Command processing system by a management agent

US 7,257,843 B2
Filed: 08/08/2003
Issued: 08/14/2007
Est. Priority Date: 11/08/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A computer system comprising:

a computer, a storage subsystem, and a management computer,wherein the management computer comprises a control unit that issues management commands for managing the computer or the storage subsystem and an interface unit that sends the management commands to the computer or the storage subsystem;

wherein the storage subsystem comprises an interface unit that receives management commands from the management computer and a control unit that determines whether to permit execution of the management commands against part or all of a storage area of the storage subsystem, based on a type of a communication path between the management computer and the storage subsystem; and

wherein the type of communication path includes a security level assigned to that communication path, and the determination whether to permit execution of the management commands includes determining whether the security level of the communication path meets or exceeds an execution security level of the management command, wherein the level of security of the communication path is determined by a kind of cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a system where a management application sends commands to a remotely-located agent over a network, the agent maintains a security specification table defining the security level for each combination of the cipher and authentication algorithms of the communication path to/from the management application and a required security level table defining the minimum security level required for the execution of each command. Upon receiving a command from the management application, the agent obtains, by referencing these tables, the operational security level of the communication path and the required security level for the command, and executes the command only if the former is greater than or equal to the latter. This mechanism ensures high security in system management by preventing a malicious intruder from executing potent commands that can cause a down of a computer system, without unreasonably limiting the use of the management application by the system administrator.

Citations

15 Claims

1. A computer system comprising:
- a computer, a storage subsystem, and a management computer,wherein the management computer comprises a control unit that issues management commands for managing the computer or the storage subsystem and an interface unit that sends the management commands to the computer or the storage subsystem;
  
  wherein the storage subsystem comprises an interface unit that receives management commands from the management computer and a control unit that determines whether to permit execution of the management commands against part or all of a storage area of the storage subsystem, based on a type of a communication path between the management computer and the storage subsystem; and
  
  wherein the type of communication path includes a security level assigned to that communication path, and the determination whether to permit execution of the management commands includes determining whether the security level of the communication path meets or exceeds an execution security level of the management command, wherein the level of security of the communication path is determined by a kind of cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A computer system of claim 1, wherein the control unit of the storage subsystem determines whether to permit the execution of the commands against part or all of the storage area of the storage subsystem, based on the type of the communication path between the management computer and the storage subsystem and also on the type of the commands.
  - 3. A computer system of claim 1, wherein the level of security of the communication path is determined by a strength or robustness of a cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem.
  - 4. A computer system of claim 1, wherein the level of security of the communication path is determined by a key length of a cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem.
  - 5. A computer system of claim 1, wherein the security level required for the execution of the command is determined by a kind of data contained in the storage area that is subject to an operation based on the command.
  - 6. A computer system of claim 1, wherein a higher level of security for execution is assigned to commands that can delete or erase contents of the storage area, subject to an operation based on the commands, than is assigned to other commands.
  - 7. A computer system of claim 1, wherein the storage subsystem further comprises a memory that stores tables indicating the security levels of the communication paths and the security levels required for execution of the commands.

8. A storage subsystem comprising:
- a data storage area,an interface unit that receives management commands from a management computer, anda control unit that determines whether to permit execution of the management commands against the data storage area, based on whether an assigned security level of a communication path meets or exceeds an execution security level required for the execution of the management commands, wherein the level of security of the communication path is determined by a kind of cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem.

9. A management computer for managing a computer, a storage subsystem, and a connection control unit that controls a connection between the computer and the storage subsystem, each of these three being generically called a device, the management computer comprising:
- a control unit that issues management commands for managing the device, andan interface unit that sends the management commands to the device, the control unit being configured to determine whether to send the commands to the device for execution, based on whether a security level assigned to a communication path to and from the device meets or exceeds an execution security level required for execution of the management commands, wherein the level of security of the communication path is determined by a kind of cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem.
- View Dependent Claims (10)
- - 10. A management computer of claim 9, further comprising a memory that stores tables indicating the security levels assigned to the communication paths and the execution security levels required for the execution of the management commands.

11. A computer system comprising:
- a computer, a storage subsystem, a connection control unit that controls the connection between the computer and the storage subsystem, and a management computer that manages the computer, the storage subsystem, and the connection control unit;
  
  wherein the management computer comprises a control unit that issues management commands for managing the computer, the storage subsystem, or the connection control unit, these three being generically called a device, and an interface unit that sends the management commands to the device; and
  
  wherein each of the devices comprises an interface unit that receives the management commands from the computer and a control unit that determines whether to execute, the management commands based on whether a security level assigned to a type of communication path between the management computer and the device meets or exceeds an execution security level for execution of the management commands, wherein the level of security of the communication path is determined by a kind of cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem.
- View Dependent Claims (12)
- - 12. A computer system of claim 11, wherein the device further comprises a memory that stores tables indicating the security levels of the communication paths and the security levels required for the execution of the commands.

13. A computer readable storage medium having a program for managing access requests for a storage subsystem having a data storage area, the program comprising:
- code for receiving management commands from a management computer;
  
  code for determining whether to permit execution of the management commands against the data storage area based on whether an assigned security level of the communication path to and from the management computer meets or exceeds an execution security level required for the execution of the management commands, the assigned security level being determined by a kind of cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem; and
  
  code for executing the management commands against the data storage area when the execution is determined to be permitted.
- View Dependent Claims (14)
- - 14. A computer-readable storage medium of claim 13, wherein the storage medium is readable by the storage subsystem.

15. An access management method for managing access requests for a storage subsystem comprising:
- receiving management commands from a management computer;
  
  determining whether to permit execution of the management commands against a storage area of the storage subsystem based on whether an assigned security level of the communication path to and from the management computer meets or exceeds an execution security level required for the execution of the management commands, the assigned security level being determined by a kind of cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem; and
  
  executing the management commands against the storage area when the execution is determined to be permitted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Kaneda, Yasunori, Fujita, Takahiro
Primary Examiner(s)
Moise; Emmanuel L.
Assistant Examiner(s)
Nguyen; Minh Dieu

Application Number

US10/637,994
Publication Number

US 20040111391A1
Time in Patent Office

1,467 Days
Field of Search

726 2- 3, 726/27, 707/9
US Class Current

726/27
CPC Class Codes

G06F 21/52   during program execution, e...

G06F 21/57   Certifying or maintaining t...

Y10S 707/99939   Privileged access

Command processing system by a management agent

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Command processing system by a management agent

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links