DCO Security

Data Center Operation is a client/server configuration. The client runs on standard PC. See System requirements in the DCO user guide.   Default user account for client   When setting up a server, a default apc user account is created for logging on to the client. The default credentials should be changed. See Managing DCO users and user rights in the DCO user guide. Firewall    It is recommended that the firewall is enabled. The firewall will reduce the number of open ports to the required minimum. It will also protect internal services, such as the database, against external attacks. The firewall will allow all outgoing traffic and incoming traffic according Network firewall port details in the DCO user guide.   Software vulnerability, scans and certifications Schneider Electric Vulnerability Handling & Coordinated Disclosure Policy V3.0    End-of-version for Data Center Operation version 8.3.x, its modules, and all prior versions was January 1, 2022. More...   New vulnerability patches for DCO 8.3.x will not be provided.  Upgrade to IT Advisor to use all the new features and get security updates, free for all customers with active support contracts.   The Schneider Electric Cybersecurity Portal is the single source for up-to-date information about cybersecurity vulnerabilities and incidents for installed solutions.   Antivirus   Data Center Operation does not include antivirus in the installation. From a functionality point of view, it is fine to install an antivirus program on the server. We do have experience that antivirus will affect client performance and that performance loss depending on configuration can potential lead to errors.   Logging   The DCO product has several log files capturing kernel, cron job, etc. based on standard Linux capabilities. Furthermore, DCO logs all user account changes, logins and logouts to the Audit Trail log (available with change module license). The logs do not contain confidential information but might include some of the data entered when building the model.   Server log files are stored on the server and are accessible to system administrators via the server configuration interface, Webmin (DCO>Download Log Files).   Client log files are stored in the user folder, e.g. Windows 7: C:\Users\[Username]\.isxo\[Version]\Operations\application.log or Mac: ~/.isxo.   Asset Management Records: Asset additions, changes, moves, and removals are tracked and can be found in Audit Trail report in the Reports section.    User Account Records: User additions, changes, and removals can be configured in User Rights and Authentication. These are tracked and can be found in the Audit Trail report in the Analytics->Reports section.   Database architecture   Currently the database and server make up one unit and cannot be separated. The database and operating system are running on the same partition on the server by default. The database technology is postgreSQL and cannot be exchanged with any other database type or technology. The database is protected using RSA 2048 bits certificate password encryption.     ETL is open to other database types and technologies. You can find more information about ETL here.  

These instructions apply to the OS user on the DCO server, that is, the user used during the DCO server installation process, and not the DCO user on the desktop and web clients. To reset the user password on the DCO server: 1. Insert the DCO installation media (USB key, DVD, or out-of-band management (OOM) interface) and reboot the server and ensure the DCO installation media is booted up. 2. In the installation boot menu select Troubleshooting and then select Rescue a CentOS system. 3. In rescue mode you are presented with 4 options. Type 1 for 1) Continue and press <return>. 4. When you see Rescue Mount, press <return> and type chroot /mnt/sysimage . 5. To change the password type  passwd <username>  where  <username>  is the name of the user created during setup. 6. Type the new password. Username is not allowed to be part of the password. 7. To exit chroot type: exit . 8. Reboot the server by typing reboot . 9. Remember to remove the DCO installation media. 106205195_1152x250_360012049097.gif

Network protocol and ports (incoming ports allowed by the firewall) The firewall provides basic protection. If protection against sophisticated attacks is required, using a dedicated firewall product is recommended. Communication across a NAT firewall is not supported. The following protocols and ports are used by Data Center Operation: Protocol Transfer protocol Port(s) Network Credentials/Access Encryption Comments HTTP / HTTPS TCP 80 / 443 Latency less than 200 ms, bandwidth minimum 1 Mbps. Bandwidth usage between client and server heavily depends on size of solution, number of users and the type of operations done to the solution. Manually created user and password (default apc/apc) Authentication server integration support There is no option to reset client user password Password policy is not implemented in DCO but can be enforced using Authentication servers. Password can be ASCII format and numbers Only using HTTPS TLSv1.2 Communication between server and clients. HTTP can be disabled or redirected to HTTPS for improved security. SNMP UDP 161 Basic system information and status of the Operation service will be exposed. More information can be found here The SNMP server can be disabled using the Server Configuration interface SNMP community string is default "public" For added security from v7.3.6, disable SNMPv1 and configure SNMPv3. More...   PostgreSQL TCP 5432 Depending on system integration the bandwidth requirements should be specified accordingly. As specified in external system ETL configuration Default MD5 authentication Otherwise depending on database integration created ETL communication between database and server Webmin TCP 10000 Very limited bandwidth requirements in normal operation. Downloading/uploading backups will increase the bandwidth requirements significantly. Manually created user and password during installation User password reset instructions Yes Server configuration interface at https://<server ip>:10000 Ping ICMP   Will reply to ping requests       External systems related protocols (outgoing, default (can be edited)) HTTP TCP (SSL/TLS) 80 (443) Depending on system integration being used. For Data Center Expert it is estimated that every alarm will be around 2000 characters in size. Sensor data has approximately the same size but is transferred more often (depending on the integration configuration). The alarm and sensor data are bidirectional communicated with the majority of data going to DCO. A catch-up job is run on a hourly basis (configurable) this job will poll number of active alarms * 2000 chars. As specified in external system configuration Depending on system integration VMware, SCOM, Cisco UCS SMTP TCP 25 Email traffic from the DCO is limited and "user generated" via e.g. work order execution, some system configuration etc. As specified in external system configuration Not supported communication with e-mail server DNS TCP/UDP 53 Very limited traffic and bandwidth requirement As specified in external system configuration Not supported DNS server communication NFS TCP/UDP 111 Depending on system integration As specified in external system configuration Not supported by protocol NFS mounted external drive NTP UDP 123 Very limited traffic and bandwidth requirement As specified in external system configuration Depending on system integration NTP server communication SMB TCP/UDP 139 Depending on system integration As specified in external system configuration Depending on system integration SMB communication to NAS/SAN CIFS TCP 445 Depending on system integration As specified in external system configuration Depending on system integration CIFS communication to NAS/SAN NFS TCP/UDP 2049 Depending on system integration As specified in external system configuration Not supported by protocol NFS communication to NAS/SAN

  The DCO server is installed with self-signed security certificate. When connecting to the server from a web browser, you may receive warnings about the security certificate. It is recommended, after the installation of DCO is complete, to purchase and install a security certificate issued by a trusted certificate authority.  To change the certificate on the DCO server, your SSL certificate be an Apache 2.x/PEM format certificate consisting of two files: *.key and *.crt. See How to manually create a certificate signing request (CSR) from an ITA/DCO server It is best practice to disable access to the web clients before starting to update any certificates to ensure no client is connected with a false certificate. If your setup includes a disaster recovery node and you need a certificate on it, upload certificates to the DR server in the same way as for a standalone server. Preparing a certificate for upload Password A password protected key is not supported. Strip the password from the key before uploading it.  Intermediate or certificate bundle If your certificate chain requires an intermediate certificate, append it to the .cert file. When appending, ensure you include everything, including the lines: " -----BEGIN CERTIFICATE----- " & " -----END CERTIFICATE----- " as there may be several lines for this intermediate certificate. No users in the system during upload The Apache HTTPD server will be reloaded during this process, so ensure no users are using the system during the upload. Uploading a certificate Open the Webmin web interface by selecting Administration>Webmin in the Data Center Operation web client. Alternatively, type the address of your Data Center Operation server in a Web browser followed by :10000,  https://<DCO server IP>:10000  .   Log into Webmin using the user credentials created during the installation and in the left menu, select StruxureWare DC Operation. In the submenu, select Certificates. Follow the instructions on the page. Verify everything is working correctly by launching a web client and checking there's a green padlock icon in the address line. 106207189_1255x250_360036928393.png