To improve the security of remote operations from a Device Manager - Storage Navigator SVP to a storage system, you can set up Secure Sockets Layer (SSL) encrypted communication. When SSL encryption is set up, the Device Manager - Storage Navigator user ID and password are encrypted.
SSL communication can be established between the management client and the SVP using the protocols and port numbers specified in the following table.
| Protocol | Port Number |
|---|---|
| HTTPS | 443 |
| RMI | 1099 |
| RMI | 51100-51355. When a storage system is registered, an unused port number in this range is automatically allocated, and a firewall is set. The allocated port number is used when the storage system starts. |
| SMI-S | 5989-6244. When a storage system is registered, an unused port number in this range is automatically allocated, and a firewall is set. The allocated port number is used when the storage system starts. |
SSL communication can be established between the following servers and the SVP:
- Key management server
- External authentication or authorization server
- Hitachi Ops Center server
- Hitachi Command Suite server
Note: To enable SSL, the private and public key pair and SVP server certificate must be valid. If either the keys or the certificate is expired, the user cannot connect to the SVP.
Note: The extended profile fields in the X.509 certificate support the following items as specified in RFC 5280:
- BasicConstraints
- KeyUsage
- SubjectKeyIdentifier
In addition, if you use a key management server (KMS) and an external authentication or authorization server for VSP E series with DKCMAIN firmware version 93-06-22 or later, the following extensions are also supported:
- Authority Key Identifier
- Certificate Policies
- Subject Alternative Name
- Name Constraints
- Policy Constraints
- Extended Key Usage
- Inhibit anyPolicy
Do not use an extension other than those listed above.
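One way to check a candidate certificate against the two extension lists above before installing it. This is an added example, not Hitachi code: it assumes the usual indentation layout of `openssl x509 -noout -text` output, the function names are hypothetical, and the sample text is constructed.

```python
import re

# Extension names exactly as the page lists them.
BASE = {"BasicConstraints", "KeyUsage", "SubjectKeyIdentifier"}
# Extra names the page allows for KMS / external authentication servers on
# VSP E series with DKCMAIN firmware 93-06-22 or later.
EXTENDED = BASE | {
    "Authority Key Identifier", "Certificate Policies",
    "Subject Alternative Name", "Name Constraints", "Policy Constraints",
    "Extended Key Usage", "Inhibit anyPolicy",
}

def _norm(name):
    # Drop OpenSSL's "X509v3 " prefix, whitespace and case before comparing.
    return re.sub(r"\s+", "", re.sub(r"^X509v3\s+", "", name.strip())).lower()

def listed_extensions(text):
    """Extension names found in `openssl x509 -noout -text` output."""
    names, base_indent = [], None
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        indent = len(line) - len(line.lstrip())
        if base_indent is None:
            if line.strip() == "X509v3 extensions:":
                base_indent = indent
        elif indent <= base_indent:
            break                        # left the extensions section
        elif indent == base_indent + 4:  # name lines; values sit deeper
            m = re.match(r"(.+?):\s*(?:critical)?$", line.strip())
            if m:
                names.append(m.group(1))
    return names

def unsupported_extensions(text, extended=False):
    allowed = {_norm(n) for n in (EXTENDED if extended else BASE)}
    return [n for n in listed_extensions(text) if _norm(n) not in allowed]

# Constructed sample (not taken from a real certificate).
SAMPLE = """\
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:svp.example.test
            Authority Information Access:
                OCSP - URI:http://ocsp.example.test
    Signature Algorithm: sha256WithRSAEncryption
"""
print(unsupported_extensions(SAMPLE), unsupported_extensions(SAMPLE, extended=True))
```

Pass `extended=True` only for the KMS and external authentication or authorization server case described above; any name returned is an extension the certificate should not carry.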
Note: Device Manager - Storage Navigator supports HTTP Strict Transport Security (HSTS) with a max-age of 31,536,000 seconds (1 year). To enable HSTS, you must use a security certificate issued by a trusted root certificate authority for your Device Manager - Storage Navigator domain. HSTS is valid for one year (31,536,000 seconds) and is renewed automatically every time the HSTS header is sent to the browser. The security certificate to use is determined by the browser. For details, contact your browser vendor.
Note: If HSTS is enabled on a Web application on the server where you want to install Device Manager - Storage Navigator, use a domain that is written to the security certificate specific to each application. If you use the same domain, the HSTS settings are applied to all Web applications that use the domain, and all connections are switched to HTTPS. If you have an application that can be accessed only through HTTP, you cannot establish a connection to it.