In my previous blog, I covered several high-availability deployment alternatives with NetApp® OnCommand® Unified Manager 7.2. We made things simpler by having one server do the work of two. But what about security best practices and compliance with your corporate security practices? In today’s blog, I answer this question and review how we’ve designed Unified Manager to support different security needs.
Unified Manager is offered in three installation choices: a virtual machine (OVA format) for VMware, Red Hat Enterprise Linux (RHEL), and Microsoft Windows. When building these installation packages, our engineers based several of the design choices on customer feedback over the last two years. The VM distribution is like a smartphone app—designed to get you going quickly and to get the job done, but with limited configurability and no customer access to the underlying OS. The RHEL and Windows distributions are designed to accommodate specific customer needs for the server’s OS.
So, what are the differences, and how would you choose which deployment option to use? Some organizations have standards and allow only certain OS choices, which makes things simple. But when all three options can be considered, what are the key decision points?
- With the VM distribution, the underlying OS is locked down behind a network firewall. There is no user access to the file system or OS components. Updates to the software must be applied through a patch downloaded from the NetApp Support site. Scale might be limited by VMware’s CPU and RAM allocation capability. The VM distribution is a great choice for customers that have less need for independent verification and control of software components. Deployments are up and running in a matter of minutes.
- With the RHEL distribution, customers retain control of the OS. Any required agents (such as backup and auditing) can be installed, and customers can choose the patch levels for third-party software packages used by Unified Manager, such as Java or MySQL. Customers can also freely patch the server on their own schedule. Additional security hardening (such as restricting use of the sudo command) is possible if it doesn’t interfere with required network connections. The RHEL distribution is a great option for customers that have specific corporate security requirements.
- With the Windows distribution, customers also fully control the Windows OS server. Customers can patch the server and choose to change the versions of third-party components—but it’s not as simple as on Linux.
What about performance? Our internal tests and results from early customer use do not show significant performance differences among the three software distributions. All three provide options for high availability.
Figure 1) A simplified OS decision flowchart.
Some customers require the ability to install on alternate hypervisors. The best choice for these customers is to set up an RHEL VM on the hypervisor of choice and deploy the RHEL version of Unified Manager. Customers in a Windows Hyper-V environment can choose to deploy the Windows version.
When deploying Unified Manager on RHEL in a location that doesn’t have external network connectivity, customers must retrieve any third-party components missing from their standard Linux server build as well as the Unified Manager installer files. Some builds of NetApp FAS systems include a copy of the Unified Manager installer on the root volume of the cluster, which simplifies the process of downloading the installer.
As web protocols evolve, older protocol versions are found to be insecure. Following security best practices, we drop support for these older protocols. For example, in this Unified Manager release, we have disabled support for Transport Layer Security (TLS) 1.0 and are guiding customers to use only TLS 1.2 in their environments.
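A simple way to confirm that a deployed server really refuses TLS 1.0 and accepts TLS 1.2 is to attempt a handshake pinned to each protocol version and compare the outcome with the policy above. The script below is an added example, not NetApp's code or part of Unified Manager; the host and port are assumptions (the page does not state the HTTPS port, so 443 is a placeholder), and it uses only the Python standard library.

```python
"""Added example (not NetApp's code): probe which TLS protocol versions a
server accepts, then check the result against a "TLS 1.2 only" policy.
The host/port are assumptions; 443 is a placeholder, not a documented port."""
import socket
import ssl

# Versions to try, oldest first. TLS 1.0/1.1 are the legacy versions the
# blog says are no longer supported; TLS 1.2 is the version it recommends.
VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]
LEGACY = {"TLS 1.0", "TLS 1.1"}


def try_version(host, port, version, timeout=5.0):
    """Return True if a handshake pinned to `version` completes, False if the
    handshake or connection fails, None if the local OpenSSL build refuses to
    even configure that version (so nothing can be concluded about the server)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing protocol support, not the certificate
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        # Note: on OpenSSL 3, a TLS 1.0/1.1 attempt can also fail on the client
        # side at the default security level; treat a False here as "not
        # negotiable from this host" and confirm with an older client if needed.
        return False


def probe(host, port=443):
    """Map each version name to the outcome of a pinned handshake attempt."""
    return {name: try_version(host, port, ver) for name, ver in VERSIONS}


def evaluate(results):
    """Pure policy check on a probe result: no legacy version may be accepted,
    and TLS 1.2 must be accepted. Returns a small report dict."""
    accepted_legacy = sorted(n for n in LEGACY if results.get(n) is True)
    compliant = not accepted_legacy and results.get("TLS 1.2") is True
    return {"compliant": compliant, "accepted_legacy": accepted_legacy}


if __name__ == "__main__":
    # Assumed hostname; replace with the Unified Manager server being checked.
    target = "unified-manager.example.internal"
    report = probe(target)
    for name, outcome in report.items():
        print(f"{name}: {'accepted' if outcome else 'refused' if outcome is False else 'untestable'}")
    print(evaluate(report))
```

`evaluate` is deliberately separated from the network probe so the policy logic can be unit-tested on constructed results; a `None` for a legacy version means the probing client itself could not speak that version, which is not evidence about the server either way.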
In my next and final blog, I will explore approaches for high availability and deployment alternatives. In the meantime, explore the OnCommand Unified Manager resource page on the NetApp Support site.