Command processing system by a management agent
Abstract
In a system where a management application sends commands to a remotely located agent over a network, the agent maintains two tables: a security specification table, which defines the security level for each combination of the cipher and authentication algorithms of the communication path to and from the management application, and a required security level table, which defines the minimum security level required for the execution of each command. Upon receiving a command from the management application, the agent references these tables to obtain the operational security level of the communication path and the required security level for the command, and executes the command only if the former is greater than or equal to the latter. This mechanism ensures high security in system management by preventing a malicious intruder from executing potent commands that can bring down a computer system, without unreasonably limiting the use of the management application by the system administrator.
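The two-table check described in the abstract, as an added example that is not taken from the patent. The algorithm names, command names, level numbers, and the fail-closed handling of unlisted entries are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Security specification table: (cipher, authentication) -> operational level.
# Algorithm names and level numbers are constructed for illustration.
SECURITY_SPEC = {
    ("none", "none"): 0,
    ("none", "hmac-sha256"): 1,
    ("3des-cbc", "hmac-sha1"): 2,
    ("aes256-gcm", "hmac-sha256"): 3,
}

# Required security level table: command -> minimum level needed to execute.
# Command names are hypothetical storage-management operations.
REQUIRED_LEVEL = {
    "get_volume_status": 0,
    "create_volume": 2,
    "change_lun_mapping": 2,
    "format_volume": 3,
}

@dataclass(frozen=True)
class Decision:
    permitted: bool
    path_level: int
    required_level: Optional[int]
    reason: str

def authorize(cipher: str, auth: str, command: str) -> Decision:
    """Permit the command only if path level >= required level."""
    # Assumption: an unlisted cipher/auth pair is treated as level 0.
    path_level = SECURITY_SPEC.get((cipher.lower(), auth.lower()), 0)
    required = REQUIRED_LEVEL.get(command)
    if required is None:
        # Assumption: a command missing from the table is refused.
        return Decision(False, path_level, None, "unknown command")
    if path_level >= required:
        return Decision(True, path_level, required, "path level sufficient")
    return Decision(False, path_level, required, "path level too low")

def handle(cipher: str, auth: str, command: str,
           execute: Callable[[str], object]) -> Tuple[Decision, object]:
    """Agent entry point: run `execute` only after the table check passes."""
    decision = authorize(cipher, auth, command)
    result = execute(command) if decision.permitted else None
    return decision, result
```

The same session can therefore read status over a weakly protected path while destructive commands are refused until the path is re-established with a stronger algorithm pair.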
15 Claims
1. A computer system comprising:
a computer, a storage subsystem, and a management computer,
wherein the management computer comprises a control unit that issues management commands for managing the computer or the storage subsystem and an interface unit that sends the management commands to the computer or the storage subsystem;
wherein the storage subsystem comprises an interface unit that receives management commands from the management computer and a control unit that determines whether to permit execution of the management commands against part or all of a storage area of the storage subsystem, based on a type of a communication path between the management computer and the storage subsystem; and
wherein the type of communication path includes a security level assigned to that communication path, and the determination whether to permit execution of the management commands includes determining whether the security level of the communication path meets or exceeds an execution security level of the management command, wherein the level of security of the communication path is determined by a kind of cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem.
8. A storage subsystem comprising:
a data storage area,
an interface unit that receives management commands from a management computer, and
a control unit that determines whether to permit execution of the management commands against the data storage area, based on whether an assigned security level of a communication path meets or exceeds an execution security level required for the execution of the management commands, wherein the level of security of the communication path is determined by a kind of cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem.
9. A management computer for managing a computer, a storage subsystem, and a connection control unit that controls a connection between the computer and the storage subsystem, each of these three being generically called a device, the management computer comprising:
a control unit that issues management commands for managing the device, and
an interface unit that sends the management commands to the device,
the control unit being configured to determine whether to send the commands to the device for execution, based on whether a security level assigned to a communication path to and from the device meets or exceeds an execution security level required for execution of the management commands, wherein the level of security of the communication path is determined by a kind of cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem.
11. A computer system comprising:
a computer, a storage subsystem, a connection control unit that controls the connection between the computer and the storage subsystem, and a management computer that manages the computer, the storage subsystem, and the connection control unit;
wherein the management computer comprises a control unit that issues management commands for managing the computer, the storage subsystem, or the connection control unit, these three being generically called a device, and an interface unit that sends the management commands to the device; and
wherein each of the devices comprises an interface unit that receives the management commands from the computer and a control unit that determines whether to execute the management commands based on whether a security level assigned to a type of communication path between the management computer and the device meets or exceeds an execution security level for execution of the management commands, wherein the level of security of the communication path is determined by a kind of cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem.
13. A computer readable storage medium having a program for managing access requests for a storage subsystem having a data storage area, the program comprising:
code for receiving management commands from a management computer;
code for determining whether to permit execution of the management commands against the data storage area based on whether an assigned security level of the communication path to and from the management computer meets or exceeds an execution security level required for the execution of the management commands, the assigned security level being determined by a kind of cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem; and
code for executing the management commands against the data storage area when the execution is determined to be permitted.
15. An access management method for managing access requests for a storage subsystem comprising:
receiving management commands from a management computer;
determining whether to permit execution of the management commands against a storage area of the storage subsystem based on whether an assigned security level of the communication path to and from the management computer meets or exceeds an execution security level required for the execution of the management commands, the assigned security level being determined by a kind of cipher algorithm selected in establishing the communication path between the management computer and the storage subsystem; and
executing the management commands against the storage area when the execution is determined to be permitted.
Specification