ECS: How to lock or unlock remote access to nodes


   Article Number:     503182                                   Article Version: 2     Article Type:    How To 




ECS Appliance,Elastic Cloud Storage





    This article is an extract from the "ECS 3.0 Administrator's Guide" what can be downloaded here:'s_Guide.pdf?language=en_US​   
    Lock and unlock nodes​   

      Use the portal to lock and unlock remote SSH access to ECS nodes.     
      Before you begin     
      This task can only be done by the Lock Admin (login: emcsecurity).     
      Locking a node only prevents remote access to the operating system of the node by     
      SSH or the CLI. Locking or unlocking a node has no affect on ECS Portal or REST     
      Management API functions or on directly connecting to a node locally and then using     
      SSH or the CLI.     
      1. Login in as emcsecurity.     
      If this is the first log in from this account, you will be required to change the     
      password and re-login.     
      2. From the left-hand navigation, select Settings > Platform Locking.     
      The screen lists the nodes in the cluster and displays their lock status.   
      ​User-added image   
      The node states are:   
  •         Unlocked: Displays an open green lock icon and the Lock action button.     
  •         Locked: Displays a closed red lock icon and the Unlock action button.     
  •         Offline: Displays the circle-with-slash icon and no action button because the       
             node is unreachable and the lock state cannot be determined.     
      3. Choose:                                                                                                                                                                                       
              Option                          Description           
LockTo lock an unlocked node. Any user who is currently remotely             
                 logged in by SSH or CLI will have about five minutes to exit             
                 before their session will be terminated. An impending shutdown             
                 message appears on the user's terminal screen.
UnlockTo unlock a locked node. A privileged user will now be able to             
                 remotely login to the node by SSH or the CLI after a few minutes.
Lock the             
This convenience feature locks all unlocked nodes in the VDC as             
                 long as they are online. It does not set a state where any new or             
                 offline node will be automatically locked once detected.







        Locking remote access to nodes     
        Use the ECS Portal to lock remote access to nodes.       
        Access types       
        ECS can be configured in the following ways:     
                Using the ECS Portal or the ECS Management API.         
                By directly connecting to a node through the management switch with a service           
                 laptop and using SSH or the CLI to directly access the node's operating system.         
                By remotely connecting to a node over the network using SSH or the CLI to           
                 directly access the node's operating system.         
        Node locking provides another layer of security against remote node access from all       
        accounts. Without node locking, any privileged node-level account, such as the       
        admin, service , or emc accounts, can remotely access nodes at any time to collect       
        data, configure hardware, and run Linux commands. If all the nodes in a cluster are       
        locked, then remote access can be planned and scheduled for a defined window       
        minimizing the opportunity for unauthorized activity.       
        Using the ECS Portal or the ECS Management API, you can lock selected nodes in a       
        cluster or all the nodes in the cluster. Doing so only affects the ability to remotely       
        access (SSH to) the locked nodes. Locking does not change the way the ECS Portal       
        and ECS Management APIs access nodes and it does not affect the ability to directly       
        connect to a node.     
        Lock Admin       
        To lock and unlock nodes requires the Lock Admin user. The Lock Admin is a preprovisioned       
        local user called emcsecurity. Lock Admins can only change their       
        passwords and lock and unlock nodes. The Lock Admin role cannot be assigned to       
        another user.       
        System Admins and System Monitors can view the lock status of the nodes.       
        If node maintenance using remote access is periodically required, you can unlock a       
        single node to allow remote access to the entire cluster using SSH with the admin or       
        emc account. Once the authorized user successfully logs into the unlocked node using       
        SSH, the user can SSH from that node to any other node in the cluster by way of the       
        private network.       
        You will also need to unlock a node to remotely use commands that provide OS-level       
        read-only diagnostics.       
        Node lock and unlock events are captured in audit logs and also sent to Syslog. Errors       
        from lock or unlock attempts are also logged.     
        ECS Management API     
        The following APIs allow you to manage node locks.                                                                                                                                                                                                                                                                                                         
                Resource                              Description             
GET /vdc/nodesGets the data nodes that are currently               
                   configured in the cluster
GET /vdc/lockdownGets the locked/unlocked status of a VDC
PUT /vdc/lockdownSets the locked/unlocked status of a VDC
PUT /vdc/nodes/{nodeName}/lockdownSets the Lock/unlock status of a node
GET /vdc/nodes/{nodeName}/lockdownGets the Lock/unlock status of a node