Platform locking

You can use the ECS Portal to lock remote access to nodes.

ECS can be accessed through the ECS Portal or the ECS Management REST API by management users assigned administration roles. ECS can also be accessed at the node level by a privileged default node user named admin that is created during the initial ECS install. This default node user can perform service procedures on the nodes and has access to them in two ways:

  • By directly connecting to a node through the management switch with a service laptop and using SSH or the CLI to directly access the node's operating system.
  • By remotely connecting to a node over the network using SSH or the CLI to directly access the node's operating system.

For more information about the default admin node-level user, see the ECS Security Configuration Guide, available from the ECS Product Documentation page.

Node locking provides a layer of security against remote node access. Without node locking, the admin node-level user can remotely access nodes at any time to collect data, configure hardware, and run Linux commands. If all the nodes in a cluster are locked, then remote access can be planned and scheduled for a defined window to minimize the opportunity for unauthorized activity.

You can lock selected nodes in a cluster or all the nodes in the cluster by using the ECS Portal or the ECS Management REST API. Locking affects only the ability to remotely access (SSH to) the locked nodes. Locking does not change the way the ECS Portal and the ECS Management REST API access nodes, and it does not affect the ability to directly connect to a node through the management switch.

For node maintenance using remote access, you can unlock a single node to allow remote access to the entire cluster by using SSH as the admin user. After the admin user successfully logs in to the unlocked node using SSH, the admin user can SSH from that node to any other node in the cluster through the private network.

You can unlock nodes to remotely use commands that provide OS-level read-only diagnostics.

Node lock and unlock events appear in audit logs and Syslog. Failed attempts to lock or unlock nodes also appear in the logs.
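Because lock and unlock events are logged, a defender can check them against the planned maintenance window described above. The following is an added example, not part of the ECS documentation or product: it parses constructed syslog-style lines (the line format, host names and user names are assumptions, not the real ECS log format) and flags unlocks outside the approved window, failed lock/unlock attempts, and nodes left unlocked at the end of the log.

```python
import re
from datetime import datetime, time, timezone

# Constructed sample audit/syslog lines. The format, hosts and user names are
# assumptions for this example, not the real ECS log format.
SAMPLE_LOG = """\
2024-03-04T02:15:07Z ecs-node-1 nodelock: node=ecs-node-3 action=unlock user=mgmt-admin result=success
2024-03-04T02:20:42Z ecs-node-1 nodelock: node=ecs-node-3 action=lock user=mgmt-admin result=success
2024-03-04T09:42:11Z ecs-node-1 nodelock: node=ecs-node-2 action=unlock user=mgmt-admin result=success
2024-03-04T09:50:30Z ecs-node-1 nodelock: node=ecs-node-2 action=lock user=mgmt-admin result=success
2024-03-04T23:05:00Z ecs-node-1 nodelock: node=ecs-node-4 action=unlock user=mgmt-admin result=failure
2024-03-04T23:06:10Z ecs-node-1 nodelock: node=ecs-node-4 action=unlock user=mgmt-admin result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ nodelock: node=(?P<node>\S+) action=(?P<action>lock|unlock) "
    r"user=(?P<user>\S+) result=(?P<result>success|failure)$"
)


def parse_event(line):
    """Return a dict for a lock/unlock line, or None for unrelated lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def find_anomalies(log_text, window_start=time(9, 0), window_end=time(12, 0)):
    """Flag unlocks outside the approved window (UTC), failed attempts, and
    nodes still unlocked at the end of the log (an unlock with no later lock)."""
    findings = []
    unlocked = {}  # node -> timestamp of the unlock that is still open
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["result"] == "failure":
            findings.append(("failed_attempt", ev["node"], ev["ts"]))
            continue
        if ev["action"] == "unlock":
            if not (window_start <= ev["ts"].time() < window_end):
                findings.append(("unlock_outside_window", ev["node"], ev["ts"]))
            unlocked[ev["node"]] = ev["ts"]
        else:
            unlocked.pop(ev["node"], None)
    for node, ts in unlocked.items():
        findings.append(("still_unlocked", node, ts))
    return findings
```

On the sample above the check reports the 02:15 unlock of ecs-node-3 and the 23:06 unlock of ecs-node-4 as outside the window, the 23:05 failure as a failed attempt, and ecs-node-4 as still unlocked.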