APTARE StorageConsole Security Brief
Version 10.1.00
APTARE StorageConsole Security Brief
APTARE StorageConsole provides a platform for the following products:
APTARE StorageConsole Backup Manager
APTARE StorageConsole Capacity Manager
APTARE StorageConsole Fabric Manager
APTARE StorageConsole File Analytics
APTARE StorageConsole Virtualization Manager
APTARE StorageConsole Replication Manager
APTARE StorageConsole can be deployed securely in a variety of operational environments, including a private LAN, virtual private network (VPN), corporate Intranet and even the public Internet. The security features for APTARE StorageConsole communications (for example, between Web Client and Host) can be customized for your operational environment. APTARE StorageConsole can be configured to provide an end-to-end security context between the user’s browser and the APTARE StorageConsole Portal Server which provides security, privacy, user authentication and no repudiation. Messages between the APTARE StorageConsole Web Client and Portal Server (Portal) are secured when the server is configured to use HTTPS/SSL, which provides for authentication and encryption of traffic. SSL communication between the Portal and the Data Collectors is fully supported.
APTARE StorageConsole has a hub and spoke architecture with two main components:
Portal: A centralized location (the underlying database is embedded and includes licenses, etc. for Oracle 12c).
Data Collectors: For APTARE StorageConsole Backup Manager, the Data Collector interfaces with the underlying Backup Vendor Products (for example, Veritas NetBackup, Veritas Backup Exec, IBM TSM, EMC Avamar, EMC NetWorker, HP Data Protector, or Commvault Simpana) using the standard published interfaces to that backup product. Likewise, for APTARE StorageConsole Capacity Manager, the Data Collector uses storage array mechanisms specific to each vendor’s storage system (for example, HDS, IBM, EMC Symmetrix, EMC CLARiiON, Pure Storage, and NetApp). In addition, Host Resources data is acquired, as described in Managed Host Security. The data is parsed and packaged into Java objects; serialized into an HTTP or HTTPS data stream, compressed and sent over network via port 80 (HTTP) or port 443 (HTTPS) and inserted into the underlying Portal database.
Portal Server Architecture
APTARE StorageConsole uses a three-tiered architecture on the Portal Server(s):
Web Server: APTARE StorageConsole embeds Apache and applies the latest set of Apache security patches to eliminate all known security vulnerabilities.
Apache Tomcat: APTARE StorageConsole uses Tomcat as the Java Servlet engine. APTARE StorageConsole communicates between Apache and Tomcat using standard Apache connectors.
Oracle 12c database: APTARE StorageConsole communicates with the Oracle 12c database using JDBC.
The APTARE StorageConsole Portal deploys Apache Tomcat on a single web server and the Oracle 12c database on its own dedicated system.
Figure 1.1 Architecture with Port Numbers
Web Browser Security
All of the APTARE StorageConsole Portal features, including APTARE StorageConsole Capacity Manager, are accessible through a standard web browser that supports HTML 5. This native browser integration eliminates the need for Java applets, ActiveX controls, or any other piece of client-installed software. This browser-based user interface allows corporations to leverage standards-based security, such as SSL, to protect and encrypt traffic between the APTARE StorageConsole Portal and the client browser.
User Authentication
The APTARE StorageConsole Portal supports the following user authentication methods:
Local LDAP. APTARE StorageConsole Portal bundles OpenLDAP to manage user login authentication. For information about OpenLDAP, go to http://www.openldap.org.
Enterprise LDAP. Refers to any standard LDAP service, including Microsoft Active Directory. For information about Active Directory, go to Microsoft’s Active Directory portal.
By default, APTARE StorageConsole Portal uses OpenLDAP for user authentication.