Supportability for Security Measures applied to Active IQ Unified Manager for Clustered Data ONTAP
Summary
What is the supportability of Security Measures applied to Active IQ Unified Manager?
Issue Description
Be advised: Oncommand Unified Manager has been rebranded to Active IQ Unified Manager as of the 9.6RC1 (and later) releases. For the purposes of this document, Unified Manager will be referred to as ActiveIQ Unified Manager.
- NetApp does not offer support for any modification of the Unified Manager application code.
- Any security measures that need to be applied to the Unified Manager server must be applied to the Operating System that Unified Manager is installed on. The exception being the OVA (Virtual Machine) instance of Unified Manager. Modifications to the Unified Manager OVA File system is not supported by NetApp, unless the changes are being guided directly by a NetApp Technical resource*.
- In the Information Technology (IT) Industry, there are a large number of security measure configuration variables that may be applied to a Binary Operating System (Windows or RHEL/CentOS based operating System); too many Security configuration variables for NetApp to test and qualify pro-actively.
- When the ‘Unified Manager (Binary Installation*)’ application is Qualified for release via QA testing, the Unified Manager application is qualified with the Unified Manager application being installed on unmodified Operating Systems.
- No “Security Hardening” procedures that restrict the normal functionality of the original operating system, file directories, or user functions are tested for normal operation of the Unified Manager application.
Security Hardening measures are defined the following actions being taken on the Host Operating System:
- Limiting system directory functions or priveleges.
- Limiting User Roles.
- Example: Removing or modifying Sudo priveleges for the "Maintenance user" or "JBOSS users" within a Red Hat Enterprise Linux or CentOS binary installation.
- Antivirus Scanners
- Exclusions must be set within the Anti-Virus application to exclude the installation directory of the Unified Manager application
- Access Control tools
- 3rd party applications that can be configured to limit access to Operating System functionality.
As the Unified Manager application is QA tested without any Security measures applied to Operating System, NetApp can only directly support Unified Manager binary installations that do not have “Security Hardening” measures applied to Host Operating System configurations.
Footnotes
*Binary Installation: is reference to Operating Systems: Windows, RHEL, or CentOS. Unified Manager is offered as either a Binary installation, or an OVA appliance (Virtual Machine).
*NetApp Technical Resource: In this document “NetApp Technical resource” is a reference to a human resource such as: NetApp SE, NetApp Field Service personnel, Professional Services personnel, or NetApp Technical Support that is following instructions provided by NetApp Engineering Teams via EPS, BUG, PVR or FPVR.
Following steps in a KB article, or Technical Report (TR) does not qualify as direct guidance from a NetApp Technical resource.
NetApp Best practice is to take a Cold VMSnapshot of the Unified Manager Server before executing any steps outlined within a NetApp KB Article, so that the Unified Manager server may be rolled back to a “Known Good” operational status, in the event of an issue while executing the steps outlined in a KB Article.