Command processing system by a management agent
Abstract
In a system where a management application sends commands to a remotely-located agent over a network, the agent maintains a security specification table defining the security level for each combination of the cipher and authentication algorithms of the communication path to/from the management application and a required security level table defining the minimum security level required for the execution of each command. Upon receiving a command from the management application, the agent obtains, by referencing these tables, the operational security level of the communication path and the required security level for the command, and executes the command only if the former is greater than or equal to the latter. This mechanism ensures high security in system management by preventing a malicious intruder from executing potent commands that can bring down a computer system, without unreasonably limiting the use of the management application by the system administrator.
22 Claims
1. A computer system comprising a computer, a storage subsystem, and a management computer,
so arranged that the management computer comprises a control unit that issues commands for managing the computer or the storage subsystem and an interface unit that sends the commands to the computer or the storage subsystem; and
the storage subsystem comprises an interface unit that receives commands from the management computer and a control unit that determines whether to permit the execution of the commands against part or all of the storage area of the storage subsystem, based on the type of the communication path between the management computer and the storage subsystem. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
10. A storage subsystem comprising:
a data storage area, an interface unit that receives management commands from a management computer, and a control unit that determines whether to permit the execution of the management commands against the data storage area, based on the security level of the communication path to and from the management computer and also on the security level required for the execution of such commands.
11. A management computer for managing a computer, a storage subsystem, and a connection control unit that controls the connection between the computer and the storage subsystem, each of these three being generically called a device, the management computer comprising:
a control unit that issues commands for managing the device, and an interface unit that sends the commands to the device;
the control unit being designed to determine whether or not to issue or send the commands to the device, based on the security level of the communication path to and from the device and also on the security level required for the execution of the commands. - View Dependent Claims (12)
13. A computer system comprising a computer, a storage subsystem, a connection control unit that controls the connection between the computer and the storage subsystem, and a management computer that manages the computer, the storage subsystem, and the connection control unit;
the management computer comprising a control unit that issues commands for managing the computer, the storage subsystem, or the connection control unit, these three being generically called the device, and an interface unit that sends the commands to the device; and
each of the devices comprising an interface unit that receives the commands from the computer and a control unit that determines whether to execute them, based on the type of the communication path between the management computer and the device and also on the type of the commands. - View Dependent Claims (14)
15. A program providing a storage subsystem having a data storage area with:
a capability to receive commands from a management computer, and a capability to determine whether to permit the execution of the commands against the data storage area, based on the security level of the communication path to and from the management computer and also on the security level required for the execution of the commands. - View Dependent Claims (17)
16. An access management method for managing access requests for a storage subsystem comprising the operations of:
receiving commands from a management computer, and determining whether to permit the execution of the commands against a storage area of the storage subsystem, based on the security level of the communication path to and from the management computer and also on the security level required for the execution of the commands.
18. A command processing system for processing commands sent through a communication path between a management application and a management agent, comprising:
a memory that stores a first table pre-registering the security levels of the communication path between the management application and the management agent and a second table pre-registering the security levels required for the execution of commands that the management application requests the management agent to execute;
a first means of obtaining, for each command sent from the management application to the management agent, the operational security level for the command by referencing the first table;
a second means of obtaining, for each command sent from the management application to the management agent, the required security level by referencing the second table;
a third means of comparing the operational security level obtained by the first means and the required security level obtained by the second means; and
a fourth means of determining whether to permit the execution of the command based on the result of the comparison made by the third means. - View Dependent Claims (19, 20, 21, 22)
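The two-table check described in the abstract and in claim 18, sketched as an added example (not code from the patent or its assignee). The algorithm names, command names and level numbers are constructed sample values; treating unlisted cipher/authentication combinations as the lowest level and refusing unregistered commands are assumptions of this example.

```python
"""Agent-side command gate: execute only if path level >= required level."""

# Security specification table: (cipher, authentication) -> security level.
# Algorithm names and levels are constructed sample values.
SECURITY_SPEC = {
    ("none", "none"): 0,
    ("none", "hmac-md5"): 1,
    ("3des", "hmac-sha1"): 2,
    ("aes-256", "hmac-sha256"): 3,
}

# Required security level table: command -> minimum level.
# Command names are hypothetical storage-management operations.
REQUIRED_LEVEL = {
    "get_volume_status": 0,
    "set_alert_threshold": 1,
    "create_volume": 2,
    "delete_volume": 3,
}


def operational_level(cipher, auth):
    """Level of the path; unlisted combinations get the lowest level (assumption)."""
    return SECURITY_SPEC.get((cipher.lower(), auth.lower()), 0)


def required_level(command):
    """Minimum level for a command; None when the command is not registered."""
    return REQUIRED_LEVEL.get(command)


def permit(command, cipher, auth):
    """Return (allowed, reason). Unregistered commands are refused (assumption)."""
    need = required_level(command)
    if need is None:
        return False, "unregistered command"
    have = operational_level(cipher, auth)
    if have >= need:
        return True, f"path level {have} >= required {need}"
    return False, f"path level {have} < required {need}"


if __name__ == "__main__":
    # Constructed requests: (command, negotiated cipher, negotiated auth).
    for req in [("get_volume_status", "none", "none"),
                ("delete_volume", "3des", "hmac-sha1"),
                ("delete_volume", "AES-256", "HMAC-SHA256"),
                ("wipe_array", "aes-256", "hmac-sha256")]:
        print(req, permit(*req))
```

The cipher and authentication values passed to `permit` should be the ones the agent's transport layer actually negotiated for the session, not fields carried in the request itself.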
Specification