the name of the user or group.
   c. In the Directory field, specify an authentication provider.
      For example, the name of the Active Directory.
   d. Click Find.
      The list of users or user groups appears.
      Note
      If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.
   e. Select a user, group, or click Select all.
   f. Click OK.
      The Manage Roles window appears.
5. In the Manage Roles window, select System Administrator to assign the role to the user or group that you added.
Example 1 Search for all users
To search for all users that contain Admin:
1. Type Admin.
2. Click Find.
Application Administrator role
The Application Administrator can manage specific configurations within the Search virtual appliance.
The Application Administrator can perform the following tasks:
• Assign the following roles to users and groups:
  ▪ Application Administrator
  ▪ Full Access Search (Global)
• View the status of jobs on the source server
• Manage search roles for an index including the following:
  ▪ Full Access Search (Index)
  ▪ Read Only Search (Index)
• Add or edit a source
• Configure and view source notifications
• View the health of the source server
Assign the Application Administrator role
Only an Application Administrator can assign the Application Administrator role.
Procedure
1. In the Manage drop-down list, select one of the following options:
   • Avamar
     The Avamar Administration view appears.
   • NetWorker
     The NetWorker Administration view appears.
2. Select Administration > Roles.
   The Manage Roles window appears.
3. To add a user or group, click .
   The Select User window appears.
4. In the Select User window, perform the following steps:
   a. In the Name field, restrict the search to one of the following categories:
      • Users or Groups
      • Users
      • Groups
   b. Type the name of the user or group.
   c. In the Directory field, specify an authentication provider.
      For example, the name of the Active Directory.
   d. Click Find.
      The list of users or user groups appears.
      Note
      If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.
   e. Select a user, group, or click Select all.
   f. Click OK.
      The Manage Roles window appears.
5. In the Manage Roles window, select Application Administrator to assign the role to the user or group that you added.
Example 2 Search for all users
To search for all users that contain Admin:
1. Type Admin.
2. Click Find.
Full Access Search (Global) roleThe Full Access Search (Global) role is a global search administrator that overridesany setting on indexes.
Only an Application Administrator can assign the Full Access Search (Global) role.
The Full Access Search (Global) role can perform the following actions:
l Full content index a search result
l Preview search results
l Download files locally
l Restore files to original or alternate location
Assigning the Full Access Search (Global) role
Only an Application Administrator can assign the Full Access Search (Global) role.
Procedure
1. In the Manage drop-down list, select one of the following options:
l Avamar
The Avamar Administration view appears.
l NetWorker
The NetWorker Administration view appears.
2. Click Administration > Roles.
The Manage Roles window appears.
3. To add a user or group, click .
The Select User window appears.
4. In the Select User window, perform the following steps:
a. In the Name field, restrict the search to one of the following categories:
l Users or Groups
l Users
l Groups
b. Type the name of the user or group.
c. In the Directory field, specify an authentication provider.
For example, the name of the Active Directory.
d. Click Find.
The list of users or user groups appears.
Note
If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.
e. Select a user, group, or click Select all.
f. Click OK.
The Manage Roles window appears.
5. In the Manage Roles window, select Full Access Search (Global) to assign the role to the user or group that has been added.
Example 3 Search for all users
To search for all users that contain Admin:
1. Type Admin.
2. Click Find.
Index specific search roles
The following roles can be applied to specific indexes.
Full Access Search (Index)
Only an Application Administrator can assign the Full Access Search (Index) role.
The Full Access Search (Index) role can perform the following actions inside a specified index:
l Full content index a search result
l Preview search results
l Download files locally
l Restore files to original or alternate location
The following figure illustrates how to assign the Full Access Search (Index) role.
Figure 3 Full Access Search (Index) role
Assign the Full Access Search (Index) role
Only an Application Administrator can assign the Full Access Search (Index) role for a specific index.
Before you begin
Ensure that the user or group has been added as an Active Directory or OpenLDAP source.
Procedure
1. In the Manage drop-down list, select one of the following options:
l Avamar
The Avamar Administration view appears.
l NetWorker
The NetWorker Administration view appears.
2. Click Administration > Indexes.
The list of indexes appears.
3. Select the Index that you want to give the user or group access to.
4. To manage search roles, click .
The Manage Search Roles window appears.
5. To add a user or group, click .
The Select User window appears.
6. In the Select User window, perform the following steps:
a. In the Name field, restrict the search to one of the following categories:
l Users or Groups
l Users
l Groups
b. Type the name of the user or group.
c. In the Directory field, specify an authentication provider.
For example, the name of the Active Directory.
d. Click Find.
The list of users or user groups appears.
Note
If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.
e. Select a user, group, or click Select all.
f. Click OK.
The Manage Roles window appears.
7. In the Manage Roles window, select Full Access Search (Index) to assign the role to the user or group that has been added.
Example 4 Search for all users
To search for all users that contain Admin:
1. Type Admin.
2. Click Find.
Read Only Search (Index) role
Only an Application Administrator can assign the Read Only Search (Index) role.
The Read Only Search (Index) role can perform the following actions inside a specific index:
l Perform keyword searches
l Perform filter searches
l View metadata for the search results
l Restore files to the original location
The following figure illustrates how to assign the Read Only Search (Index) role.
Figure 4 Read Only Search (Index) role
Assign the Read Only Search (Index) role
Only an Application Administrator can assign the Read Only Search (Index) role for a specific index.
Before you begin
Ensure that the user or group has been added as an Active Directory or OpenLDAP source.
Procedure
1. In the Manage drop-down list, select one of the following options:
l Avamar
The Avamar Administration view appears.
l NetWorker
The NetWorker Administration view appears.
2. Click Administration > Indexes.
The list of indexes appears.
3. Select the Index that you want to give the user or group access to.
4. To manage search roles, click .
The Manage Search Roles window appears.
5. To add a user or group, click .
The Select User window appears.
6. In the Select User window, perform the following steps:
a. In the Name field, restrict the search to one of the following categories:
l Users or Groups
l Users
l Groups
b. Type the name of the user or group.
c. In the Directory field, specify an authentication provider.
For example, the name of the Active Directory.
d. Click Find.
The list of users or user groups appears.
Note
If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.
To search for all users that contain Admin:
a. Type Admin.
b. Click Find.
e. Select a user, group, or click Select all.
f. Click OK.
The Manage Roles window appears.
7. To assign the role to a user or group, select Read Only Search (Index).
The Read Only Search (Index) role cannot perform the following actions:
l See inline preview for hits
l View full preview for hits
l Download files locally
l Restore files to an alternate location
Managing roles
This section describes how to add and edit user roles and assign access privileges to administrators.
Assign roles to users or groups
With the System Administrator or Application Administrator role, you can assign roles to users or groups.
Procedure
1. In the Manage drop-down list, select one of the following options:
l Avamar
The Avamar Administration view appears.
l NetWorker
The NetWorker Administration view appears.
l System
The System Administration view appears.
2. Click Administration > Roles.
The Manage Roles window appears.
3. To add a user or group, click .
The Select User window appears.
4. In the Select User window, perform the following steps:
a. In the Name field, restrict the search to one of the following categories:
l Users or Groups
l Users
l Groups
b. Type the name of the user or group.
c. In the Directory field, specify an authentication provider.
For example, the name of the Active Directory.
d. Click Find.
The list of users or user groups appears.
Note
If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.
To search for all users that contain Admin:
a. Type Admin.
b. Click Find.
e. Select a user, group, or click Select all.
f. Click OK.
The Manage Roles window appears.
5. To assign a role to a user or group, click one or more of the following options:
l Application Administrator
l Search Administrator
Remove users or groups
With the System Administrator or Application Administrator role, you can remove users or groups.
Procedure
1. In the Manage drop-down list, select one of the following options:
l Avamar
The Avamar Administration view appears.
l NetWorker
The NetWorker Administration view appears.
l System
The System Administration view appears.
2. Click Administration > Roles.
The Manage Roles window appears.
3. Click the name of the user or group you want to delete.
4. Click .
5. To remove the user or group, in the Confirm window, click Confirm.
Results
The users or groups are no longer listed.
Edit role assignments
With the System Administrator or Application Administrator role, you can assign or edit roles.
Procedure
1. In the Manage drop-down list, select one of the following options:
l Avamar
The Avamar Administration view appears.
l NetWorker
The NetWorker Administration view appears.
l System
The System Administration view appears.
2. Click Administration > Roles.
The Manage Roles window appears.
3. Choose the user or group whose role you want to edit.
4. Click one or more of the following options:
l Application Administrator
l Full Access Search (Global)
The following figure displays the Manage Roles window.
Figure 5 Manage Roles window
Log files
All log files are stored on disk 3, the separate disk. The /usr/local/search/log directory is mapped to /mnt/search/log. The logs are written to a dedicated disk so that they cannot fill the system disk.
The default log directory, /usr/local/search/log, contains the following logs.
Table 7 Log files
Logs                                     Description
search-adminapi-nodename                 Main log file for the Admin REST API
search-adminapi-stderr-nodename          List of API calls made into the Admin REST API
search-adminapi-stdout-nodename          Details about the debugging output for the Admin REST API
search-api-nodename                      Main log file for the Search REST API
search-api-stderr-nodename               List of API calls made into the Search REST API
search-api-stdout-nodename               Details about the debugging output for Search REST API
search-avamar-action-nodename            Main log file for the Avamar action service REST API
search-avamar-action-stderr-nodename     A succinct list of API calls made into the Avamar action service REST API
search-avamar-action-stdout-nodename     Details about the debugging output for the Avamar action service REST API
search-avamar-worker-nodename            Main log file for the Avamar Java worker service
search-avamar-worker-stdout-nodename     Details about the Avamar Java worker service settings
search-networker-action-nodename         Main log file for the NetWorker action service REST API
search-networker-action-stderr-nodename  A succinct list of API calls made into the NetWorker action service REST API
search-networker-action-stdout-nodename  Details about the debugging output for the NetWorker action service REST API
search-networker-worker-nodename         Main log file for the NetWorker Java worker service
search-networker-worker-stdout-nodename  Details about the NetWorker Java worker service settings
search-worker-nodename                   Main log file for the Search platform Java worker service
search-worker-stdout-nodename            Details about the Search platform Java worker service settings
Subdirectories contain the logs for the following services.
Table 8 Services and logs
Logs Description
Elasticsearch Index engine logs
CIS Common Index Service logs
Nginx Web server logs
Puppet Puppet master and agent logs
Use a secure FTP client, such as WinSCP or PuTTy (psftp), to copy log files from the Search nodes to a Windows computer.
Note
The WinSCP tool provides a GUI, and retains the settings, including both local and remote directory locations.
Copy log files (WinSCP)
Before you begin
Install WinSCP by downloading WinSCP from winscp.net.
Procedure
1. From the WinSCP wizard, select Stored sessions, and click New.
2. Add a session by completing the following fields:
l Hostname
l Port number (default is 22)
l Root username
l Password
3. Click Directories and complete the following fields:
l In the Remote directory field, type cd /usr/local/search/log
l In the Local directory field, type local directory
4. To save the session:
a. Click Save.
b. Click Login.
5. Drag the logs from the Remote Directory section of the window to the Local Directory section of the window.
Copy log files (PuTTy)
Use a secure FTP client, such as PuTTy (psftp), to copy log files from the Search nodes to a Microsoft Windows computer.
Before you begin
Download and install PuTTy from winscp.net.
Procedure
1. Log in with the Search Root user credentials that are created during deployment.
2. Change to the log directory:
cd /usr/local/search/log
3. To download the log files, run the mget * command.
4. If required, unzip the log files.
Older versions of the logs are compressed based on size or date.
Managing logs
All log files are stored on disk 3, the separate disk. The logs are located in /usr/local/search/log. The logs are written to a dedicated disk so that they cannot fill the system disk.
The default log directory, /usr/local/search/log, is mapped to /mnt/search/log.
Follow the procedures in this section to learn how to manage the following log properties:
l Log file location
l Log level
l Log size
l Log count
Managing logs for API-based services
To troubleshoot and diagnose problems, you can manage the log files of the following services and components:
l Admin API
l Search Admin API
l Common Indexing Service (CIS) Core
l CIS Scheduler
Log file location
The following table provides a summary of the log files available for the Admin/Search REST API.
Table 9 Admin/Search REST API log files
Module      Configuration file                 Log file location                                  Default log level
Admin API   /usr/local/search/etc/system.conf  {log_path}/search-adminapi-{host_name}.log         ERROR
                                               {log_path}/search-adminapi-stdout-{host_name}.log
                                               {log_path}/search-adminapi-stderr-{host_name}.log
Search API  /usr/local/search/etc/system.conf  {log_path}/search-api-{host_name}.log              ERROR
                                               {log_path}/search-api-stdout-{host_name}.log
                                               {log_path}/search-api-stderr-{host_name}.log
Manage the log level
The system.conf file provides the ability to modify the log level for the Admin/Search REST API.
To modify the log level, complete the following steps:
Procedure
1. Open the system.conf file with a text editor.
2. In the system.conf file, locate the following section:
"log": {
    "comments": "log.level VERBOSE = 0, INFO = 1, WARNING = 2, ERROR = 3",
    "admin_api": "/usr/local/search/log/search-adminapi-stevenzincdev.log",
    "search_api": "/usr/local/search/log/search-api-stevenzincdev.log",
    "level": 3
}
3. Change the log level by editing the level attribute:
Specify one of the following log levels:
l 0
l 1
l 2
l 3
4. Restart the corresponding services.
Manage log size and log count
The logrotate utility manages the size of log files, and determines the number of archived log files to maintain.
Note
A cron job runs daily to rotate the API log files.
The following table outlines the logrotate configuration files for the Admin/Search REST API, CIS core service, and CIS scheduler service.
Table 10 Configuration files
Service Configuration file
Admin API /etc/logrotate.d/search-adminapi.lr
Search API /etc/logrotate.d/search-api.lr
CIS core service /etc/logrotate.d/search-cis-core.lr
CIS scheduler service /etc/logrotate.d/search-cis-schedule.lr
Procedure
1. Open the corresponding logrotate configuration file.
2. In the logrotate configuration file, locate the following section:
/usr/local/search/log/search-adminapi*.log {
    su root root
    rotate 5
    size 100M
    missingok
    nodateext
    notifempty
    compress
    delaycompress
    lastaction
        pid=/var/run/search/search-adminapi.pid
        test -s $pid && kill -USR1 "$(cat $pid)"
    endscript
}
3. Change the log size and the number of log files to maintain, by editing the rotate and size parameters.
where:
l rotate defines the number of archived log files that the Search software maintains. The default value is 5.
l size defines the maximum size of the log file. The default value is 100M.
Managing logs for Worker and Action services
To troubleshoot and diagnose problems, you can manage the log files for the following services and components:
l Avamar Action service
l Avamar Worker service
l NetWorker Action service
l NetWorker Worker service
l Search Worker service
Log file location
The following table provides a summary of the log files available for the action services, worker services, and system worker service.
Table 11 Worker Services log files
Module                    Configuration file                                        Log file location
Search-Worker             /usr/local/search/etc/log4j2-search-worker.xml            {log_path}/search-worker.log
Avamar-Worker             /usr/local/search/etc/log4j2-search-avamar-worker.xml     {log_path}/search-avamar-worker-{host_name}.log
Networker-Worker          /usr/local/search/etc/log4j2-search-networker-worker.xml  {log_path}/search-networker-worker-{host_name}.log
Avamar-Action-Service     /usr/local/search/etc/log4j2-search-avamar-action.xml     {log_path}/search-avamar-action-{host_name}.log
Networker-Action-Service  /usr/local/search/etc/log4j2-search-networker-action.xml  {log_path}/search-networker-action-{host_name}.log
Manage the log level
The log4j file provides the ability to modify the log level for the action services, worker services, and system worker service.
To modify the log level, complete the following steps:
Procedure
1. Open the corresponding log4j configuration file.
2. In the log4j configuration file, perform the following tasks:
l To modify the log level for the Search Avamar Action service or the Search NetWorker Action service, locate the following section:
<Logger name="com.emc.zinc" level="error" additivity="false">
    <AppenderRef ref="Routing"/>
</Logger>
l To modify the log level for the Search Avamar Worker service, Search NetWorker Worker service, or Search Worker service, locate the following section:
<Root level="info">
    <AppenderRef ref="Routing" />
</Root>
3. Change the log level by editing the level attribute.
Specify one of the following log levels:
l trace
l debug
l info
l warn
l error
4. Restart the corresponding services.
Manage log size and log count
The log4j file manages the size of log files, and determines the number of archived log files to maintain for the action services, worker services, and system worker service.
The following table lists the log4j configuration files.
Table 12 Configuration files
Service Configuration file
Avamar action service log4j2-search-avamar-action.xml
Avamar worker service log4j2-search-avamar-worker.xml
NetWorker action service log4j2-search-networker-action.xml
NetWorker worker service log4j2-search-networker-worker.xml
System worker service log4j2-search-worker.xml
Procedure
1. Open the corresponding log4j configuration file.
2. In the log4j configuration file, locate the following section:
<Policies>
    <!-- <OnStartupTriggeringPolicy /> -->
    <!-- <TimeBasedTriggeringPolicy /> -->
    <SizeBasedTriggeringPolicy size="100 MB"/>
</Policies>
<DefaultRolloverStrategy max="5"/>
</RollingFile>
3. Change the log size and the number of log files to maintain, by editing the SizeBasedTriggeringPolicy size and DefaultRolloverStrategy max attributes.
where:
l SizeBasedTriggeringPolicy size defines the maximum size of the log file. The default value is 100 MB.
l DefaultRolloverStrategy max defines the number of archived log files that the Search software maintains. The default value is 5.
Managing logs for Elasticsearch
To troubleshoot and diagnose problems, you can manage the log files for the Elasticsearch service.
About the Elasticsearch logs
The Elasticsearch log files are located in /usr/local/search/log/elasticsearch. The default logging level is ERROR.
Elasticsearch uses log4j to manage the log file level, size, and count. The configuration file for log4j is located at /etc/elasticsearch/log4j2.properties.
Manage the log level
The log4j file provides the ability to modify the log level for Elasticsearch.
To modify the log level, complete the following steps:
Procedure
1. Open the corresponding log4j configuration file.
2. In the log4j configuration file, locate the following section:
rootLogger.level = error
3. Change the log level by editing the rootLogger.level attribute.
Specify one of the following log levels:
l trace
l debug
l info
l warn
l error
4. Restart the corresponding services.
Manage log size and log count
The log4j utility manages the size of log files, and determines the number of archived log files to maintain for the Elasticsearch service.
Procedure
1. Open the log4j configuration file.
2. In the log4j configuration file, locate the sections that correspond to the following logs:
l rolling
l deprecation_rolling
l index_search_slowlog_rolling
l index_indexing_slowlog_rolling
To adjust the size and number of retained logs, locate and modify the following parameters for the log you want to manage:
Table 13 Elasticsearch log parameters
Parameter name                                                  Description                                                                        Default value
appender.rolling.policies.size.size                             The maximum allowed log size before rotation. Specify the value in KB, MB, or GB.  100 MB
appender.deprecation_rolling.policies.size.size
appender.rolling.strategy.max                                   The maximum number of rotated log files to retain.                                 5
appender.deprecation_rolling.strategy.max
appender.index_search_slowlog_rolling.policies.time.interval    The duration of the logging period, in days.                                       1
appender.index_indexing_slowlog_rolling.policies.time.interval
Managing logs for Nginx
To troubleshoot and diagnose problems, you can manage the log files for Nginx.
Configuration file location
The following table provides a summary of the configuration files available for Nginx. All the Nginx configuration files are located in /etc/nginx.
Table 14 Nginx log files
Module Configuration file
Avamar action service nginx.avamar-action.conf
CIS nginx.cis.conf
Nginx nginx.conf
NetWorker action service nginx.networker-action.conf
Search service nginx.search.conf
Modifying the log level
The Nginx logging options are highly configurable. The Nginx documentation provides more information.
Manage log size and log count
The logrotate utility manages the size of log files, and determines the number of archived log files to maintain. The Nginx logrotate configuration file is located at /etc/logrotate.d/nginx.lr.
Procedure
1. Open the Nginx logrotate configuration file.
2. In the logrotate configuration file, locate the following section:
/usr/local/search/log/nginx/nginx*.log {
    su root root
    rotate 5
    size 100M
    missingok
    nodateext
    notifempty
    compress
    delaycompress
    missingok
    lastaction
        pid=/var/run/nginx.pid
        test -s $pid && kill -USR1 "$(cat $pid)"
    endscript
}
3. Change the log size and the number of log files to maintain, by editing the rotate and size parameters.
where:
l rotate defines the number of archived log files that Nginx maintains. The default value is 5.
l size defines the maximum size of the log file. The default value is 100M.
Manage logs for the Puppet agent
To troubleshoot and diagnose problems, you can manage the log files for the Puppet agent.
Manage the log level
The upgrade.conf file provides the ability to modify the log level for the Puppet agent.
The Puppet agent log files are located in /etc/puppet/log/puppet_agent.log. The default logging level is WARN.
The configuration file for the Puppet agent log is located at /etc/puppet/upgrade.conf.
Procedure
1. Open the corresponding configuration file.
2. In the upgrade.conf configuration file, locate the following section:
loglevel="WARN"
3. Change the log level by editing the loglevel attribute.
Specify one of the following log levels:
l DEBUG
l INFO
l WARN
l ERROR
4. Restart the corresponding services.
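The log-level settings described in this guide (system.conf, the log4j2 XML files, the Elasticsearch log4j2.properties file, and the Puppet upgrade.conf file) use different syntaxes and scales. The following added example, which is not part of the Dell EMC guide, reads each one and reports which services log less than a chosen baseline. The sample contents are constructed from the fragments shown in the procedures; that system.conf parses as JSON, the wrapper elements around the XML fragments, and the "warn" baseline are assumptions.

```python
import json
import re
import xml.etree.ElementTree as ET

# Shared scale, lower = more verbose. The numeric codes are the ones listed in
# the "comments" field of the system.conf section shown in this guide.
RANK = {"trace": 0, "verbose": 0, "debug": 1, "info": 2,
        "warn": 3, "warning": 3, "error": 4}
SYSTEM_CONF_CODES = {0: "verbose", 1: "info", 2: "warning", 3: "error"}

# Constructed samples: the guide's fragments, wrapped so that they parse
# (the JSON braces and the <Configuration>/<Loggers> wrappers are assumptions).
SYSTEM_CONF = '{"log": {"level": 3}}'
ACTION_XML = """<Configuration><Loggers>
  <Logger name="com.emc.zinc" level="error" additivity="false">
    <AppenderRef ref="Routing"/>
  </Logger>
</Loggers></Configuration>"""
WORKER_XML = """<Configuration><Loggers>
  <Root level="info"><AppenderRef ref="Routing"/></Root>
</Loggers></Configuration>"""
ES_PROPERTIES = "rootLogger.level = error\n"
PUPPET_CONF = 'loglevel="WARN"\n'


def level_from_system_conf(text):
    """Admin/Search REST API: numeric "level" inside the "log" object."""
    return SYSTEM_CONF_CODES[int(json.loads(text)["log"]["level"])]


def level_from_log4j2_xml(text, logger=None):
    """Worker and Action services: <Logger name=...> if named, else <Root>."""
    for el in ET.fromstring(text).iter():
        if (logger and el.tag == "Logger" and el.get("name") == logger) or \
           (not logger and el.tag == "Root"):
            return el.get("level").lower()
    raise LookupError(logger or "Root")


def level_from_key_value(text, key):
    """Elasticsearch log4j2.properties and Puppet upgrade.conf: key = value."""
    m = re.search(r'^\s*' + re.escape(key) + r'\s*=\s*"?(\w+)"?\s*$', text, re.M)
    if m is None:
        raise LookupError(key)
    return m.group(1).lower()


def audit(baseline):
    """Return ({service: level}, [services that log less than baseline])."""
    levels = {
        "admin/search api": level_from_system_conf(SYSTEM_CONF),
        "action services": level_from_log4j2_xml(ACTION_XML, "com.emc.zinc"),
        "worker services": level_from_log4j2_xml(WORKER_XML),
        "elasticsearch": level_from_key_value(ES_PROPERTIES, "rootLogger.level"),
        "puppet agent": level_from_key_value(PUPPET_CONF, "loglevel"),
    }
    quiet = sorted(s for s, lvl in levels.items() if RANK[lvl] > RANK[baseline])
    return levels, quiet


if __name__ == "__main__":
    levels, quiet = audit("warn")  # example baseline, not a Dell EMC default
    for service, level in levels.items():
        flag = "below baseline" if service in quiet else ""
        print(f"{service:18} {level:8} {flag}")
```

With the default values shown in this guide, the API services, the action services, and Elasticsearch record only errors, so warnings from those components are not available during an investigation unless the level is lowered beforehand.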
Manage log size and log count
The logrotate utility manages the size of log files, and determines the number of archived log files to maintain. The Puppet agent logrotate configuration file is located at /etc/logrotate.d/puppet.lr.
Procedure
1. Open the Puppet agent logrotate configuration file.
2. In the logrotate configuration file, locate the following section:
/usr/local/search/log/puppet/puppet_*.log {
    su root root
    rotate 5
    size 100M
    missingok
    nodateext
    notifempty
    compress
    delaycompress
    missingok
}
3. Change the log size and the number of log files to maintain, by editing the rotate and size parameters.
where:
l rotate defines the number of archived log files that Nginx maintains. The default value is 5.
l size defines the maximum size of the log file. The default value is 100M.
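How much history the rotate and size parameters keep depends on log volume and on how often logrotate runs. The following added example, which is not part of the Dell EMC guide, parses a stanza like those shown for the API, Nginx, and Puppet logs and estimates the days of history held in the archives. The sample stanza is constructed from the Admin API section, the daily volumes are constructed, and one logrotate run per day is assumed, as the note on the API cron job describes.

```python
import math
import re

# Constructed sample: the Admin API stanza from this guide, one directive per line.
SAMPLE = """\
/usr/local/search/log/search-adminapi*.log {
    su root root
    rotate 5
    size 100M
    missingok
    nodateext
    notifempty
    compress
    delaycompress
    lastaction
        pid=/var/run/search/search-adminapi.pid
        test -s $pid && kill -USR1 "$(cat $pid)"
    endscript
}
"""

UNITS = {"": 1, "k": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
SCRIPT_OPENERS = {"prerotate", "postrotate", "firstaction", "lastaction", "preremove"}
MIB = 1024 ** 2


def parse_stanzas(text):
    """Return {log pattern: {directive: argument}}, skipping script bodies."""
    stanzas, current, in_script = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if in_script:  # shell lines up to endscript are not directives
            in_script = line != "endscript"
        elif current is None:
            if line.endswith("{"):
                current = line[:-1].strip()
                stanzas[current] = {}
        elif line == "}":
            current = None
        elif line in SCRIPT_OPENERS:
            in_script = True
        else:
            key, _, arg = line.partition(" ")
            stanzas[current][key] = arg.strip()
    return stanzas


def size_bytes(value):
    """Convert a logrotate size argument such as 100M, 512k or 1G to bytes."""
    m = re.fullmatch(r"(\d+)([kMG]?)", value)
    if m is None:
        raise ValueError(f"unsupported size: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def retention(directives, daily_growth_bytes):
    """Estimate history kept when logrotate runs once a day at a steady volume."""
    rotate = int(directives["rotate"])
    limit = size_bytes(directives["size"])
    # `size` is only evaluated when logrotate runs, so the live file keeps
    # growing until the first daily run at which it has reached the limit.
    days_per_rotation = max(1, math.ceil(limit / daily_growth_bytes))
    return {
        "days_in_archives": rotate * days_per_rotation,
        "peak_live_bytes": days_per_rotation * daily_growth_bytes,
    }


if __name__ == "__main__":
    directives = parse_stanzas(SAMPLE)["/usr/local/search/log/search-adminapi*.log"]
    for growth_mib in (30, 400):  # constructed daily volumes
        print(growth_mib, "MiB/day ->", retention(directives, growth_mib * MIB))
```

At 400 MiB per day the live file reaches four times the configured size before it is rotated, and the five archives cover only five days, so busy nodes need a larger rotate value or off-node log collection to keep a longer record.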