Setting up SSL encryption using Device Manager - Storage Navigator

System Administrator Guide for Virtual Storage Platform E Series

Version: 93-07-0x
Audience: anonymous
Part Number: MK-97HM85028-18

To improve security of remote operations from a Device Manager - Storage Navigator SVP to a storage system, you can set up Secure Sockets Layer (SSL) encrypted communication. By setting SSL encryption, the Device Manager - Storage Navigator User ID and Password are encrypted.

SSL communication can be established between the management client and the SVP using the protocols and port numbers specified in the following table.

Protocol   Port Number
HTTPS      443
RMI        1099
RMI        51100-51355 *
SMI-S      5989-6244 *

* When a storage system is registered, an unused port number in this range is automatically allocated, and a firewall is set. The allocated port number is used when the storage system starts.

SSL communication can be established between the following servers and the SVP:

  • Key management server
  • External authentication or authorization server
  • Hitachi Ops Center server
  • Hitachi Command Suite server
Note: To enable SSL, the private and public key pair and SVP server certificate must be valid. If either the keys or the certificate is expired, the user cannot connect to the SVP.
Note: The extended profile fields in the X.509 certificate support the following items as specified in RFC 5280:
  • BasicConstraints
  • KeyUsage
  • SubjectKeyIdentifier
In addition, if you use a key management server (KMS) and an external authentication or authorization server for VSP E series with DKCMAIN firmware version 93-06-22 or later, the following extensions are also supported:
  • Authority Key Identifier
  • Certificate Policies
  • Subject Alternative Name
  • Name Constraints
  • Policy Constraints
  • Extended Key Usage
  • Inhibit anyPolicy

Do not use an extension other than those listed above.

Note: To add the Secure attribute to cookies using Device Manager - Storage Navigator, you must block HTTP communication. For details, see Blocking HTTP communication to the SVP.
Note: Device Manager - Storage Navigator supports HTTP Strict Transport Security (HSTS) with a maximum duration (max-age) of 31,536,000 seconds (1 year). To enable HSTS, you must use a security certificate issued by a trusted root certificate authority for your Device Manager - Storage Navigator domain. HSTS is valid for one year (31,536,000 seconds), and it is renewed automatically every time the HSTS header is sent to the browser. The security certificate to use is determined by the browser. For details, contact your browser vendor.
Note: If HSTS is enabled on a Web application on a server on which you want to install Device Manager - Storage Navigator, use a domain that is specified in the security certificate specific to each application. If you use the same domain, the HSTS settings are applied to all Web applications that use that domain, and all connections are switched to HTTPS. If you have an application that can be accessed only through HTTP, you cannot establish the connection.
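The following script is an added example (not Hitachi's code) that checks the SVP certificate prerequisites and the HSTS limit described in the notes above. It works on an already-parsed certificate summary (a dict constructed below, with RFC 5280 extension names) rather than on DER, so it runs offline without third-party libraries; the sample values are hypothetical.

```python
from datetime import datetime, timezone

# Extensions the guide permits in an SVP certificate at every firmware level.
BASE_EXTENSIONS = {"BasicConstraints", "KeyUsage", "SubjectKeyIdentifier"}
# Additional extensions permitted for KMS and external authentication or
# authorization servers on DKCMAIN 93-06-22 or later.
EXTENDED_EXTENSIONS = BASE_EXTENSIONS | {
    "AuthorityKeyIdentifier", "CertificatePolicies", "SubjectAlternativeName",
    "NameConstraints", "PolicyConstraints", "ExtendedKeyUsage", "InhibitAnyPolicy",
}
HSTS_MAX_AGE_LIMIT = 31_536_000  # one year, the maximum the SVP supports

def check_certificate(cert, now, extended_profile=False):
    """Return findings for a parsed certificate summary; [] means acceptable.
    cert = {"not_before": datetime, "not_after": datetime, "extensions": [str]}
    """
    findings = []
    if not cert["not_before"] <= now <= cert["not_after"]:
        findings.append("certificate outside validity period: users cannot connect to the SVP")
    allowed = EXTENDED_EXTENSIONS if extended_profile else BASE_EXTENSIONS
    findings += [f"unsupported extension: {e}" for e in cert["extensions"] if e not in allowed]
    return findings

def check_hsts(header):
    """Return findings for a Strict-Transport-Security header value; [] means acceptable."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.lower()] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return ["max-age directive missing or not a number"]
    if int(max_age) > HSTS_MAX_AGE_LIMIT:
        return [f"max-age {max_age} exceeds the supported limit of {HSTS_MAX_AGE_LIMIT}"]
    return []

# Constructed sample data (hypothetical, not taken from a real SVP).
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def sample_certificate(expired=False):
    return {
        "not_before": datetime(2023, 1, 1, tzinfo=timezone.utc),
        "not_after": datetime(2024 if expired else 2026, 1, 1, tzinfo=timezone.utc),
        "extensions": ["BasicConstraints", "KeyUsage", "SubjectKeyIdentifier",
                       "SubjectAlternativeName"],
    }

if __name__ == "__main__":
    cert = sample_certificate()
    print("base profile:", check_certificate(cert, SAMPLE_NOW))
    print("extended profile:", check_certificate(cert, SAMPLE_NOW, extended_profile=True))
    print("hsts:", check_hsts("max-age=31536000; includeSubDomains"))
```

The same certificate passes only under the extended profile, because SubjectAlternativeName is not in the base list.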