AFF, NVMe, EF-Series, and SolidFire Discussions

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

AFF, NVMe, EF-Series, and SolidFire Discussions

Start a New Post

HCI account password policy

chinchillaking
‎2021-01-28 12:22 AM

Hi All,

 

Due to security, may we know below account password policy? Refer root account, could change?

 

console root account

cluster admin account

IPMI ADMIN account

 

BTW, could change policy, e.g. complexity, length, history and lockout ..............?

 

 

Best regards,

 

Chung

0 Kudos
3 Replies
Reply
3 REPLIES 3

Re: HCI account password policy

elementx
NetApp
‎2021-01-28 07:54 AM

console root account - I don't know if it's available to anyone in field. SSH service on storage cluster (reverse SSH tunnel to NetApp) can be enabled for NetApp Support, but generally SSH isn't available for remote access anyway.

 

cluster admin account - there's no lockout, but you can make the password very complex (e.g. 20 characters), and also you can eliminate the use of local cluster admin:

a) create a AD group, connect cluster to AD, add an admin group account as cluster admin, and then set vCenter plugin and other accounts to use that AD account.

b) block network access to cluster Management IP and VIP (normally it's blocked by default if you keep cluster management network on separate VLAN where only mNode and vCenter have access to, but if the case you have not implemented networking that way, then you could limit access to the IPs mNode, vCenter and perhaps 1-2 other hosts

 

IPMI ADMIN account - you can check in the IPMI UI (create a test account and try?), I don't remember this detail now (and there may be slight differences between different hardware models, e.g. H600 vs. H300 vs. H410, and IPMI f/w versions). As far as I know (I may be wrong), the only time IPMI admin account is used is when mNode/HCC upgrades BIOS and firmware, so if you don't have it on a secure network, you could probably enable this on demand (for f/w upgrades with HCC) and keep it disabled at other times.

0 Kudos
3 Replies
Reply

Re: HCI account password policy

chinchillaking
‎2021-01-28 10:35 PM

Hi Elementx,

 

The root account, it was "Textual User Interface (TUI)", could it change with complexity?

 

 

Best regards,

 

Chung

0 Kudos
3 Replies
Reply

Re: HCI account password policy

elementx
NetApp
‎2021-01-28 11:04 PM

Hi

 

- In mNode TUI, you can set "admin" account for mNode. Of course, later you can login to shell and as sudoer change the root password for mNode. You can disable SSH service on this node using standard Linux commands.

 

- But in storage node you can only set local cluster admin account. Bootstrap OS (before SolidFire cluster is formed, also used to update firmware) boots from the first disk (Disk 0) and has its own root password (I don't know what it is), but once cluster is configured, you boot nodes to Disk 1 where SolidFire (Element OS) is installed and like with Bootstrap OS we don't have root access (or any shell access) to that OS. You can get to TUI (not a shell) with cluster admin password, but that's all. If/when remote support is required, you can enable Reverse SSH (whereby Cluster Manager or individual storage Node connects to NetApp Support who can perform reverse access and log with SSH). If you don't ever want to enable reverse SSH that's fine as well, then you'd use desktop screen sharing app and let NetApp support use your SSH client to login to nodes for troubleshooting.

In field we don't have root passwords for storage OS and there's no remote access to it, unless you enable it (reverse SSH tunnel only).

View solution in original post

0 Kudos
3 Replies
Reply
Earn Rewards for Your Review!
GPI Review Banner
All Community Forums
Learn about the Community Get Started
Still have Questions Start a Discussion
Rules of the Community Read More
© 2021 NetApp
Let us know
Public