Command processing system by a management agent

US 20040111391A1
Filed: 08/08/2003
Published: 06/10/2004
Est. Priority Date: 11/08/2002
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising a computer, a storage subsystem, and a management computer, so arranged that the management computer comprises a control unit that issues commands for managing the computer or the storage subsystem and an interface unit that sends the commands to the computer or the storage subsystem;

and the storage subsystem comprises an interface unit that receives commands from the management computer and a control unit that determines whether to permit the execution of the commands against part or all of the storage area of the storage subsystem, based on the type of the communication path between the management computer and the storage subsystem.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a system where a management application sends commands to a remotely-located agent over a network, the agent maintains a security specification table defining the security level for each combination of the cipher and authentication algorithms of the communication path to/from the management application and a required security level table defining the minimum security level required for the execution of each command. Upon receiving a command from the management application, the agent obtains, by referencing these tables, the operational security level of the communication path and the required security level for the command, and executes the command only if the former is greater than or equal to the latter. This mechanism ensures high security in system management by preventing a malicious intruder from executing potent commands that can cause a down of a computer system, without unreasonably limiting the use of the management application by the system administrator.

35 Citations

View as Search Results

22 Claims

1. A computer system comprising a computer, a storage subsystem, and a management computer, so arranged that the management computer comprises a control unit that issues commands for managing the computer or the storage subsystem and an interface unit that sends the commands to the computer or the storage subsystem;
- and the storage subsystem comprises an interface unit that receives commands from the management computer and a control unit that determines whether to permit the execution of the commands against part or all of the storage area of the storage subsystem, based on the type of the communication path between the management computer and the storage subsystem.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A computer system of claim 1, wherein the control unit of the storage subsystem determines whether to permit the execution of the commands against part or all of the storage area of the storage subsystem, based on the type of the communication path between the management computer and the storage subsystem and also on the type of the commands.
  - 3. A computer system of claim 2, wherein the type of the communication path is specifically the level of security of the communication path and the type of the command is specifically the security level required for its execution.
  - 4. A computer system of claim 3, wherein the level of security of the communication path is determined by the kind of the cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem.
  - 5. A computer system of claim 3, wherein the level of security of the communication path is determined by the strength or robustness of the cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem.
  - 6. A computer system of claim 3, wherein the level of security of the communication path is determined by the key length of the cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem.
  - 7. A computer system of claim 3, wherein the security level required for the execution of the command is determined by the kind of the data contained in the storage area that is subject to the operation based on the command.
  - 8. A computer system of claim 3, wherein a higher level of security for execution is assigned to commands that can delete or erase the contents of the storage area that is subject to the operation based on them than to commands that would not.
  - 9. A computer system of claim 3, wherein the storage subsystem further comprises a memory that stores tables indicating the security levels of the communication paths and the security levels required for the execution of the commands.

10. A storage subsystem comprising:
- a data storage area, an interface unit that receives management commands from a management computer, and a control unit that determines whether to permit the execution of the management commands against the data storage area, based on the security level of the communication path to and from the management computer and also on the security level required for the execution of such commands.

11. A management computer for managing a computer, a storage subsystem, and a connection control unit that controls the connection between the computer and the storage subsystem, each of these three being generically called a device, the management computer comprising:
- a control unit that issues commands for managing the device, and an interface unit that sends the commands to the device;
  
  the control unit being designed to determine whether or not to issue or send the commands to the device, based on the security level of the communication path to and from the device and also on the security level required for the execution of the commands.
- View Dependent Claims (12)
- - 12. A management computer of claim 11, further comprising a memory that stores tables indicating the security levels of the communication paths and the security levels required for the execution of the commands.

13. A computer system comprising a computer, a storage subsystem, a connection control unit that controls the connection between the computer and the storage subsystem, and a management computer that manages the computer, the storage subsystem, and the connection control unit;
- the management computer comprising a control unit that issues commands for managing the computer, the storage subsystem, or the connection control unit, these three being generically called the device, and an interface unit that sends the commands to the device; and
  
  each of the devices comprising an interface unit that receives the commands from the. computer and a control unit that determines whether to execute them, based on the type of the communication path between the management computer and the device and also on the type of the commands.
- View Dependent Claims (14)
- - 14. A computer system of claim 13, wherein the device further comprises a memory that stores tables indicating the security levels of the communication paths and the security levels required for the execution of the commands.

15. A program providing a storage subsystem having a data storage area with:
- a capability to receive commands from a management computer, and a capability to determine whether to permit the execution of the commands against the data storage area, based on the security level of the communication path to and from the management computer and also on the security level required for the execution of the commands.
- View Dependent Claims (17)
- - 17. A storage medium storing a program of claim 15 and being readable by the storage subsystem.

16. An access management method for managing access requests for a storage subsystem comprising the operations of:
- receiving commands from a management computer, and determining whether to permit the execution of the commands against a storage area of the storage subsystem, based on the security level of the communication path to and from the management computer and also on the security level required for the execution of the commands.

18. A command processing system for processing commands sent through a communication path between a management application and a management agent, comprising:
- a memory that stores a first table pre-registering the security levels of the communication path between the management application and the management agent and a second table pre-registering the security levels required for the execution of commands that the management application requests the management agent to execute;
  
  a first means of obtaining, for each command sent from the management application to the management agent, the operational security level for the command by referencing the first table;
  
  a second means of obtaining, for each command sent from the management application to the management agent, the required security level by referencing the second table;
  
  a third means of comparing the operational security level obtained by the first means and the required security level obtained by the second means; and
  
  a fourth means of determining whether to permit the execution of the command based on the result of the comparison made by the third means.
- View Dependent Claims (19, 20, 21, 22)
- - 19. A command processing system of claim 18, wherein the first table lists the cipher algorithms and the authentication algorithms used on the communication path between the management application and the management agent, together with the security level assigned to each combination of the cipher and authentication algorithms.
  - 20. A command processing system of claim 18, wherein the second table lists the commands defined between the management application and the management agent, together with the security level required for the execution of each of the commands.
  - 21. A command processing system of claim 18, wherein the fourth means grants permission for command execution when the comparison made by the third means indicates that the operational security level is greater than or equal to the required security level.
  - 22. A command processing system of claim 18, wherein the memory further stores a third table registering the history of the commands issued from the management application to the management agent and a fourth table holding the security level uplift value for each client ID that is determined according to the result of judgment (execution permitted or rejected) recorded in the third table;
    - a means is provided for adding the security level uplift value obtained from the fourth table to the required security level obtained by the second means; and
      
      the required security level thus modified is used in the comparison using the third means.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Kaneda, Yasunori, Fujita, Takahiro

Granted Patent

US 7,257,843 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/1
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/57   Certifying or maintaining t...

Y10S 707/99939   Privileged access

Command processing system by a management agent

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

35 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Command processing system by a management agent

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

35 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links