To improve the security of remote operations from a Device Manager - Storage Navigator SVP to a storage system, you can set up Secure Sockets Layer (SSL) encrypted communication. When SSL encryption is enabled, the Device Manager - Storage Navigator user ID and password are encrypted in transit.
SSL communication can be established between the management client and the SVP using the following supported protocols and port numbers:
| Protocol | Port Number |
|---|---|
| HTTPS | 443 |
| RMI | 11099 |
| RMI | 51100 |
| SMI-S | 5989 |
| HTTPS (raidinf) | 5443 |
SSL communication can also be established between the following servers and the SVP:
- Key management server
- Authentication server
- Authorization server
- Hitachi Command Suite server
Note: To enable SSL, the private and public key pair and the SVP server certificate must be valid. If either the keys or the certificate has expired, the user cannot connect to the SVP.
Note: The extension fields in the X.509 certificate support the following items as specified in RFC 5280:
- BasicConstraints
- KeyUsage
- SubjectKeyIdentifier
- subjectAltName
Note: To add the Secure attribute to cookies issued by Device Manager - Storage Navigator, you must block HTTP communication. For details, see Blocking HTTP communication to the SVP.
Note: Device Manager - Storage Navigator supports HTTP Strict Transport Security (HSTS) with a maximum max-age of 31,536,000 seconds (1 year). To enable HSTS, you must use a security certificate issued by a trusted root certificate authority for your Device Manager - Storage Navigator domain. HSTS is valid for one year (31,536,000 seconds), and the period is renewed automatically every time the HSTS header is sent to the browser. Which security certificate is used is determined by the browser; for details, contact your browser vendor.
Note: If HSTS is enabled for a Web application on the server where you intend to install Device Manager - Storage Navigator, use a separate domain for each application, written into that application's security certificate. If you use the same domain, the HSTS settings are applied to all Web applications that use the domain, and all connections are switched to HTTPS. An application that can be accessed only through HTTP then becomes unreachable.