Managed Host Security
Version 10.1.00
Managed Host Security
APTARE StorageConsole Data Collector requires read-only access to execute non-intrusive commands on hosts. These commands are described in the following sections, for both Windows Servers and Linux environments. It is strongly recommended that a separate login account used strictly for APTARE StorageConsole be established and using Active Directory for Windows systems and the sudo command for Linux systems, restrict the commands that APTARE StorageConsole can issue. This best practice approach has proven successful in the deployment of APTARE StorageConsole at a very large, secure U.S. government agency with extremely stringent security requirements.
Microsoft Windows
Communication: The APTARE StorageConsole Data Collector communicates with Windows hosts through the native Windows Management Instrumentation service (WMI). WMI uses the Distributed Component Object Model (DCOM) to communicate and DCOM dynamically allocates the port numbers for clients. DCOM’s service typically runs on port 135 and any client communicating with a host connects on this port. Then, the DCOM service allocates the specific port for the WMI service. More information on DCOM and WMI can be found here: In addition, any hosts that have a Host Bus Adapter (HBA) need to have either HBA management software or fcinfo installed. See
Authentication: WMI uses NTLM authentication. Due to security restrictions imposed by Microsoft on the Plug and Play manager, the APTARE StorageConsole Data Collector requires an account in the local administrator’s group and uses Active Directory to restrict command execution.
Communication: The APTARE StorageConsole Data Collector communicates with Linux hosts via SSH and SSH2. If SSH is unavailable, the Data Collector will attempt to connect using telnet. By default, SSH uses TCP port 22 and Telnet uses TCP port 23.
Authentication: To access the volume managers and HBA APIs, the Data Collector needs to run privileged commands. If a root user is unavailable, the APTARE StorageConsole Data Collector can use pbrun, sudo, or similar technologies to temporarily elevate privileges.