Setting up SSL encryption using Device Manager - Storage Navigator

System Administrator Guide for VSP E990 and VSP G130, G/F350, G/F370, G/F700, G/F900

To improve the security of remote operations from a Device Manager - Storage Navigator SVP to a storage system, you can set up Secure Sockets Layer (SSL) encrypted communication. When SSL encryption is set up, the Device Manager - Storage Navigator user ID and password are encrypted.

SSL communication can be established between the management client and the SVP using the following supported protocols and port numbers:

Protocol           Port Number
RMI                11099
RMI                51100
SMI-S              5989
HTTPS (raidinf)    5443

The SSL communication can be established between the following servers and the SVP:

  • Key management server
  • Authentication server
  • Authorization server
  • Hitachi Command Suite server
Note: To enable SSL, the private and public key pair and SVP server certificate must be valid. If either the keys or the certificate is expired, the user cannot connect to the SVP.
Note: The extended profile fields in the X.509 certificate support the following items as specified in RFC5280:
  • BasicConstraints
  • KeyUsage
  • SubjectKeyIdentifier
  • subjectAltName
Note: To add the Secure attribute to cookies using Device Manager - Storage Navigator, you must block HTTP communication. For details, see Blocking HTTP communication to the management client.
Note: Device Manager - Storage Navigator supports HTTP Strict Transport Security (HSTS) with a maximum age of 31,536,000 seconds (1 year). To enable HSTS, you must use a security certificate issued by a trusted root certificate authority for your Device Manager - Storage Navigator domain. HSTS is valid for one year (31,536,000 seconds) and is renewed automatically every time the HSTS header is sent to the browser. The security certificate to use is determined by the browser. For details, contact your browser vendor.
Note: If HSTS is enabled on a Web application on a server where you want to install Device Manager - Storage Navigator, use a separate domain for each application, and make sure that domain is the one written to that application's security certificate. If you use the same domain, the HSTS settings are applied to all Web applications that use the domain, and all connections are switched to https. If you have an application that can be accessed only through http, you cannot establish a connection to it.
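
The validity note above says an expired key pair or SVP server certificate stops users from connecting, so the expiry date is worth monitoring on every port in the table. The following Python check is an added example, not part of the original guide or of any Hitachi tooling. It assumes each listed port accepts a direct TLS handshake and that you hold the CA (or self-signed) certificate file for the SVP; the function names, the host name and the sample certificate are hypothetical.

```python
import socket
import ssl
import time

# Protocols and ports from the table on this page.
SVP_PORTS = {11099: "RMI", 51100: "RMI", 5989: "SMI-S", 5443: "HTTPS (raidinf)"}
# Constructed sample in the dict shape returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "svp.example.com"),),
}

def assess_cert(cert, now=None, warn_days=30):
    """Classify a certificate's validity window at `now` (epoch seconds)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    if now < not_before:
        status = "not-yet-valid"
    elif now >= not_after:
        status = "expired"
    elif days_left < warn_days:
        status = "expiring"
    else:
        status = "ok"
    san = [value for _kind, value in cert.get("subjectAltName", ())]
    return {"status": status, "days_left": days_left, "san": san}

def fetch_cert(host, port, cafile, timeout=5.0):
    """Handshake with full verification against `cafile`; return the parsed cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def audit_svp(host, cafile, fetch=fetch_cert, now=None):
    """Check every listed port; an already expired cert shows as verify-failed."""
    report = {}
    for port, proto in SVP_PORTS.items():
        try:
            report[port] = dict(assess_cert(fetch(host, port, cafile), now), protocol=proto)
        except ssl.SSLCertVerificationError as exc:
            reason = getattr(exc, "verify_message", None) or str(exc)
            report[port] = {"status": "verify-failed", "reason": reason, "protocol": proto}
        except OSError as exc:
            report[port] = {"status": "unreachable", "reason": str(exc), "protocol": proto}
    return report
```

Run `audit_svp("<svp-host>", "<ca-file>")` on a schedule and alert on any status other than `ok`; the `san` list shows which names the certificate's subjectAltName extension actually covers.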