Dell EMC Search Version 19.2 Security Configuration Guide Rev 01 November 2019
Copyright © 2018-2019 Dell Inc. or its subsidiaries. All rights reserved.
Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.” DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND
WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED
IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.
Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property
of their respective owners. Published in the USA.
Dell EMC, Hopkinton, Massachusetts 01748-9103. 1-508-435-1000. In North America 1-866-464-7381. www.DellEMC.com
CONTENTS
Preface
Chapter 1: Communication Security
    Port usage
    Network encryption
    Cryptographic modules
    Login, session, and password protection
    Firewall rules
    NFS share
    Elasticsearch REST API
    Data security
Chapter 2: Access control
    Default accounts
    Search application settings
    Avamar action service settings
    NetWorker action service settings
    Common Index Service settings
    Configure LDAP and AD users
    Maintaining the Search OpenLDAP server
    Authentication configuration
    About roles
        System Administrator role
        Application Administrator role
        Full Access Search (Global) role
        Index specific search roles
    Managing roles
        Assign roles to users or groups
        Remove users or groups
        Edit role assignments
    Log files
        Copy log files (WinSCP)
        Copy log files (PuTTY)
    Managing logs
        Managing logs for API-based services
        Managing logs for Worker and Action services
        Managing logs for Elasticsearch
        Managing logs for Nginx
        Manage logs for the Puppet agent
Preface
As part of an effort to improve product lines, periodic revisions of software and hardware are released. Therefore, all versions of the software or hardware currently in use might not support some functions that are described in this document. The product release notes provide the most up-to-date information on product features.
If a product does not function correctly or does not function as described in this document, contact a technical support professional.
Note: This document was accurate at publication time. To ensure that you are using the latest version of this document, go to the Support website https://www.dell.com/support.
Purpose
This document describes the security features and settings of Dell EMC Search.
Audience
This document is intended for the following administrators who will be involved in managing Search.
• Search administrator
• Index administrator
Revision history
The following table includes information about the revision history of this publication:
Table 1 Revision history
| Revision | Date | Changes |
|---|---|---|
| 01 | November 15, 2019 | GA release of the Search 19.2 Security Configuration Guide. |
Related documentation
The following publications provide additional information:
• Search Deployment and Administration Guide
• Search Security Configuration Guide
• E-Lab Navigator at https://elabnavigator.emc.com/eln/elnhome
• Search Release Notes
Special notice conventions that are used in this document
The following conventions are used for special notices:
NOTICE Identifies content that warns of potential business or data loss.
Note: Contains information that is incidental, but not essential, to the topic.
Typographical conventions
The following type style conventions are used in this document:
Table 2 Style conventions
Bold: Used for interface elements that a user specifically selects or clicks, for example, names of buttons, fields, tab names, and menu paths. Also used for the name of a dialog box, page, pane, screen area with title, table label, and window.
Italic: Used for full titles of publications that are referenced in text.
Monospace: Used for:
  • System code
  • System output, such as an error message or script
  • Pathnames, file names, file name extensions, prompts, and syntax
  • Commands and options
Monospace italic: Used for variables.
Monospace bold: Used for user input.
[ ]: Square brackets enclose optional values.
|: Vertical line indicates alternate selections. The vertical line means or for the alternate selections.
{ }: Braces enclose content that the user must specify, such as x, y, or z.
...: Ellipses indicate non-essential information that is omitted from the example.
You can use the following resources to find more information about this product, obtain support, and provide feedback.
Where to find product documentation
• https://www.dell.com/support
• https://community.emc.com
Where to get support
The Support website https://www.dell.com/support provides access to product licensing, documentation, advisories, downloads, and how-to and troubleshooting information. The information can enable you to resolve a product issue before you contact Support.
To access a product-specific page:
1. Go to https://www.dell.com/support.
2. In the search box, type a product name, and then from the list that appears, select the product.
Knowledgebase
The Knowledgebase contains applicable solutions that you can search for either by solution number (for example, KB000xxxxxx) or by keyword.
To search the Knowledgebase:
1. Go to https://www.dell.com/support.
2. On the Support tab, click Knowledge Base.
3. In the search box, type either the solution number or keywords. Optionally, you can limit the search to specific products by typing a product name in the search box, and then selecting the product from the list that appears.
Live chat
To participate in a live interactive chat with a support agent:
1. Go to https://www.dell.com/support.
2. On the Support tab, click Contact Support.
3. On the Contact Information page, click the relevant support, and then proceed.
Service requests
To obtain in-depth help from Licensing, submit a service request. To submit a service request:
1. Go to https://www.dell.com/support.
2. On the Support tab, click Service Requests.
Note: To create a service request, you must have a valid support agreement. For details about either an account or obtaining a valid support agreement, contact a sales representative. To get the details of a service request, in the Service Request Number field, type the service request number, and then click the right arrow.
To review an open service request:
1. Go to https://www.dell.com/support.
2. On the Support tab, click Service Requests.
3. On the Service Requests page, under Manage Your Service Requests, click View All Dell Service Requests.
Online communities
For peer contacts, conversations, and content on product support and solutions, go to the Community Network https://community.emc.com. Interactively engage with customers, partners, and certified professionals online.
How to provide feedback
Feedback helps to improve the accuracy, organization, and overall quality of publications. You can send feedback to [email protected].
CHAPTER 1
Communication Security
Communication security settings establish secure communication channels between product components and external systems or components. This chapter contains the following topics:
• Port usage
• Network encryption
• Cryptographic modules
• Login, session, and password protection
• Firewall rules
• NFS share
• Elasticsearch REST API
• Data security
Port usage
The ports that are listed in the following table are the Search default ports for the various components that all use the TCP/HTTPS protocol. Some of these ports can be changed. Various configuration files must be manually edited.
The following table lists the required ports for Search.
Table 3 Default ports
| Component | Service | Protocol | Port | Description |
|---|---|---|---|---|
| Common Indexing Service | NGINX | TCP/HTTPS | 442 | Secure access to Elasticsearch. |
| Search and Admin UIs and APIs | NGINX | TCP/HTTPS | 443 | Admin web application. Search web application. Admin REST API. Search REST API. |
| Common Indexing Service | NGINX | TCP/HTTPS | 445 | CIS REST API. The Common Indexing Service (CIS) provides a secure layer above Elasticsearch. |
| Elasticsearch cluster ports | NGINX | TCP/HTTPS | 9300–9400 | Ports for communicating with Elasticsearch (Index data nodes). Elasticsearch cluster ports are only opened internally, and are not for external access. |
| Puppet | Puppet | TCP | 8140, 61613 | Puppet master, agent, and console. Puppet ports must be open between Search nodes to allow for communication during an automatic upgrade. |
| Avamar Client | Avamar Client | TCP | 28000-29000, 30000-31000 | Ports for Avamar client communicating with Avamar server. Each client requires two ports from each port range. |
| NetWorker Client | NetWorker Client | TCP | 7937-8100 | Ports for NetWorker client communicating with NetWorker server. |
| OpenLDAP | slapd | TCP | 389 | Ports for the Search node communicating with OpenLDAP, and sync between OpenLDAP, are only opened internally. |
| SSH | sshd | TCP | 22 | Client connects to server through ssh. |
| NFS | nfs | TCP | 111, 2049 | Ports for communicating with NFS are only opened internally. |
The following figure displays port data flow and access. Inbound ports that are allowed include:
• 443 (mandatory)
• 442
• 445
• 8140
• 61613
• 9300–9400
• 28000-29000
• 30000-31000
• 7937-8100
• 389
• 22
• 111
• 2049
Figure 1 Port data flow and access
The following figure displays communications between Search nodes.
Note: Ports are still open.
Figure 2 Communications between Search nodes
Network encryption
The following table outlines the encryption strategies that are employed.
Table 4 Encryption strategies
| Communication | Encryption type |
|---|---|
| Web browser and Search web server (Admin/Search web applications) | TLS 1.2 with server authentication |
| Web browser and CIS web server (if going directly to CIS/Elasticsearch) | TLS 1.2 with mutual authentication |
| Search web server and CIS web server | TLS 1.2 with mutual authentication |
| Search web server and Search Action service APIs (Avamar/NetWorker) | TLS 1.2 with mutual authentication |
Note: For Avamar, SSL between Search and the Avamar Web Service is used with keystore to store the certificate for web service authentication. For NetWorker, backup and archive data on UNIX and Windows hosts are encrypted with the aes Application Specific Module (ASM). The aes ASM provides 256-bit data encryption. Backup data is encrypted based on a user-defined pass phrase. If no pass phrase is specified, data is encrypted with the default pass phrase.
Cryptographic modules
The following is a list of cryptographic modules that are used by Search:
• HS256 for signing JWT
• RSA1_5 2048 bit algorithms for encrypting the web tokens
• AES_256_GCM for lockbox encryption
• SHA256 2048 bit algorithms for NGINX SSL certificates
Disable the following ciphersuites:
• Null and low security ciphersuites
• Insecure algorithms: MD5, RC4, SHA1, and DES
• Little-used ciphers: kECDH, EXP, PSK, SRP, CAMELLIA, SEED, and DSS
Login, session, and password protection
The local system accounts allow users to log in to the virtual machine and access Elasticsearch directly by using port http://localhost:9200. This port is not accessible remotely. Local system access allows unrestricted access to Elasticsearch. Therefore, it is important that local system access is restricted.
Note: Elasticsearch is accessible remotely through port 442 and requires CIS credentials before login.
The Search login session expires after a 20-minute period of inactivity.
Firewall rules
Search requires access to the following external (world wide) ports:
• 442:445 (Web/Rest API)
• 28000-29000, 30000-31000 (Avamar Client)
• 7937-8100 (NetWorker client)
• 22 (SSH)
Search requires access to the following internal ports:
• 389 (openLDAP)
• 8140 (Puppet Master and Master node only)
• 61613 (Puppet)
• 9300:9400 (Elasticsearch)
• 111, 2049 (NFS)
To use ports 9300–9400, CIS provides access to IP addresses within a subnet. An example subnet is 128.222.162.
Elasticsearch nodes use ports 9300–9400 to form a cluster and to communicate with other Elasticsearch nodes.
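The external and internal port lists above can be checked against a node's packet-filter rules. The following is an added example, not part of the Dell guide or the product: it parses constructed iptables-save lines and flags internal-only ports that are accepted from outside the internal subnet. The /24 form of the guide's example subnet and the sample rules are assumptions.

```python
import ipaddress
import re

# Port lists copied from the "Firewall rules" section of this guide.
EXTERNAL = [(442, 445), (28000, 29000), (30000, 31000), (7937, 8100), (22, 22)]
INTERNAL = [(389, 389), (8140, 8140), (61613, 61613), (9300, 9400),
            (111, 111), (2049, 2049)]

# Assumption: the guide's example subnet "128.222.162" written as a /24.
INTERNAL_NET = ipaddress.ip_network("128.222.162.0/24")

# Constructed sample in iptables-save syntax (not taken from a Search node).
SAMPLE_RULES = """\
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 128.222.162.0/24 -p tcp -m tcp --dport 9300:9400 -j ACCEPT
-A INPUT -s 128.222.162.0/24 -p tcp -m multiport --dports 111,2049 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 8140 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9200 -j ACCEPT
"""


def parse_rule(line):
    """Return (source_network, [(lo, hi), ...]) for an INPUT ACCEPT rule, else None."""
    if not line.startswith("-A INPUT") or "-j ACCEPT" not in line:
        return None
    ports = re.search(r"--dports?\s+(\S+)", line)
    if not ports:
        return None
    src = re.search(r"(?:^|\s)(?:-s|--source)\s+(\S+)", line)
    # A rule without -s matches any source address.
    net = ipaddress.ip_network(src.group(1) if src else "0.0.0.0/0", strict=False)
    ranges = []
    for item in ports.group(1).split(","):
        lo, _, hi = item.partition(":")
        ranges.append((int(lo), int(hi or lo)))
    return net, ranges


def overlaps(rng, table):
    """True if the port range rng intersects any (lo, hi) range in table."""
    return any(rng[0] <= hi and lo <= rng[1] for lo, hi in table)


def audit(rules_text):
    """Return (ports, problem) tuples for rules that contradict the guide's lists."""
    findings = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line.strip())
        if parsed is None:
            continue
        net, ranges = parsed
        for rng in ranges:
            label = str(rng[0]) if rng[0] == rng[1] else f"{rng[0]}-{rng[1]}"
            if overlaps(rng, INTERNAL):
                # Internal ports must only be reachable from the internal subnet.
                if not net.subnet_of(INTERNAL_NET):
                    findings.append((label, f"internal-only port open to {net}"))
            elif not overlaps(rng, EXTERNAL):
                findings.append((label, "port not in the guide's firewall lists"))
    return findings


if __name__ == "__main__":
    for ports, problem in audit(SAMPLE_RULES):
        print(f"{ports}: {problem}")
```

The constructed rule for port 9200 is reported because the guide states that the local Elasticsearch port is not accessible remotely and it appears in neither list.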
NFS share
The Common Indexing Service (CIS) requires an NFS share to store backup files. You can only access this share internally, within a subnet.
For details, check the /etc/exports file.
Elasticsearch REST API
You can use the Elasticsearch REST API to implement custom applications or widgets. However, Dell does not support this API.
For more information, see the Elasticsearch documentation.
Data security
Search encrypts all in-flight data by using https.
Communication between Elasticsearch nodes is not encrypted.
Communication between Search node and local OpenLDAP is not encrypted.
Communication between Search node and NFS share is not encrypted.
CHAPTER 2
Access control
Access control settings provide protection of resources against unauthorized access.
This chapter contains the following topics:
• Default accounts
• Search application settings
• Avamar action service settings
• NetWorker action service settings
• Common Index Service settings
• Configure LDAP and AD users
• Maintaining the Search OpenLDAP server
• Authentication configuration
• About roles
• Managing roles
• Log files
• Managing logs
Default accounts
The following table lists the default Search accounts.
Table 5 Default account names
| Account type | Username | Description |
|---|---|---|
| User account | admin | Default system, application, and search admin account. Set at deployment time. |
| Root user | root | Root account for the virtual machine terminal. Set at deployment time. |
All other accounts are managed with an LDAP solution, such as Microsoft Active Directory. Any external LDAP accounts are specified by using the Search Administration application.
Search application settings
The /etc/nginx/nginx.conf file contains definitions for default ports and self-signed certificates for exposed UIs and REST APIs.
The /etc/nginx/nginx.search.conf file includes settings for the following components:
• Search UI
• Search REST API
• Admin UI
• Admin REST API
By default, in the /etc/nginx/nginx.search.conf file, the following settings are used:
• Port 443
• Self-signed certificate /usr/local/search/etc/cert/server.crt
• ssl_client_certificate /usr/local/search/action/search/etc/certs/ca.crt
• Key /usr/local/search/etc/cert/server.key
To make changes to the default port, self-signed certificate, ssl_client_certificate, or key, edit the following file:
/etc/nginx/nginx.search.conf
After changes are made to the file, restart nginx.
Note: If a port is changed, update the firewall settings.
The /etc/nginx/nginx.search.conf file also contains the following configurations:
• SSL protocols (ssl_protocols)
• SSL ciphers (ssl_prefer_server_ciphers, ssl_ciphers)
• Prevent clickjacking configuration (add_header X-Frame-Options)
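The directives listed above (ssl_protocols, ssl_ciphers, ssl_prefer_server_ciphers, add_header X-Frame-Options) can be audited against the TLS 1.2 entries in Table 4 and the disable list in the Cryptographic modules section. The following is an added example, not Dell's code and not the shipped nginx.search.conf: both configuration samples are constructed, and the mapping from the guide's terms to OpenSSL cipher-string keywords, as well as the rule that a broad alias needs an explicit exclusion for every term, are assumptions of the example.

```python
import re

# Terms from the guide's "Cryptographic modules" disable list, each mapped to
# the OpenSSL cipher-string keywords that exclude it (mapping is an assumption).
BANNED = {
    "NULL": {"NULL", "eNULL"}, "LOW": {"LOW"}, "MD5": {"MD5"}, "RC4": {"RC4"},
    "SHA1": {"SHA1", "SHA"}, "DES": {"DES"}, "kECDH": {"kECDH"},
    "EXP": {"EXP", "EXPORT"}, "PSK": {"PSK"}, "SRP": {"SRP"},
    "CAMELLIA": {"CAMELLIA"}, "SEED": {"SEED"}, "DSS": {"DSS", "aDSS"},
}
# Aliases that pull in many suites at once; the example then requires "!term".
BROAD_ALIASES = {"ALL", "DEFAULT", "HIGH", "MEDIUM"}
# Table 4 documents TLS 1.2 only, so anything older is reported.
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed samples, not copied from a Search appliance.
WEAK_CONF = """\
server {
    listen 443 ssl;
    # ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:MEDIUM:RC4-SHA:!aNULL;
}
"""
HARDENED_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "HIGH:!NULL:!LOW:!MD5:!RC4:!SHA1:!DES:!kECDH:!EXP:!PSK:!SRP:!CAMELLIA:!SEED:!DSS";
    add_header X-Frame-Options SAMEORIGIN;
}
"""


def directive(conf, name):
    """Return the argument string of every uncommented `name ...;` directive."""
    pattern = rf"^\s*{re.escape(name)}\s+([^;]+);"
    return [m.strip() for m in re.findall(pattern, conf, re.MULTILINE)]


def audit_ciphers(value):
    """Check one ssl_ciphers value against the guide's disable list."""
    tokens = [t for t in re.split(r"[:, ]+", value.strip("\"'")) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    positive = [t for t in tokens if t[0] not in "!-"]
    findings = []
    for tok in positive:
        # "RC4-SHA" or "kEDH+AESGCM" are split into their component names.
        parts = set(re.split(r"[-+]", tok))
        for term, keywords in BANNED.items():
            if parts & keywords:
                findings.append(f"ssl_ciphers enables {term} via {tok}")
    if BROAD_ALIASES & set(positive):
        for term, keywords in BANNED.items():
            if not keywords & excluded:
                findings.append(f"ssl_ciphers uses a broad alias without !{term}")
    return findings


def audit(conf):
    """Return a list of findings for one nginx configuration text."""
    findings = []
    protocols = " ".join(directive(conf, "ssl_protocols")).split()
    if not protocols:
        findings.append("ssl_protocols not set")
    findings += [f"ssl_protocols allows {p}" for p in protocols if p in OLD_PROTOCOLS]
    if directive(conf, "ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not on")
    ciphers = directive(conf, "ssl_ciphers")
    if not ciphers:
        findings.append("ssl_ciphers not set")
    for value in ciphers:
        findings += audit_ciphers(value)
    headers = directive(conf, "add_header")
    if not any(h.split()[0].lower() == "x-frame-options" for h in headers):
        findings.append("add_header X-Frame-Options missing")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```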
Avamar action service settings
When actions are triggered, the Search UI calls the Search action service. In the /etc/nginx/nginx.avamar-action.conf file, the Search action service is defined.
By default, in the /etc/nginx/nginx.avamar-action.conf file, the following settings are used:
• Port 450
• ssl_certificate_key /usr/local/search/etc/cert/server.key
• ssl_certificate /usr/local/search/etc/cert/server.crt
• ssl_client_certificate /usr/local/search/etc/cert/ca.crt
To make changes to the default port, ssl_certificate_key, ssl_certificate, or ssl_client_certificate, edit the following file:
/etc/nginx/nginx.avamar-action.conf
After changes are made to the file, restart Nginx.
Note: If a port is changed, update the firewall settings.
The /etc/nginx/nginx.avamar-action.conf file also contains the following configurations:
• SSL protocols (ssl_protocols)
• SSL ciphers (ssl_prefer_server_ciphers, ssl_ciphers)
NetWorker action service settings
When actions are triggered, the Search UI calls the Search action service. In the /etc/nginx/nginx.networker-action.conf file, the Search action service is defined.
By default, in the /etc/nginx/nginx.networker-action.conf file, the following settings are used:
• Port 449
• ssl_certificate_key /usr/local/search/etc/cert/server.key
• ssl_certificate /usr/local/search/etc/cert/server.crt
• ssl_client_certificate /usr/local/search/etc/cert/ca.crt
To make changes to the default port, ssl_certificate_key, ssl_certificate, or ssl_client_certificate, edit the following file:
/etc/nginx/nginx.networker-action.conf
After changes are made to the file, restart nginx.
Note: If a port is changed, update the firewall settings.
The /etc/nginx/nginx.networker-action.conf file also contains the following configurations:
• SSL protocols (ssl_protocols)
• SSL ciphers (ssl_prefer_server_ciphers, ssl_ciphers)
Common Index Service settings
In the /etc/nginx/nginx.cis.conf file, settings for the Common Index Service (CIS) are defined.
By default, the /etc/nginx/nginx.cis.conf file uses the following settings:
• Port 445
• Self-signed certificate /usr/local/search/etc/cert/server.crt
• Key /usr/local/search/etc/cert/server.key
Note: As an Elasticsearch passthrough, CIS opens a secondary port. The default port changes to 442.
To make changes to the default port, self-signed certificate, or key, edit the following file:
/etc/nginx/nginx.cis.conf
After changes are made to the file, restart nginx.
Note: If a port is changed, update the firewall settings.
Configure LDAP and AD users
Search is configured with a built-in OpenLDAP service that includes preconfigured user accounts and groups. The Admin user account is preconfigured to include the system, application, and search Admin roles, which provides access to all Search functionality. While this account is useful for initial configuration, it is best practice to add one or more external Active Directory (AD) or OpenLDAP servers, and assign users or groups from those servers to Search roles. After you add the external AD or OpenLDAP servers, you can disable or remove the built-in OpenLDAP server.
About this task
The built-in OpenLDAP service is configured with a password policy to protect from brute-force attacks, and also enables automatic account unlock to prevent an account lockout attack.
The default Admin user account is not configured with an email address, and therefore cannot receive email notifications by default.
To configure LDAP and AD users, perform the following actions:
Procedure
1. In the Manage drop-down list, select System.
   The System Administration view appears.
2. Click Administration > Options > LDAP Options.
   The LDAP Options window appears.
3. To add an LDAP server, click .
   The Add LDAP Configuration window appears.
4. In the Name field, type the LDAP configuration name.
5. In the Server Type field, select either of the following authentication types:
   • Active Directory
   • OpenLDAP
6. In the LDAP Server field, type either of the following:
   • Hostname of the LDAP or AD server
   • IP address of the LDAP or AD server
7. In the LDAP port field, type the port number that the external authentication authority uses.
   For LDAP, the default port number is 389.
   For SSL, the default number for LDAPS changes to 636 when True is selected.
8. In the Base DN field, type the scope of the users and groups that are considered within the LDAP server.
   For example:
   DC=example, DC=com
   The Base DN determines the structure of the LDAP server where the search filter is applied. This is usually similar to the domain name over which the LDAP server has authority.
9. In the Username field:
   a. Type a user account that has full read access to the LDAP or AD directory, in the following format:
      [email protected] example, [email protected]
      • For Active Directory, ensure that the username is one of the following:
        ▪ Common name
        ▪ Email address
        ▪ Display name
        ▪ User principal name (UPN) in the following format: user@domain
        ▪ SAM account name in the following format: domain/user
        ▪ Distinguished name (DN)
      • For OpenLDAP, ensure that the username is one of the following:
        ▪ Common name
        ▪ Email address
        ▪ Entry distinguished name
        ▪ User ID (UID)
   b. Ensure that the user has read access to the directory.
   c. To include email notifications, define the email address for the account.
      Note: Only Admin accounts with defined email addresses can receive email notifications.
10. In the Password field, type the password of the user account that you specified in the Username field.
11. In the SSL field, select either of the following options:
   • To connect to an external authentication server using LDAPS, select True.
     The default port number automatically changes to 636.
   • To ignore secure connection settings, select False.
12. In the Default field, leave the option set to False.
   The Default field refers to the Search built-in OpenLDAP server.
13. To test the connection, click Test Connection.
14. Click Save.
Maintaining the Search OpenLDAP server
You can change the following settings by editing the settings in the /etc/openldap/slapd.conf configuration file:
• Anti-brute force
• Account lockout
• Master-consumer deployment setting
• Database replicate
• Unlock admin account
• Password
Authentication configuration
This section describes user accounts and groups for LDAP.
Users can remotely log in to the Search admin and search web-based interfaces only by using appropriate accounts that are configured in LDAP. Roles within the software also determine a user's permissions when logged in.
The following table lists accounts and groups for LDAP.
Table 6 LDAP server
Accounts and Groups: System Administrator
Description: The System Administrator can:
• Assign the System Administrator role to other users and groups
• View the system health
• Configure and view system notifications
• Manage LDAP sources
Accounts and Groups: Application Administrator
Description: The Application Administrator can:
• Assign the following roles to users and groups:
  ▪ Application Administrator
  ▪ Full Access Search (Global)
• View the status of jobs on the source server
• Manage search roles for an index including the following:
  ▪ Full Access Search (Index)
  ▪ Read Only Search (Index)
• Add or edit a source
• Configure and view source notifications
• View the health of the source server
Accounts and Groups: Search Administrator - All access
Description: The Search Administrator - All access can:
• Full content index a search result
• Preview search results
• Download files locally
• Restore files to original or alternate location
Accounts and Groups: Search Administrator - Read only
Description: The Search Administrator - Read only can:
• Perform keyword searches
• Perform filter searches
• View metadata for the search results
• Restore files to the original location
About roles
A role defines the privileges and permissions for users to perform a group of tasks.
When you configure the Search virtual appliance, there are already predefined users from OpenLDAP.
Note: When you launch the Search virtual appliance within IDPA System Manager, the user has all admin access and full search access to all indexes. The IDPA single sign-on privileges override the roles that are allocated in Search.
System Administrator role
The System Administrator can perform the following tasks:
• Assign the System Administrator role to other users and groups
• View the system health
• Configure and view system notifications
• Manage LDAP sources
Assign the System Administrator role
About this task
To assign a System Administrator role, perform the following procedure. Only a System Administrator can add another System Administrator role.
Procedure
1. In the Manage drop-down list, select System.
   The System Administration view appears.
2. Click Administration > Roles.
   The Manage Roles window appears.
3. Click .
   The Select User window appears.
4. In the Select User window, perform the following steps:
   a. In the Name field, restrict the search to one of the following categories:
      • Users or Groups
      • Users
      • Groups
   b. Type the name of the user or group.
   c. In the Directory field, specify an authentication provider.
      For example, the name of the Active Directory.
   d. Click Find.
      The list of user or user groups appears.
      Note: If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.
   e. Select a user, group, or click Select all.
   f. Click OK.
      The Manage Roles window appears.
5. In the Manage Roles window, select System Administrator to assign the role to the user or group that you added.
Example 1 Search for all users
To search for all users that contain Admin:
1. Type Admin.
2. Click Find.
Application Administrator role
The Application Administrator can manage specific configurations within the Search virtual appliance.
The Application Administrator can perform the following tasks:
• Assign the following roles to users and groups:
  ▪ Application Administrator
  ▪ Full Access Search (Global)
• View the status of jobs on the source server
• Manage search roles for an index including the following:
  ▪ Full Access Search (Index)
  ▪ Read Only Search (Index)
• Add or edit a source
• Configure and view source notifications
• View the health of the source server
Assign the Application Administrator role
About this task
Only an Application Administrator can assign the Application Administrator role.
Procedure
1. In the Manage drop-down list, select one of the following options:
l AvamarThe Avamar Administration view appears.
l NetWorkerThe NetWorker Administration view appears.
2. Select Administration > Roles.
The Manage Roles window appears.
3. To add a user or group, click .
The Select User window appears.
4. In the Select User window, perform the following steps:
a. In the Name field, restrict the search to one of the following categories:
l Users or Groups
l Users
l Groups
b. Type the name of the user or group.
c. In the Directory field, specify an authentication provider.
For example, the name of the Active Directory.
d. Click Find.
The list of user or user groups appears.Note: If you click Find before specifying a substring, the entire directory is returned.This action might slow performance.
e. Select a user, group, or click Select all.
f. Click OK.
The Manage Roles window appears.
5. In the Manage Roles window, select Application Administrator to assign the role to the user or group that you added.
Example 2 Search for all users
To search for all users that contain Admin:
1. Type Admin.
2. Click Find.
Full Access Search (Global) role
The Full Access Search (Global) role is a global search administrator that overrides any setting on indexes.
Only an Application Administrator can assign the Full Access Search (Global) role.
The Full Access Search (Global) role can perform the following actions:
• Full content index a search result
• Preview search results
• Download files locally
• Restore files to original or alternate location
Assigning the Full Access Search (Global) role
About this task
Only an Application Administrator can assign the Full Access Search (Global) role.
Procedure
1. In the Manage drop-down list, select one of the following options:
• Avamar
  The Avamar Administration view appears.
• NetWorker
  The NetWorker Administration view appears.
2. Click Administration > Roles.
The Manage Roles window appears.
3. To add a user or group, click .
The Select User window appears.
4. In the Select User window, perform the following steps:
a. In the Name field, restrict the search to one of the following categories:
• Users or Groups
• Users
• Groups
b. Type the name of the user or group.
c. In the Directory field, specify an authentication provider.
For example, the name of the Active Directory.
d. Click Find.
The list of users or user groups appears.
Note: If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.
e. Select a user, group, or click Select all.
f. Click OK.
The Manage Roles window appears.
5. In the Manage Roles window, select Full Access Search (Global) to assign the role to the user or group that has been added.
Example 3 Search for all users
To search for all users that contain Admin:
1. Type Admin.
2. Click Find.
Index specific search roles
The following roles can be applied to specific indexes.
Full Access Search (Index)
Only an Application Administrator can assign the Full Access Search (Index) role.
The Full Access Search (Index) role can perform the following actions inside a specified index:
• Full content index a search result
• Preview search results
• Download files locally
• Restore files to original or alternate location
The following figure illustrates how to assign the Full Access Search (Index) role.
Figure 3 Full Access Search (Index) role
Assign the Full Access Search (Index) role
Only an Application Administrator can assign the Full Access Search (Index) role for a specific index.
Before you begin
Ensure that the user or group has been added as an Active Directory or OpenLDAP source.
Procedure
1. In the Manage drop-down list, select one of the following options:
• Avamar
  The Avamar Administration view appears.
• NetWorker
  The NetWorker Administration view appears.
2. Click Administration > Indexes.
The list of indexes appears.
3. Select the Index that you want to give the user or group access to.
4. To manage search roles, click .
The Manage Search Roles window appears.
5. To add a user or group, click .
The Select User window appears.
6. In the Select User window, perform the following steps:
a. In the Name field, restrict the search to one of the following categories:
• Users or Groups
• Users
• Groups
b. Type the name of the user or group.
c. In the Directory field, specify an authentication provider.
For example, the name of the Active Directory.
d. Click Find.
The list of users or user groups appears.
Note: If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.
e. Select a user, group, or click Select all.
f. Click OK.
The Manage Roles window appears.
7. In the Manage Roles window, select Full Access Search (Index) to assign the role to the user or group that has been added.
Example 4 Search for all users
To search for all users that contain Admin:
1. Type Admin.
2. Click Find.
Read Only Search (Index) role
Only an Application Administrator can assign the Read Only Search (Index) role.
The Read Only Search (Index) role can perform the following actions inside a specific index:
• Perform keyword searches
• Perform filter searches
• View metadata for the search results
• Restore files to the original location
The following figure illustrates how to assign the Read Only Search (Index) role.
Figure 4 Read Only Search (Index) role
Assign the Read Only Search (Index) role
Only an Application Administrator can assign the Read Only Search (Index) role for a specific index.
Before you begin
Ensure that the user or group has been added as an Active Directory or OpenLDAP source.
Procedure
1. In the Manage drop-down list, select one of the following options:
• Avamar
  The Avamar Administration view appears.
• NetWorker
  The NetWorker Administration view appears.
2. Click Administration > Indexes.
The list of indexes appears.
3. Select the Index that you want to give the user or group access to.
4. To manage search roles, click .
The Manage Search Roles window appears.
5. To add a user or group, click .
The Select User window appears.
6. In the Select User window, perform the following steps:
a. In the Name field, restrict the search to one of the following categories:
• Users or Groups
• Users
• Groups
b. Type the name of the user or group.
c. In the Directory field, specify an authentication provider.
For example, the name of the Active Directory.
d. Click Find.
The list of users or user groups appears.
Note: If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.
To search for all users that contain Admin:
a. Type Admin.
b. Click Find.
e. Select a user, group, or click Select all.
f. Click OK.
The Manage Roles window appears.
7. To assign the role to a user or group, select Read Only Search (Index).
The Read Only Search (Index) role cannot perform the following actions:
• See inline preview for hits
• View full preview for hits
• Download files locally
• Restore files to an alternate location
Managing roles
This section describes how to add and edit user roles and assign access privileges to administrators.
Assign roles to users or groups
About this task
With the System Administrator or Application Administrator role, you can assign roles to users or groups.
Procedure
1. In the Manage drop-down list, select one of the following options:
• Avamar
  The Avamar Administration view appears.
• NetWorker
  The NetWorker Administration view appears.
• System
  The System Administration view appears.
2. Click Administration > Roles.
The Manage Roles window appears.
3. To add a user or group, click .
The Select User window appears.
4. In the Select User window, perform the following steps:
a. In the Name field, restrict the search to one of the following categories:
• Users or Groups
• Users
• Groups
b. Type the name of the user or group.
c. In the Directory field, specify an authentication provider.
For example, the name of the Active Directory.
d. Click Find.
The list of users or user groups appears.
Note: If you click Find before specifying a substring, the entire directory is returned. This action might slow performance.
To search for all users that contain Admin:
a. Type Admin.
b. Click Find.
e. Select a user, group, or click Select all.
f. Click OK.
The Manage Roles window appears.
5. To assign a role to a user or group, click one or more of the following options:
• Application Administrator
• Search Administrator
Remove users or groups
With the System Administrator or Application Administrator role, you can remove users or groups.
Procedure
1. In the Manage drop-down list, select one of the following options:
• Avamar
  The Avamar Administration view appears.
• NetWorker
  The NetWorker Administration view appears.
• System
  The System Administration view appears.
2. Click Administration > Roles.
The Manage Roles window appears.
3. Click the name of the user or group you want to delete.
4. Click .
5. To remove the user or group, in the Confirm window, click Confirm.
Results
The users or groups are no longer listed.
Edit role assignments
With the System Administrator or Application Administrator role, you can assign or edit roles.
Procedure
1. In the Manage drop-down list, select one of the following options:
• Avamar
  The Avamar Administration view appears.
• NetWorker
  The NetWorker Administration view appears.
• System
  The System Administration view appears.
2. Click Administration > Roles.
The Manage Roles window appears.
3. Choose the user or group whose role you want to edit.
4. Click one or more of the following options:
• Application Administrator
• Full Access Search (Global)
The following figure displays the Manage Roles window.
Figure 5 Manage Roles window
Log files
All log files are stored on disk 3, the separate disk. The /usr/local/search/log directory is mapped to /mnt/search/log. The logs are written to a dedicated disk so they cannot fill the system disk.
The default log directory, /usr/local/search/log, contains the following logs.
Table 7 Log files
Logs                                       Description
search-adminapi-nodename                   Main log file for the Admin REST API
search-adminapi-stderr-nodename            List of API calls made into the Admin REST API
search-adminapi-stdout-nodename            Details about the debugging output for the Admin REST API
search-api-nodename                        Main log file for the Search REST API
search-api-stderr-nodename                 List of API calls made into the Search REST API
search-api-stdout-nodename                 Details about the debugging output for Search REST API
search-avamar-action-nodename              Main log file for the Avamar action service REST API
search-avamar-action-stderr-nodename       A succinct list of API calls made into the Avamar action service REST API
search-avamar-action-stdout-nodename       Details about the debugging output for the Avamar action service REST API
search-avamar-worker-nodename              Main log file for the Avamar Java worker service
search-avamar-worker-stdout-nodename       Details about the Avamar Java worker service settings
search-networker-action-nodename           Main log file for the NetWorker action service REST API
search-networker-action-stderr-nodename    A succinct list of API calls made into the NetWorker action service REST API
search-networker-action-stdout-nodename    Details about the debugging output for the NetWorker action service REST API
search-networker-worker-nodename           Main log file for the NetWorker Java worker service
search-networker-worker-stdout-nodename    Details about the NetWorker Java worker service settings
search-worker-nodename                     Main log file for the Search platform Java worker service
search-worker-stdout-nodename              Details about the Search platform Java worker service settings
Subdirectories contain the logs for the following services.
Table 8 Services and logs
Logs             Description
Elasticsearch    Index engine logs
CIS              Common Index Service logs
Nginx            Web server logs
Puppet           Puppet master and agent logs
Use a secure FTP client, such as WinSCP or PuTTY (psftp), to copy log files from the Search nodes to a Windows computer.
Note: The WinSCP tool provides a GUI, and retains the settings, including both local and remote directory locations.
Copy log files (WinSCP)
Before you begin
Install WinSCP by downloading WinSCP from winscp.net.
Procedure
1. From the WinSCP wizard, select Stored sessions, and click New.
2. Add a session by completing the following fields:
• Hostname
• Port number (default is 22)
• Root username
• Password
3. Click Directories and complete the following fields:
• In the Remote directory field, type cd /usr/local/search/log
• In the Local directory field, type local directory
4. To save the session:
a. Click Save.
b. Click Login.
5. Drag the logs from the Remote Directory section of the window to the Local Directory section of the window.
Copy log files (PuTTY)
Use a secure FTP client, such as PuTTY (psftp), to copy log files from the Search nodes to a Microsoft Windows computer.
Before you begin
Download and install PuTTY from winscp.net.
Procedure
1. Log in with the Search Root user credentials that are created during deployment.
2. Change to the log directory:
   cd /usr/local/search/log
3. To download the log files, run the mget * command.
4. If required, unzip the log files.
Older versions of the logs are compressed based on size or date.
Managing logs
All log files are stored on disk 3, the separate disk. The logs are located in /usr/local/search/log. The logs are written to a dedicated disk so they cannot fill the system disk.
The default log directory, /usr/local/search/log, is mapped to /mnt/search/log.
Follow the procedures in this section to learn how to manage the following log properties:
• Log file location
• Log level
• Log size
• Log count
Managing logs for API-based services
To troubleshoot and diagnose problems, you can manage the log files of the following services and components:
• Admin API
• Search Admin API
• Common Indexing Service (CIS) Core
• CIS Scheduler
Log file location
The following table provides a summary of the log files available for the Admin/Search REST API.
Table 9 Admin/Search REST API log files
Module        Configuration file                   Log file location                                    Default log level
Admin API     /usr/local/search/etc/system.conf    {log_path}/search-adminapi-{host_name}.log           ERROR
                                                   {log_path}/search-adminapi-stdout-{host_name}.log
                                                   {log_path}/search-adminapi-stderr-{host_name}.log
Search API    /usr/local/search/etc/system.conf    {log_path}/search-api-{host_name}.log                ERROR
                                                   {log_path}/search-api-stdout-{host_name}.log
                                                   {log_path}/search-api-stderr-{host_name}.log
Manage the log level
The system.conf file provides the ability to modify the log level for the Admin/Search REST API.
About this task
To modify the log level, complete the following steps:
Procedure
1. Open the system.conf file with a text editor.
2. In the system.conf file, locate the following section:
   "log": {
       "comments": "log.level VERBOSE = 0, INFO = 1, WARNING = 2, ERROR = 3",
       "admin_api": "/usr/local/search/log/search-adminapi-stevenzincdev.log",
       "search_api": "/usr/local/search/log/search-api-stevenzincdev.log",
       "level": 3
   }
3. Change the log level by editing the level attribute:
Specify one of the following log levels:
• 0 (VERBOSE)
• 1 (INFO)
• 2 (WARNING)
• 3 (ERROR)
4. Restart the corresponding services.
Manage log size and log count
The logrotate utility manages the size of log files, and determines the number of archived log files to maintain.
About this task
Note: A cron job runs on a daily schedule to rotate the API log files.
The following table outlines the logrotate configuration files for the Admin/Search REST API, CIS core service, and CIS scheduler service.
Table 10 Configuration files
Service                  Configuration file
Admin API                /etc/logrotate.d/search-adminapi.lr
Search API               /etc/logrotate.d/search-api.lr
CIS core service         /etc/logrotate.d/search-cis-core.lr
CIS scheduler service    /etc/logrotate.d/search-cis-schedule.lr
Procedure
1. Open the corresponding logrotate configuration file.
2. In the logrotate configuration file, locate the following section:
   /usr/local/search/log/search-adminapi*.log {
       su root root
       rotate 5
       size 100M
       missingok
       nodateext
       notifempty
       compress
       delaycompress
       lastaction
           pid=/var/run/search/search-adminapi.pid
           test -s $pid && kill -USR1 "$(cat $pid)"
       endscript
   }
3. Change the log size and the number of log files to maintain, by editing the rotate and size parameters.
where:
• rotate defines the number of archived log files that the Search software maintains. The default value is 5.
• size defines the maximum size of the log file. The default value is 100M.
Managing logs for Worker and Action services
To troubleshoot and diagnose problems, you can manage the log files for the following services and components:
• Avamar Action service
• Avamar Worker service
• NetWorker Action service
• NetWorker Worker service
• Search Worker service
Log file location
The following table provides a summary of the log files available for the action services, worker services, and system worker service.
Table 11 Worker Services log files
Module                      Configuration file                                          Log file location
Search-Worker               /usr/local/search/etc/log4j2-search-worker.xml              {log_path}/search-worker.log
Avamar-Worker               /usr/local/search/etc/log4j2-search-avamar-worker.xml       {log_path}/search-avamar-worker-{host_name}.log
Networker-Worker            /usr/local/search/etc/log4j2-search-networker-worker.xml    {log_path}/search-networker-worker-{host_name}.log
Avamar-Action-Service       /usr/local/search/etc/log4j2-search-avamar-action.xml       {log_path}/search-avamar-action-{host_name}.log
Networker-Action-Service    /usr/local/search/etc/log4j2-search-networker-action.xml    {log_path}/search-networker-action-{host_name}.log
Manage the log level
The log4j file provides the ability to modify the log level for the action services, worker services, and system worker service.
About this task
To modify the log level, complete the following steps:
Procedure
1. Open the corresponding log4j configuration file.
2. In the log4j configuration file, perform the following tasks:
• To modify the log level for the Search Avamar Action service or the Search NetWorker Action service, locate the following section:
    <Logger name="com.emc.zinc" level="error" additivity="false">
        <AppenderRef ref="Routing"/>
    </Logger>
• To modify the log level for the Search Avamar Worker service, Search NetWorker Worker service, or Search Worker service, locate the following section:
    <Root level="info">
        <AppenderRef ref="Routing" />
    </Root>
3. Change the log level by editing the level attribute.
Specify one of the following log levels:
• trace
• debug
• info
• warn
• error
4. Restart the corresponding services.
Manage log size and log count
The log4j file manages the size of log files, and determines the number of archived log files to maintain for the action services, worker services, and system worker service.
About this task
The following table lists the log4j configuration files.
Table 12 Configuration files
Service                     Configuration file
Avamar action service       log4j2-search-avamar-action.xml
Avamar worker service       log4j2-search-avamar-worker.xml
NetWorker action service    log4j2-search-networker-action.xml
NetWorker worker service    log4j2-search-networker-worker.xml
System worker service       log4j2-search-worker.xml
Procedure
1. Open the corresponding log4j configuration file.
2. In the log4j configuration file, locate the following section:
           <Policies>
               <!-- <OnStartupTriggeringPolicy /> -->
               <!-- <TimeBasedTriggeringPolicy /> -->
               <SizeBasedTriggeringPolicy size="100 MB"/>
           </Policies>
           <DefaultRolloverStrategy max="5"/>
       </RollingFile>
3. Change the log size and the number of log files to maintain, by editing the SizeBasedTriggeringPolicy size and DefaultRolloverStrategy max attributes.
where:
• SizeBasedTriggeringPolicy size defines the maximum size of the log file. The default value is 100 MB.
• DefaultRolloverStrategy max defines the number of archived log files that the Search software maintains. The default value is 5.
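The following added example (not part of the Dell EMC guide) parses the logrotate stanza from "Managing logs for API-based services" and the log4j2 rollover fragment above, then estimates how much of the dedicated log disk each target can occupy at the configured count and size. The appender name, the wrapper elements around the XML fragment, the host name node1, and all function names are constructed for illustration.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

UNITS = {"": 1, "k": 2**10, "m": 2**20, "g": 2**30}
SCRIPT_KEYWORDS = {"prerotate", "postrotate", "firstaction", "lastaction"}

def parse_size(text):
    """Convert '100M' (logrotate) or '100 MB' (log4j2) to bytes."""
    m = re.fullmatch(r"\s*(\d+)\s*([kmg]?)b?\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]

def logrotate_limits(text):
    """Return {glob: {'rotate': n, 'size': bytes}} for each stanza."""
    limits, glob, in_script = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if glob is None:
            if line.endswith("{"):
                glob = line[:-1].strip()
                limits[glob] = {"rotate": 0, "size": None}
        elif in_script:                  # shell lines run until endscript
            in_script = line != "endscript"
        elif line in SCRIPT_KEYWORDS:
            in_script = True
        elif line == "}":
            glob = None
        else:
            key, _, value = line.partition(" ")
            if key in ("rotate", "size"):
                limits[glob][key] = int(value) if key == "rotate" else parse_size(value)
    return limits

def log4j2_limits(xml_text):
    """Return {appender name: {'rotate': n, 'size': bytes}} per RollingFile."""
    out = {}
    for rolling in ET.fromstring(xml_text).iter("RollingFile"):
        policy = rolling.find(".//SizeBasedTriggeringPolicy")
        strategy = rolling.find(".//DefaultRolloverStrategy")
        if policy is not None and strategy is not None:
            out[rolling.get("name")] = {"rotate": int(strategy.get("max")),
                                        "size": parse_size(policy.get("size"))}
    return out

def nominal_bytes(limit, file_count=1):
    # One live file plus `rotate` archives of up to `size`, per matching file.
    # Planning figure, not a hard cap: logrotate compares `size` only when it
    # runs (the daily cron job), and compressed archives take less space.
    return (limit["rotate"] + 1) * limit["size"] * file_count

def budget(logrotate_text, log4j2_text, paths):
    report = {}
    for glob, limit in logrotate_limits(logrotate_text).items():
        if limit["size"] is not None:
            report[glob] = nominal_bytes(limit, len(fnmatch.filter(paths, glob)))
    for name, limit in log4j2_limits(log4j2_text).items():
        report[name] = nominal_bytes(limit)
    return report

# Constructed inputs: the two fragments shown on this page, a made-up
# appender name and wrapper elements, and log names for a host "node1".
LOGROTATE = """\
/usr/local/search/log/search-adminapi*.log {
    rotate 5
    size 100M
    lastaction
        pid=/var/run/search/search-adminapi.pid
        test -s $pid && kill -USR1 "$(cat $pid)"
    endscript
}
"""
LOG4J2 = """<Configuration><Appenders><RollingFile name="search-worker">
  <Policies><SizeBasedTriggeringPolicy size="100 MB"/></Policies>
  <DefaultRolloverStrategy max="5"/>
</RollingFile></Appenders></Configuration>"""
PATHS = [f"/usr/local/search/log/search-{n}-node1.log"
         for n in ("adminapi", "adminapi-stdout", "adminapi-stderr", "api")]

if __name__ == "__main__":
    for target, size in budget(LOGROTATE, LOG4J2, PATHS).items():
        print(f"{size / 2**20:8.0f} MiB  {target}")
```

The wildcard in the Admin API stanza matches the main, stdout, and stderr logs, so its budget is three times that of a single file.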
Managing logs for Elasticsearch
To troubleshoot and diagnose problems, you can manage the log files for the Elasticsearch service.
About the Elasticsearch logs
The Elasticsearch log files are located in /usr/local/search/log/elasticsearch. The default logging level is ERROR.
Elasticsearch uses log4j to manage the log file level, size, and count. The configuration file for log4j is located at /etc/elasticsearch/log4j2.properties.
Manage the log level
The log4j file provides the ability to modify the log level for Elasticsearch.
About this task
To modify the log level, complete the following steps:
Procedure
1. Open the corresponding log4j configuration file.
2. In the log4j configuration file, locate the following section:
rootLogger.level = error
3. Change the log level by editing the rootLogger.level attribute.
Specify one of the following log levels:
• trace
• debug
• info
• warn
• error
4. Restart the corresponding services.
Manage log size and log count
The log4j utility manages the size of log files, and determines the number of archived log files to maintain for the Elasticsearch service.
Procedure
1. Open the log4j configuration file.
2. In the log4j configuration file, locate the sections that correspond to the following logs:
• rolling
• deprecation_rolling
• index_search_slowlog_rolling
• index_indexing_slowlog_rolling
To adjust the size and number of retained logs, locate and modify the following parameters for the log you want to manage:
Table 13 Elasticsearch log parameters
Parameter name                                                    Description                                                                         Default value
appender.rolling.policies.size.size                               The maximum allowed log size before rotation. Specify the value in KB, MB, or GB.   100 MB
appender.deprecation_rolling.policies.size.size
appender.rolling.strategy.max                                     The maximum number of rotated log files to retain.                                  5
appender.deprecation_rolling.strategy.max
appender.index_search_slowlog_rolling.policies.time.interval      The duration of the logging period, in days.                                        1
appender.index_indexing_slowlog_rolling.policies.time.interval
Managing logs for Nginx
To troubleshoot and diagnose problems, you can manage the log files for Nginx.
Configuration file location
The following table provides a summary of the configuration files available for Nginx. All the Nginx configuration files are located in /etc/nginx.
Table 14 Nginx log files
Module                      Configuration file
Avamar action service       nginx.avamar-action.conf
CIS                         nginx.cis.conf
Nginx                       nginx.conf
NetWorker action service    nginx.networker-action.conf
Search service              nginx.search.conf
Modifying the log level
The Nginx logging options are highly configurable. The Nginx documentation provides more information.
Manage log size and log count
About this task
The logrotate utility manages the size of log files, and determines the number of archived log files to maintain. The Nginx logrotate configuration file is located at /etc/logrotate.d/nginx.lr.
Procedure
1. Open the Nginx logrotate configuration file.
2. In the logrotate configuration file, locate the following section:
   /usr/local/search/log/nginx/nginx*.log {
       su root root
       rotate 5
       size 100M
       missingok
       nodateext
       notifempty
       compress
       delaycompress
       missingok
       lastaction
           pid=/var/run/nginx.pid
           test -s $pid && kill -USR1 "$(cat $pid)"
       endscript
   }
3. Change the log size and the number of log files to maintain, by editing the rotate and size parameters.
where:
• rotate defines the number of archived log files that Nginx maintains. The default value is 5.
• size defines the maximum size of the log file. The default value is 100M.
Manage logs for the Puppet agent
To troubleshoot and diagnose problems, you can manage the log files for the Puppet agent.
Manage the log level
The upgrade.conf file provides the ability to modify the log level for the Puppet agent.
About this task
The Puppet agent log files are located in /etc/puppet/log/puppet_agent.log. The default logging level is WARN.
The configuration file for the Puppet agent log is located at /etc/puppet/upgrade.conf.
Procedure
1. Open the corresponding configuration file.
2. In the upgrade.conf configuration file, locate the following section:
loglevel="WARN"
3. Change the log level by editing the loglevel attribute.
Specify one of the following log levels:
• DEBUG
• INFO
• WARN
• ERROR
4. Restart the corresponding services.
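The following read-only check is an added example, not part of the Dell EMC guide. It reads the level from each of the four configuration formats used in the log-level procedures (system.conf, the log4j2 XML files, log4j2.properties, and upgrade.conf) and lists the services that log more verbosely than the level this guide documents or shows, which helps confirm that levels raised for troubleshooting were set back. It assumes that system.conf parses as JSON; the function names, wrapper elements, and sample values are constructed.

```python
import json
import re
import xml.etree.ElementTree as ET

# Lower rank = more verbose. "verbose"/"warning" are the system.conf names.
RANK = {"trace": 0, "verbose": 0, "debug": 1, "info": 2,
        "warn": 3, "warning": 3, "error": 4}
API_LEVELS = {0: "verbose", 1: "info", 2: "warning", 3: "error"}


def api_level(system_conf_text):
    """Level name from the "log" section of system.conf (assumed to be JSON)."""
    return API_LEVELS[json.loads(system_conf_text)["log"]["level"]]


def log4j2_xml_level(xml_text, logger_name=None):
    """Level of the named <Logger>, or of <Root> when no name is given."""
    tag = "Logger" if logger_name else "Root"
    for element in ET.fromstring(xml_text).iter(tag):
        if logger_name is None or element.get("name") == logger_name:
            return element.get("level").lower()
    raise LookupError(f"no <{tag}> entry for {logger_name or 'root'}")


def key_value_level(text, key):
    """Level from `key = value` (log4j2.properties) or key="VALUE" (upgrade.conf)."""
    match = re.search(rf'^\s*{re.escape(key)}\s*=\s*"?(\w+)"?\s*$', text, re.M)
    if match is None:
        raise LookupError(f"{key} is not set")
    return match.group(1).lower()


def above_default(found):
    """found maps service -> (current, documented level); return the sorted
    services that log more verbosely than the documented level."""
    return sorted(name for name, (current, default) in found.items()
                  if RANK[current] < RANK[default.lower()])


# Constructed sample state: the page's fragments with two levels changed
# (API level 0, worker Root at debug), wrapped in made-up outer elements.
SYSTEM_CONF = '{"log": {"comments": "log.level VERBOSE = 0, INFO = 1, WARNING = 2, ERROR = 3", "level": 0}}'
ACTION_XML = """<Configuration><Loggers>
  <Logger name="com.emc.zinc" level="error" additivity="false">
    <AppenderRef ref="Routing"/>
  </Logger>
</Loggers></Configuration>"""
WORKER_XML = """<Configuration><Loggers>
  <Root level="debug"><AppenderRef ref="Routing"/></Root>
</Loggers></Configuration>"""
ES_PROPERTIES = "rootLogger.level = error\n"
UPGRADE_CONF = 'loglevel="WARN"\n'


def collect():
    """Pair each service's current level with the level this guide gives."""
    return {
        "Admin/Search REST API": (api_level(SYSTEM_CONF), "ERROR"),
        "Action services": (log4j2_xml_level(ACTION_XML, "com.emc.zinc"), "error"),
        "Worker services": (log4j2_xml_level(WORKER_XML), "info"),
        "Elasticsearch": (key_value_level(ES_PROPERTIES, "rootLogger.level"), "ERROR"),
        "Puppet agent": (key_value_level(UPGRADE_CONF, "loglevel"), "WARN"),
    }


if __name__ == "__main__":
    print(above_default(collect()))
```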
Manage log size and log count
About this task
The logrotate utility manages the size of log files, and determines the number of archived log files to maintain. The Puppet agent logrotate configuration file is located at /etc/logrotate.d/puppet.lr.
Procedure
1. Open the Puppet agent logrotate configuration file.
2. In the logrotate configuration file, locate the following section:
   /usr/local/search/log/puppet/puppet_*.log {
       su root root
       rotate 5
       size 100M
       missingok
       nodateext
       notifempty
       compress
       delaycompress
       missingok
   }
3. Change the log size and the number of log files to maintain, by editing the rotate and size parameters.
where:
• rotate defines the number of archived log files that Nginx maintains. The default value is 5.
• size defines the maximum size of the log file. The default value is 100M.