V11 SP8

Advanced Configuration - Security

Securing Access to the Search Engine and Content Indexing Data

To secure the Search Engine data and content indexing previews from unauthorized access, configure each Search Engine node to only allow communication with the necessary components in your CommCell environment.

There are two steps to securing access to the Search Engine and Content Indexing Data:

  1. Configure the firewall on each Search Engine node to only allow network communication between the server and necessary CommCell components. See Configuring the Windows Firewall on Search Engine Nodes.
  2. Deny unauthorized access to the Search Engine index and content indexing previews. See Applying Security Configurations to the Search Engine Software.

Configuring the Windows Firewall on Search Engine Nodes

Use the Windows Firewall feature to prevent unauthorized network communication with the Search Engine node.

Before You Begin

You will need to obtain the following information before you can accomplish this procedure:

Search Engine Node Port Numbers

This procedure requires configuring rules in the Windows Firewall settings to deny unauthorized access to the port number used by the Search Engine node. Therefore, you must have the port number used by each Search Engine node in your CommCell environment. You can find this information in the CommCell Console:

  1. Open the CommCell Console.
  2. In the CommCell Browser, click to expand Storage Resource > Search Engines, and then click a Search Engine cloud.
  3. In the Search Engine Cloud tab, right-click the name of the Search Engine node, and then click Properties.

    In the Search Engine Node Properties dialog box under the General tab, the Search Engine port number is listed as Base Port.

IP Addresses of Search Engine Components

In order to allow network communication between the Search Engine node and the CommCell components required to facilitate content indexing and search operations, you must have the full computer name of each of the following components in your CommCell:

  • CommServe host
  • Other nodes in the same Search Engine cloud
  • Web Servers
  • MediaAgents

Procedure

Perform the following procedure for each Search Engine node in your CommCell environment.

  1. Log in to the Search Engine node.
  2. Open Windows Firewall with Advanced Security. See Microsoft's documentation for your version of Microsoft Windows.
  3. Create a new Inbound Rule with the following configuration for each step of the wizard:
    • Rule Type: Select Port.
    • Protocol and Ports:
      • Applicable protocol: Select TCP.
      • Specify Local Port: Search Engine base port. To locate the base port for a Search Engine node, see Search Engine Node Port Numbers.
    • Action: Select Allow the connection if it is secure.
    • Computers:
      • Authorized computers: Add the full computer name of each computer in your CommCell environment that is required for content indexing and search operations:
        • Other Search Engine nodes in the same cloud
        • Web Servers
        • Compliance Search servers
        • MediaAgents
  4. Turn on Windows Firewall on the Search Engine node.
  5. Repeat this procedure for all other Search Engine nodes in your CommCell environment.
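
The inbound rule from steps 3 and 4, scripted with the built-in Windows NetSecurity cmdlets; this is an added example, not Commvault code. The port, domain and host names are placeholders (assumptions). Because an "allow if secure" rule matches only IPsec-authenticated connections, the script also warns when no connection security rule exists and lists any unauthenticated allow rule that would still expose the port.

```powershell
# Added example, not Commvault code. Run elevated on each Search Engine node.
$ErrorActionPreference = 'Stop'
$BasePort   = 20000        # ASSUMPTION: placeholder; use the node's Base Port
$Domain     = 'EXAMPLE'    # ASSUMPTION: placeholder NetBIOS domain name
$Authorized = 'SENODE02', 'WEBSRV01', 'COMPSEARCH01', 'MA01'   # placeholder hosts

# Resolve each computer account to a SID. A name that does not resolve throws,
# so a typo cannot silently change who is authorized.
$aces = foreach ($name in $Authorized) {
    $account = New-Object System.Security.Principal.NTAccount($Domain, "$name`$")
    $sid = $account.Translate([System.Security.Principal.SecurityIdentifier])
    "(A;;CC;;;$($sid.Value))"
}
$sddl = 'D:' + ($aces -join '')

# Step 3: TCP, base port, allow only if authenticated, authorized computers only.
New-NetFirewallRule -DisplayName 'Search Engine base port (authorized computers)' `
    -Direction Inbound -Protocol TCP -LocalPort $BasePort `
    -Action Allow -Authentication Required -RemoteMachine $sddl | Out-Null

# Step 4: turn on Windows Firewall for every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True

# The rule matches only IPsec-authenticated connections, so peers need a
# connection security rule with this node.
if (-not (Get-NetIPsecRule -PolicyStore ActiveStore -ErrorAction SilentlyContinue)) {
    Write-Warning 'No connection security (IPsec) rules found; peers will not match the new rule.'
}

# Any other enabled inbound allow rule that covers the port without requiring
# authentication still exposes it. Port ranges are not expanded here.
$open = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $sf = $_ | Get-NetFirewallSecurityFilter
        ($pf.Protocol -in 'TCP', 'Any') -and
        (@($pf.LocalPort) -contains "$BasePort" -or @($pf.LocalPort) -contains 'Any') -and
        ($sf.Authentication -eq 'NotRequired')
    }
$open | Select-Object DisplayName, Profile | Format-Table -AutoSize
```

Rules listed at the end should be disabled or narrowed before the node is considered restricted to the authorized computers.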

Applying Security Configurations to the Search Engine Software

In addition to configuring the firewall settings on each Search Engine node (see Configuring the Windows Firewall on Search Engine Nodes), the Search Engine software on each Search Engine node must also be secured to prevent unauthorized access to your content indexing data.

Search Engine Automatically Configures Secure Access

The software automatically denies unauthorized access to the data in the Search Engine. If you install or remove components that need to communicate with the Search Engine, such as a Web Server or MediaAgent, the software also handles the security changes automatically.

Permitting Access to the Search Engine from a Different Client

If you need to access the Search Engine from a client that is not one of the authorized components (Search Engine, CommServe, MediaAgents, or Web Servers), then you must create the sAllowIPCvAccessControl registry key on all of your Search Engine nodes with the IP address of the client you want to use to access the Search Engine.

Perform the following procedure for each Search Engine node in your CommCell environment.

  1. Log in to the Search Engine node.
  2. Open the Registry Editor:
    1. From the Start Menu, type Run.
    2. In the Run dialog box, type regedit and click OK.
    3. If prompted, click Yes at the User Account Control prompt.
  3. Navigate to the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\CommVaultSystems\Galaxy\InstanceNumber\Machines\MachineName\SearchServer

    Where InstanceNumber is the instance number of the Search Engine installation and MachineName is the name of the Search Engine node.

  4. Right-click the SearchServer key, point to New, and then click String Value.
  5. For the new REG_SZ value name, enter sAllowIPCvAccessControl.
  6. Double-click the sAllowIPCvAccessControl value and in the Value data box, enter the IP address of the machine that you want to allow to access the Search Engine. You may enter multiple IP addresses, separated by a comma.
  7. Click OK.
  8. Restart services on the Search Engine node. See Restarting a Service.
  9. Repeat this procedure for all other Search Engine nodes in your CommCell environment.
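
Steps 3 through 7 of this procedure as a script, added here as an example and not taken from Commvault: it validates each address, merges it with any existing sAllowIPCvAccessControl entries instead of overwriting them, and reads the value back. The instance number, machine name and IP addresses are placeholders (assumptions); the services still have to be restarted afterwards as in step 8.

```powershell
# Added example, not Commvault code. Run elevated on each Search Engine node.
$ErrorActionPreference = 'Stop'
$InstanceNumber = '<InstanceNumber>'          # ASSUMPTION: placeholder, set per node
$MachineName    = '<MachineName>'             # ASSUMPTION: placeholder, set per node
$ClientIPs      = '192.0.2.10', '192.0.2.11'  # constructed documentation addresses

$key  = "HKLM:\SOFTWARE\CommVaultSystems\Galaxy\$InstanceNumber\Machines\$MachineName\SearchServer"
$name = 'sAllowIPCvAccessControl'
if (-not (Test-Path $key)) { throw "SearchServer key not found: $key" }

# Accept only literal IP addresses in canonical form. TryParse alone would
# accept shorthand such as '1' (parsed as 0.0.0.1), so compare the round trip.
foreach ($ip in $ClientIPs) {
    $parsed = $null
    $ok = [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)
    if (-not $ok -or $parsed.ToString() -ne $ip) {
        throw "Not a literal IP address: '$ip'"
    }
}

# Merge with the current allowlist so existing entries are kept, not replaced.
$existing = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
$current  = @($existing -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
$merged   = @($current + $ClientIPs | Select-Object -Unique)

# Steps 4 to 7: create (or update) the REG_SZ value, comma-separated.
New-ItemProperty -Path $key -Name $name -PropertyType String `
    -Value ($merged -join ',') -Force | Out-Null

# Read the value back so the change can be recorded and reviewed.
$written = (Get-ItemProperty -Path $key -Name $name).$name
Write-Output "$name on $env:COMPUTERNAME = $written"
```

Every address in this value is a host outside the automatically authorized components, so the read-back line is worth collecting from all nodes and comparing during access reviews.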

Configuring Secured Access for Compliance Search

If you want to enable secured access on Compliance Search using HTTPS instead of HTTP, see Configuring Secured Access.

Disable Sharing in Compliance Search

By default, compliance officers can share Review Sets and other entities with permitted users and user groups from the Compliance Search page. You can use a qcommand operation to control this sharing capability from the Compliance Search page for all users. Disabling sharing ensures that information cannot be shared between users or user groups.

  1. Log in to the Web Server machine.
  2. Open the Command Prompt window:
    1. Click Start.
    2. Type cmd, and then press Enter.
  3. At the command prompt, navigate to the <software installation path>\Base folder.
  4. Type qlogin, and then press Enter.
  5. Enter the login credentials of an administrator:
    1. Type the administrator user name, and then press Enter.
    2. Type the administrator password, and then press Enter.

      The password will not display in the command prompt window.

  6. Proceed as follows:
    To disable sharing:
    1. Run the following qscript:

      qoperation execscript -dbn DM2 -c WebServerClientName -sn UpdateSettingValue -si 'DISABLE_SHARING' -si 'True'

      where <WebServerClientName> is the name of the Web Server client as it appears in the CommCell console.

    2. Press Enter.

      After a few moments, the message Qscript Execution Succeeded! appears, indicating that sharing has been disabled in Compliance Search.

    3. Proceed with step 7.
    To enable sharing:
    1. Run the following qscript:

      qoperation execscript -dbn DM2 -c WebServerClientName -sn UpdateSettingValue -si 'DISABLE_SHARING' -si 'False'

      where <WebServerClientName> is the name of the Web Server client as it appears in the CommCell console.

    2. Press Enter.

      After a few moments, the message Qscript Execution Succeeded! appears, indicating that sharing has been enabled in Compliance Search.

    3. Proceed with step 7.
  7. Restart Internet Information Services (IIS):
    1. At the command prompt, type iisreset.
    2. Press Enter.
  8. Close the Command Prompt window.
  9. Restart Tomcat Services:
    1. Click Start.
    2. Type view local services, and then press Enter.

      The Services window appears.

    3. In the list of Services (Local), right-click CommVault Tomcat Service (Instance001), and then select Restart.
  10. Log in to the Compliance Search page to verify that sharing is disabled.

Hide Domains in Compliance Search

By default, compliance officers can view data from all available domains from the Compliance Search page. You can use a qcommand operation to hide certain domains from view. Domains added to the hide list are not visible from the Compliance Search page.

  1. Log in to the Web Server machine.
  2. Open the Command Prompt window:
    1. Click Start.
    2. Type cmd, and then press Enter.
  3. At the command prompt, navigate to the <software installation path>\Base folder.
  4. Type qlogin, and then press Enter.
  5. Enter the login credentials of an administrator:
    1. Type the administrator user name, and then press Enter.
    2. Type the administrator password, and then press Enter.

      The password will not display in the command prompt window.

  6. Proceed as follows:
    To hide a domain:
    1. Run the following qscript:

      qoperation execscript -dbn DM2 -c WebServerClientName -sn UpdateSettingValue -si 'HIDE_COMPLIANCE_DOMAIN_LIST' -si 'domain1,domain2,...'

      where <WebServerClientName> is the name of the Web Server client as it appears in the CommCell console and <domain1>, <domain2> are the domain names you want to hide (comma-separated).

    2. Press Enter.

      After a few moments, the message Qscript Execution Succeeded! appears, indicating that the domains are hidden from Compliance Search.

    3. Proceed with step 7.
    To show a domain:
    1. Run the following qscript:

      qoperation execscript -dbn DM2 -c WebServerClientName -sn UpdateSettingValue -si 'SHOW_COMPLIANCE_DOMAIN_LIST' -si 'domain1,domain2,...'

      where <WebServerClientName> is the name of the Web Server client as it appears in the CommCell console and <domain1>, <domain2> are the domain names you want to show (comma-separated).

    2. Press Enter.

      After a few moments, the message Qscript Execution Succeeded! appears, indicating that the domains are shown in Compliance Search.

    3. Proceed with step 7.
    To reset the hidden or shown domain lists:
    1. Run the following qscript:

      qoperation execscript -dbn DM2 -c WebServerClientName -sn UpdateSettingValue -si '{SHOW_COMPLIANCE_DOMAIN_LIST|HIDE_COMPLIANCE_DOMAIN_LIST}' -si ''

      where <WebServerClientName> is the name of the Web Server client as it appears in the CommCell console.

    2. Press Enter.

      After a few moments, the message Qscript Execution Succeeded! appears, indicating that the list has been reset.

    3. Proceed with step 7.

    If a domain is added to both the SHOW_COMPLIANCE_DOMAIN_LIST and HIDE_COMPLIANCE_DOMAIN_LIST, the HIDE_COMPLIANCE_DOMAIN_LIST setting takes precedence and the domain will not be visible in Compliance Search.

  7. Restart Internet Information Services (IIS):
    1. At the command prompt, type iisreset.
    2. Press Enter.
  8. Close the Command Prompt window.
  9. Log in to the computer where Compliance Search is installed and stop Tomcat services:
    1. Click Start.
    2. Type view local services, and then press Enter.

      The Services window appears.

    3. In the list of Services (Local), right-click CommVault Tomcat Service (Instance001), and then select Stop.
  10. Delete the <installation directory>\Apache\work folder.
  11. Start Tomcat services:
    1. Open the Services window.
    2. In the list of Services (Local), right-click CommVault Tomcat Service (Instance001), and then select Start.
  12. Log in to the Compliance Search page to verify your changes.