Method and apparatus for authenticating connections to a storage system coupled to a network
Abstract
A data management technique for managing accesses to data at a shared storage system includes a filter at the storage system. The filter is coupled to a configuration table, which identifies which of a number of coupled host processors have accesses to each of the resources at the device. During operation, requests received from the host devices are filtered by the filter, and only those requests to resources that the individual host devices have privilege to access are serviced. Advantageously, data security is further enhanced by authenticating each of the requests received by the storage system to verify that the host processor that is represented as forwarding the request is the indicated host processor. In addition, transfers of data between the storage system and the host processor may be validated to ensure that data was not corrupted during the data transfer.
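The following sketch is an added example, not code from the patent or from any product. It models the flow summarized above and in claims 2 to 5, 8, 10 and 13 below: a random expected identifier per request, a keyed check of that identifier, the configuration-table filter, and a checksum comparison. HMAC-SHA256 and SHA-256 are assumptions standing in for the unspecified encryption and checksum, and all class, function, host and volume names are hypothetical.

```python
import hashlib, hmac, secrets

def seal(key, ident):
    # Assumption: HMAC-SHA256 stands in for "encrypting" the identifier with the access key.
    return hmac.new(key, ident, hashlib.sha256).digest()

class StorageSystem:
    def __init__(self, keys, config_table, volumes):
        self.keys = keys              # host name -> shared access key
        self.config = config_table    # host name -> volumes it is authorized to access
        self.volumes = volumes        # volume name -> data
        self.expected = {}            # host name -> identifier expected in the next request
        self.sent = {}                # host name -> running digest of data forwarded

    def issue_identifier(self, host):
        self.expected[host] = secrets.token_bytes(16)   # random, one per request
        return self.expected[host]

    def handle(self, host, volume, sealed):
        ident = self.expected.get(host)
        if ident is None or not hmac.compare_digest(sealed, seal(self.keys[host], ident)):
            return "REJECT_AUTH", None, None            # state untouched: real host stays in sync
        nxt = self.issue_identifier(host)               # old identifier is now useless for replay
        if volume not in self.config.get(host, set()):
            return "REJECT_FILTER", None, nxt           # authenticated, but not privileged
        data = self.volumes[volume]
        self.sent.setdefault(host, hashlib.sha256()).update(data)
        return "OK", data, nxt

    def validate(self, host, host_digest):              # storage-side digest vs. host-side digest
        return hmac.compare_digest(self.sent.get(host, hashlib.sha256()).digest(), host_digest)

class HostAdapter:
    def __init__(self, name, key, storage):
        self.name, self.key, self.storage, self.received = name, key, storage, hashlib.sha256()
        self.ident = storage.issue_identifier(name)     # first identifier, sent ahead of any request

    def read(self, volume, corrupt=False):
        status, data, nxt = self.storage.handle(self.name, volume, seal(self.key, self.ident))
        self.ident = nxt or self.ident
        if status == "OK":                              # corrupt=True simulates damage in transit
            self.received.update(data[::-1] if corrupt else data)
        return status

def demo(corrupt=False):
    key = secrets.token_bytes(32)                       # constructed sample key and volumes
    storage = StorageSystem({"hostA": key}, {"hostA": {"vol0"}}, {"vol0": b"payroll", "vol1": b"hr"})
    host = HostAdapter("hostA", key, storage)
    used = seal(key, host.ident)
    log = [host.read("vol0", corrupt)]
    log.append(storage.handle("hostA", "vol0", used)[0])                        # replayed identifier
    log.append(storage.handle("hostA", "vol0", seal(b"wrong", host.ident))[0])  # no access key
    log += [host.read("vol1"), host.read("vol0")]       # vol1 is not in hostA's config entry
    return log, storage.validate("hostA", host.received.digest())
```

A rejected request leaves the expected identifier unchanged in this sketch, so a forged or replayed request cannot knock the legitimate host out of step with the storage system.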
60 Claims
1. A data management method for managing access to a storage system by a device, the method comprising steps of:
transmitting from the storage system, to the at least one of the plurality of devices, at least one expected identifier to be included in at least one subsequent request issued by the at least one of the plurality of devices to the storage system to indicate that the at least one request has been issued by the at least one of the plurality of devices; and
receiving at the storage system, from the at least one of the plurality of devices, at least one request including the at least one expected identifier indicating that the at least one request has been issued by the at least one of the plurality of devices.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
assigning, at the storage system, an expected identifier for each one of the series of requests expected to be initiated by the device;
prior to initiation of each of the series of requests by the device, forwarding the expected identifier associated with each request from the storage system to the device; and
for each request received at the storage system, comparing an identifier received with the request to the expected identifier associated with the request to authenticate the request.
3. The method according to claim 2, wherein the step of selectively servicing each request includes a step of forwarding a new expected identifier to the device for a subsequent request.
4. The method according to claim 2, wherein the storage system and the device each stores an encryption access key, and wherein the step of authentication further comprises a step of:
comparing an encrypted identifier received at the storage system with an expected identifier at the storage system to verify that the device that issued the request has the access key and the identifier.
5. The method according to claim 4, wherein the encrypted identifier is encrypted by the device using the encryption access key prior to receipt of the encrypted identifier by the storage system, and wherein the step of authenticating further includes the step of encrypting the expected identifier at the storage device using the encryption access key prior to comparing the encrypted identifier with the expected identifier.
6. The method according to claim 4, wherein the encrypted identifier is encrypted by the device using the encryption access key prior to receipt of the encrypted identifier by the storage system, and wherein the step of authenticating further includes the step of decrypting the expected identifier at the storage device using the encryption access key prior to comparing the encrypted identifier with the expected identifier.
7. The method according to claim 3, wherein the device and the storage system communicate according to the Small Component System Interconnect (SCSI) protocol, and wherein the step of selectively servicing the request includes a step of forwarding the new expected identifier in a session identifier field of a packet in the SCSI protocol.
8. The method according to claim 2, wherein the storage system is apportioned into a plurality of volumes, and wherein a plurality of devices are coupled to the storage system by an interconnect, and wherein the method further comprises a step of:
storing, in a configuration database, configuration information for each one of the plurality of devices that has access to the storage system, the configuration data indicating which of the plurality of devices is authorized to access which ones of a plurality of the volumes of data at the storage system.
9. The method according to claim 8, further comprising a step of storing in a table, for each one of the plurality of devices, a list of the expected identifiers assigned to the associated one of the plurality of devices.
10. The method according to claim 2, wherein the method further comprises a step of generating a random number to provide at least one of the expected identifiers.
11. The method according to claim 2, wherein a plurality of devices are coupled to the storage system by an interconnect, and wherein the method further comprises the steps of:
generating a sequence of random numbers; and
distributing random numbers from the sequence of random numbers among the plurality of devices.
12. The method according to claim 2, wherein a series of one or more transactions is exchanged by the device and the storage system, and wherein the method further comprises a step of validating each of the series of transactions to ensure that the contents of each of the transactions are not altered during transit.
13. The method according to claim 12, wherein each transaction comprises a request issued from the device to the storage system and a response issued from the storage system to the device, and wherein the step of validating further comprises steps of:
maintaining, at the storage system, a first checksum of data forwarded to the device when servicing the series of transactions;
receiving, at the storage system, a second checksum from the device, the second checksum reflecting the data received by the device during the series of transactions; and
comparing the first checksum and the second checksum to validate the series of transactions.
14. The method according to claim 12, wherein the step of validating further comprises steps of:
maintaining, at the storage system, a first checksum of data received from the device when servicing each transaction in the series of transactions;
receiving, at the storage system, a second checksum from the device, the second checksum reflecting the data forwarded by the device during the series of transactions; and
comparing the first checksum and the second checksum to validate the series of transactions.
15. The method according to claim 12, wherein the step of validating further comprises steps of:
maintaining, at the device, a first checksum of data forwarded to the storage system when forwarding a series of transactions;
receiving, at the device, a second checksum from the storage system, the second checksum reflecting the data received by the storage system during the series of transactions; and
comparing the first checksum and the second checksum to validate the series of transactions.
16. The method according to claim 10, wherein the step of validating further comprises steps of:
maintaining, at the device, a first checksum of data received from the storage system in the series of transactions;
receiving, by the device, a second checksum from the storage system, the second checksum reflecting the data forwarded by the storage system during the series of transactions; and
comparing the first checksum and the second checksum to validate the series of transactions.
17. A method for managing access by at least one of a plurality of devices to a storage system coupled to the at least one of a plurality of devices by a network, the storage system including a plurality of storage devices, the method comprising steps of:
receiving, from the storage system, at the at least one of the plurality of devices, at least one expected identifier to be included in at least one subsequent request issued by the at least one of the plurality of devices to the storage system to indicate that the at least one of the plurality of devices issued the request; and
issuing, from the at least one of the plurality of devices, at least one request to the storage system, the at least one request including the at least one expected identifier indicating that the at least one request has been issued by the at least one of the plurality of devices.
Dependent claims: 18, 19, 20, 21, 22, 23, 24, 26
issuing, from the device, a series of requests to the storage system, wherein each request in the series of requests includes a different expected identifier.
19. The method according to claim 17, further comprising a step of encrypting the expected identifier to provide an encrypted expected identifier, and wherein the step of issuing the request includes a step of forwarding the encrypted expected identifier to the storage system.
20. The method according to claim 17, wherein the device and the storage system are coupled by a network, and wherein the method further includes a step of issuing the request from the device to the storage system over the network.
21. The method according to claim 20, wherein the step of issuing the request further includes a step of issuing the request from the device to the storage system according to a Fibre Channel protocol.
22. The method according to claim 17, wherein the storage system comprises a plurality of disk devices apportioned into a plurality of volumes, and wherein the step of issuing includes a step of issuing the at least one request to be directed to one of the plurality of volumes in the plurality of disk devices to the storage system.
23. The method according to claim 17, wherein the device is a host processor coupled to the storage system over a network, and wherein the step of issuing the at least one request includes a step of forwarding the request from the host processor to the storage system over the network according to a Fibre Channel protocol.
24. The method according to claim 17, wherein the device is a file server coupled to the storage system over a network, and wherein the step of issuing the at least one request includes the step of forwarding the request from the file server to the storage system over the network according to a Fibre Channel protocol.
26. The host computer according to claim 17, wherein the controller issues a series of requests to the storage system, each request in the series of requests including a different expected identifier.
25. A host computer for use in a computer system including a storage system having a plurality of storage devices, and a network that couples the host computer to the storage system, the host computer comprising:
a port to receive from the storage system at least one expected identifier to be included in at least one subsequent request to the storage system; and
a controller to issue at least one request for access to the storage system, the at least one request including the at least one expected identifier to indicate that the request is being issued by the host computer.
Dependent claims: 27, 28, 29, 30, 31, 32, 33
a port to receive at least one additional expected identifier to be included in at least one subsequent request from the at least one additional host to the storage system; and
a controller to issue at least one request from the at least one additional host to the storage system, the at least one request including the additional expected identifier.
31. The combination according to claim 30, wherein the controller of the at least one host and the controller of the at least one additional host both issue requests according to a Fibre Channel network protocol.
32. The combination according to claim 28, wherein the storage system comprises a plurality of disk devices.
33. The combination according to claim 28, wherein the host computer is a file server.
34. A storage system comprising:
at least one storage device; and
an adapter to interface the storage system with a plurality of devices coupled to the storage system, the adapter to transmit to the at least one of the plurality of devices at least one expected identifier, and to receive the at least one expected identifier included in at least one subsequent request from the at least one of the plurality of devices to indicate that the at least one of the plurality of devices has issued the request, so that the adapter authenticates the at least one request from the at least one of the plurality of devices to verify that the at least one request was issued from the at least one of the plurality of devices; and
wherein the adapter is arranged to selectively forward the at least one request to the at least one storage device for servicing responsive to authentication of the at least one request.
Dependent claims: 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48
a random number generator, coupled to the authentication table, the random number generator generating expected identifiers for inclusion in the list.
40. The storage system according to claim 37, further comprising:
an encrypter, coupled to the authentication table, to encrypt the expected identifiers in the list.
41. The storage system according to claim 37, further comprising:
a comparator to compare at least one authentication identifier received from the at least one device against the at least one expected identifier in the list.
42. The storage system according to claim 34, further comprising:
a digital signature unit, coupled to the adapter, to maintain a checksum of responses forwarded from the storage system to one of the plurality of devices.
43. The storage system according to claim 42, wherein the adapter further comprises:
means for comparing a checksum received from one of the plurality of devices against the checksum maintained at the digital signature unit for the one of the plurality of devices to determine the validity of data received from the one of the plurality of devices.
44. The storage system according to claim 34, in combination with the plurality of devices and a network that couples the storage system to the plurality of devices.
45. The combination according to claim 44, wherein the network operates according to a Fibre Channel protocol.
46. The storage system according to claim 34, wherein the at least one storage device includes at least one disk drive.
47. The combination of claim 44, wherein one of the plurality of devices is a host processor.
48. The combination of claim 44 wherein one of the plurality of devices is a file server.
49. An adapter for use in a device to authenticate a connection between the device and a storage system, the adapter comprising:
a data structure comprising at least one entry to store at least one unique identifier provided by the storage system; and
a controller to issue at least one request to the storage system, wherein the request includes the at least one unique identifier, thereby indicating that the at least one request is being issued from the device, so that the storage system can use the at least one unique identifier to authenticate the connection between the device and the storage system.
Dependent claims: 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60
an encrypter to encrypt the at least one unique identifier prior to forwarding the at least one identifier with the at least one request.
52. The adapter according to claim 49, wherein the at least one request comprises a packet of data comprising a plurality of fields, wherein the packets are formatted according to the Small Component System Interconnect (SCSI) protocol, wherein one of the plurality of fields of the packet is a session identifier field, and wherein the controller includes the at least one unique identifier in the session identifier field of the at least one request.
53. The adapter according to claim 52, further comprising means for extracting a new unique identifier from a packet received from the storage system, and means for storing the new unique identifier in the data structure.
54. The adapter according to claim 49, further comprising:
a digital signature unit to maintain a checksum of data received from the storage system in response to the at least one request to validate that the data was not altered during transit.
55. The adapter according to claim 54, further comprising:
means for forwarding the checksum to the storage system;
means for receiving status information from the storage system indicative of whether the checksum forwarded by the adapter matched a checksum generated at the storage system; and
means, responsive to the status information, for re-issuing the at least one request by the adapter.
56. The adapter according to claim 49, in combination with the storage system and a network that couples the adapter to the storage system.
57. The combination according to claim 56, wherein the network is a Fibre Channel network.
58. The combination according to claim 56, wherein the storage system includes at least one disk drive.
59. The adapter according to claim 49, in combination with a host processor and a network, wherein the adapter couples the host processor to the network.
60. The adapter according to claim 49, in combination with a file server and a network, wherein the adapter couples the file server to the network.
Specification