Computer system, management computer and data management method

US 20060090072A1
Filed: 01/24/2005
Published: 04/27/2006
Est. Priority Date: 10/27/2004
Status: Abandoned Application

First Claim

Patent Images

1. A computer system comprising a computer which executes a job, a storage apparatus which is connected with said computer and which has a memory area for storing encrypted data which is encrypted to data used by said computer, a encryption-decryption apparatus which performs encryption-decryption to the data stored in said storage apparatus and a management computer which manages said computer, said storage apparatus and said encryption-decryption apparatus, wherein said management computer judges the necessity of the decryption of the data which is stored per each job in said storage apparatus to an execution request for the job of said computer;

decrypts said encrypted data and sets up a first path between said computer and said storage apparatus for providing said computer with the decrypted data to an execution request for a first job from the computer;

sets up a second path for providing said computer with said encrypted data without performing the decryption to an execution request for a second job from the computer, and said computer acquires the data relating to said first job in a decrypted state through said first path and acquires the data of an encrypted state through said second path to said execution request for the second job.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

With respect to an administrator in a data management system, although an authority to see contents of data is not granted depending on a job of the administrator, it is necessary to acquire information of a volume in order to replicate the data on a computer in a job such as a replication of the data at the time of managing a storage system, and since the data can also be operated by the administrator who replicates the data, there is a problem from the view point of security.

A volume to encrypt and decrypt is determined by a user management program 112 of a management computer 100 according to a user'"'"'s job. Further, as to whether to encrypt or whether to decrypt, a command of yes/no of the encryption and decryption is given to an encryption apparatus in accordance with the authority in an application of the user so as to perform the job such as performing the data replication by the encrypted data. Moreover, when it seems not possible to judge the encryption and decryption by the encryption apparatus, a path is set up without passing through the encryption apparatus so as to have a host recognize the data as is encrypted.

8 Citations

View as Search Results

17 Claims

1. A computer system comprising a computer which executes a job, a storage apparatus which is connected with said computer and which has a memory area for storing encrypted data which is encrypted to data used by said computer, a encryption-decryption apparatus which performs encryption-decryption to the data stored in said storage apparatus and a management computer which manages said computer, said storage apparatus and said encryption-decryption apparatus, wherein said management computer judges the necessity of the decryption of the data which is stored per each job in said storage apparatus to an execution request for the job of said computer;
- decrypts said encrypted data and sets up a first path between said computer and said storage apparatus for providing said computer with the decrypted data to an execution request for a first job from the computer;
  
  sets up a second path for providing said computer with said encrypted data without performing the decryption to an execution request for a second job from the computer, and said computer acquires the data relating to said first job in a decrypted state through said first path and acquires the data of an encrypted state through said second path to said execution request for the second job.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A computer system according to claim 1, wherein said second path is a different path from the path up to said storage apparatus which is set up through the encryption-decryption apparatus according to the job of the computer for the encrypted data which is stored in said storage apparatus, and said computer acquires the data relating to said second job without passing through said encryption-decryption apparatus.
  - 3. A computer system according to claim 1, wherein it is judged whether or not a state of said management computer to said encryption-decryption apparatus is set so as not to decrypt the data according to said memory area when the decryption is not performed to the data of said memory area by the first job or second job of said computer;
    - said processing without decryption is chosen when the state of said management computer to said encryption-decryption apparatus is set so as not to decrypt the data; and
      
      a path is chosen for connecting said storage apparatus and said computer by the path where the data is not decrypted when it is not possible to choose said processing without decryption.
  - 4. A computer system according to claim 3, wherein it is judged whether or not the state of said management computer to said encryption-decryption apparatus is set so as not to perform the encryption according to said memory area when the encryption is not performed to the data of said memory area by the first job or second job of said computer;
    - said processing without encryption is chosen when the state of said management computer to said encryption-decryption apparatus is set so as not to encrypt the data; and
      
      a path is chosen for connecting said storage apparatus and said computer by the path where the data is not encrypted when it is not possible to choose said processing without encryption.
  - 5. A computer system according to claim 1, wherein the second job of said computer is a data replication, and when the data replication is performed by said computer, setting of said management computer to said encryption-decryption apparatus is the one which replicates said data separately on said memory area as is encrypted without decrypting the data.
  - 6. A computer system according to claim 5, wherein due to the setting of said management computer to said encryption-decryption apparatus, a file in the data of said memory area is detected;
    - information of said file is transmitted to the computer which performs the data replication when said data replication is performed per unit of said memory area; and
      
      the computer which performs said data replication reflects the information of said file to information of the replicated memory area.
  - 7. A computer system according to claim 6, wherein due to the setting of said management computer to said encryption-decryption apparatus;
    - when data detection is performed by said computer in order to detect a portion of data out of the data after the replication of a volume and when a unit of the data detection is a file, the second job of said computer detects the file in the data of said volume;
      
      information of said file is transmitted to the computer which performs the data detection;
      
      the computer which performs said data detection makes the data replication information of the replicated memory area correspond to the information of said file; and
      
      said file is transmitted to a request source of the data detection.
  - 8. A computer system according to claim 1, wherein said encryption-decryption apparatus is comprised in either said computer or said storage apparatus, or on the path between said computer and said storage apparatus.
  - 9. A computer system according to claim 4, wherein the processing for judging whether or not it is said setting of no decryption and choosing the connection by said path of no decryption;
    - and also judging whether or not it is said setting of no encryption and choosing the connection by said path of no encryption, is performed based on the information of said management computer.
  - 10. A computer system according to claim 2, wherein it is judged by said management computer in accordance with the first job or second job of said computer whether or not it is possible to set yes/no of execution of the encryption and the decryption to the data by changing over the path between said computer and said storage apparatus;
    - when said setting is possible, a command to carry out said setting is given by said management computer to a switch which changes over the path between said computer and said storage apparatus; and
      
      the changeover of said path is performed by said switch for carrying said setting.
  - 11. A computer system according to claim 3, wherein said judgment whether or not the setting is the one without decryption is made based on management information which manages yes/no of execution of the decryption to the data in accordance with the first job or second job of said computer and a combination of requested said memory areas of said first job or second job so as to judge by said management computer whether or not said combination is the setting of no decryption of the data, and with respect to the choice of connecting by said path of no decryption:
    - when it is judged by said management computer that said combination is the setting of no decryption of the data, a command of not executing the decryption is given by said management computer to the encryption-decryption apparatus which changes over and executes respectively yes/no of the encryption and decryption of the data;
      
      processing without decryption of the data which has been encrypted by said encryption-decryption apparatus and has been saved in said memory area is chosen; and
      
      when it is not possible to choose said processing without decryption to the encryption-decryption apparatus which can not change over and execute respectively yes/no of the encryption and decryption of the data, a command is given by said management computer to the switch which changes over the path between said computer and said storage apparatus; and
      
      the path is chosen by said switch for connecting said storage apparatus and said computer by the path of no decryption of the data.
  - 12. A computer system according to claim 4, wherein said judgment whether or not the setting is the one without encryption is made based on the management information which manages yes/no of execution of the encryption to the data in accordance with the first job or second job of said computer and the combination of requested said memory areas of said first job or second job so as to judge by said management computer whether or not said combination is the setting of no encryption of the data, and with respect to the choice of connecting by said path of no encryption:
    - when it is judged by said management computer that said combination is the setting of no encryption of the data, a command of not executing the encryption is given by said management computer to the encryption-decryption apparatus which changes over and executes respectively yes/no of the encryption and decryption of the data;
      
      processing without encryption of the data which has been encrypted by said encryption-decryption apparatus and has been saved in said memory area is chosen; and
      
      when it is not possible to choose said processing without encryption to the encryption-decryption apparatus which can not change over and execute respectively yes/no of the encryption and decryption of the data, a command is given by said management computer to the switch which changes over the path between said computer and said storage apparatus; and
      
      the path is chosen by said switch for connecting said storage apparatus and said computer by the path of no encryption of the data.

13. A management computer to manage a computer which executes a job, a storage apparatus which is connected with said computer and which has a memory area for storing encrypted data which is encrypted to data used by said computer and a encryption-decryption apparatus which performs encryption-decryption to the data stored in said storage apparatus comprising:
- a communication interface which is connected with said computer, said storage apparatus and said encryption-decryption apparatus through a network and which performs communication with the outside; and
  
  a control portion which is connected with said communication interface and which is responsible for controlling, wherein said control portion judges the necessity of the decryption of the data to be stored per each job in said storage apparatus to an execution request for the job of said computer;
  
  decrypts said encrypted data and sets up a first path between said computer and said storage apparatus for providing said computer with the decrypted data to an execution request for a first job from the computer;
  
  sets up a second path for providing said computer with said encrypted data without performing the decryption to an execution request for a second job from the computer; and
  
  makes said computer acquire the data relating to said first job in a decrypted state through said first path and acquire the data of an encrypted state through said second path to the execution request for said second job.
- View Dependent Claims (14, 15, 16)
- - 14. A management computer according to claim 13, wherein said second path is a different path from the path up to said storage apparatus which is set up through the encryption-decryption apparatus according to the job of the computer for the encrypted data which is stored in said storage apparatus, and said computer is made to acquire the data relating to said second job without passing through said encryption-decryption apparatus.
  - 15. A management computer according to claim 13, wherein said control portion judges whether or not said combination is the setting of no decryption of the data based on management information which manages yes/no of the execution of the decryption to the data in accordance with the first job or second job of said computer and a combination of requested said memory areas of said fist job or second job;
    - said control portion commands said encryption-decryption apparatus not to execute the decryption when it is judged that said combination is the setting of no decryption of the data; and
      
      said control means gives a command to a switch which changes over the path between said computer and said storage apparatus such that said storage apparatus and said computer are connected by the path of no decryption of the data when it is not possible to perform said processing without decryption to the encryption-decryption apparatus which can not change over and execute respectively yes/no of the encryption and decryption of the data.
  - 16. A management computer according to claim 13, wherein said control portion judges whether or not said combination is the setting of no encryption of the data based on management information which manages yes/no of the execution of the encryption to the data in accordance with the first job or second job of said computer and the combination of requested said memory areas of said first job or second job;
    - said control portion commands said encryption-decryption apparatus not to execute the encryption when it is judged that said combination is the setting of no encryption of the data; and
      
      said control means gives a command to the switch which changes over the path between said computer and said storage apparatus such that said storage apparatus and said computer are connected by the path of no encryption of the data when it is not possible to perform said processing without encryption to the encryption-decryption apparatus which can not change over and execute respectively yes/no of the encryption and decryption of the data.

17. A data management method of performing management by a management computer to a computer which executes a job, a storage apparatus which is connected with said computer and which has a memory area for storing encrypted data which is encrypted to data used by said computer and a encryption-decryption apparatus which performs encryption-decryption to the data stored in said storage apparatus, wherein said management computer. judges the necessity of the decryption of the data to be stored per each job in said storage apparatus to an execution request for the job of said computer;
- decrypts said encrypted data and sets up a first path between said computer and said storage apparatus for providing said computer with the decrypted data to an execution request for a first job from the computer;
  
  sets up a second path for providing said computer with said encrypted data without performing the decryption to an execution request for a second job from the computer; and
  
  makes said computer acquire the data relating to said first job in a decrypted state through said first path and acquire the data of an encrypted state through said second path to said execution request for the second job.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Kaneda, Yasunori, Nagai, Takayuki, Asano, Masayasu

Application Number

US11/039,807
Publication Number

US 20060090072A1
Time in Patent Office

Days
Field of Search
US Class Current

713/168
CPC Class Codes

G06F 11/1451 by selection of backup cont...

G06F 21/6218 to a system of files or obj...

Computer system, management computer and data management method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

8 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Computer system, management computer and data management method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links