Secure storage system

US 7,346,670 B2
Filed: 01/27/2003
Issued: 03/18/2008
Est. Priority Date: 06/11/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A storage system having a storage device and a client connected to a virtual private network (“

VPN”

) using the storage device, the system comprising;

a management apparatus that manages the storage device by means of a logical volume assigned to the storage device;

a conversion apparatus that converts between a protocol corresponding to the storage device and a protocol used for the virtual private network; and

a mapping means that stores a VPN identifier allocated to the client and an access address range in the logical volume of the storage device corresponding to the virtual private network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure storage system for securely accessing a storage device on a network and improving volume management scalability, consisting of a client having a VPN capability; a storage device in an SAN; a management apparatus having a means for managing a storage capacity and a logical volume allocated to the storage device; a converter for converting a protocol used in the SAN to a protocol used in a LAN/MAN/WAN and vice versa; and a conversion apparatus having the VPN capability. A VPN is provided between the client and the conversion apparatus. The conversion apparatus is provided with a mapping between the VPN and an access range of the storage device. A VPN-ID is used for identifying the VPN. An address in the logical volume is used for the access range of the storage device.

42 Citations

View as Search Results

20 Claims

1. A storage system having a storage device and a client connected to a virtual private network (“
- VPN”
  
  ) using the storage device, the system comprising;
  
  a management apparatus that manages the storage device by means of a logical volume assigned to the storage device;
  
  a conversion apparatus that converts between a protocol corresponding to the storage device and a protocol used for the virtual private network; and
  
  a mapping means that stores a VPN identifier allocated to the client and an access address range in the logical volume of the storage device corresponding to the virtual private network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 19)
- - 2. The storage system according to claim 1, wherein the mapping means stores an entry specifying correspondence between the VPN identifier and identification information about the storage device having the logical volume and an access address range of the logical volume specified for the storage device.
  - 3. The storage system according to claim 2, wherein the management apparatus assigns the client the logical volume specified for the storage device, the access address range in the logical volume, and the VPN identifier.
  - 4. The storage system according to claim 2, wherein the management apparatus comprises:
    - a virtual private network setup means for configuring a virtual private network between the client and the conversion apparatus by using the VPN identifier;
      
      a virtual private network management means for managing the conversion apparatus, the storage device, and the virtual private network; and
      
      an entry setup means for allowing the mapping means to store correspondence between a virtual private network allocated to the client and an access address range of the storage device for the virtual private network when the client uses the storage device.
  - 5. The storage system according to claim 2, further comprising:
    - a network controller to configure a virtual private network using the VPN identifier, whereinthe management apparatus has a virtual private network setup request means for allowing the network controller to configure a virtual private network using the VPN identifier; and
      
      the network controller configures the virtual private network over a plurality of networks according to a request from the virtual private network setup request means.
  - 6. The storage system according to claim 2, wherein the network controller sets communication quality for traffic having the VPN identifier and ensures communication quality of the virtual private network.
  - 7. The storage system according to claim 5, further comprising:
    - a network node having a network correspondence means for making correspondence between a virtual network assigned to a network and the virtual private network, whereinthe network controller comprises a virtual network management means for managing correspondence between the virtual private network and a virtual network.
  - 8. The storage system according to claim 2, whereinthe client connects to the conversion apparatus via the virtual private network by using identification information about the conversion apparatus and the VPN identifier, both sent from the management apparatus;
    - andthe management apparatus makes connection from the client to the storage device based on a result of authentication about the client by using the virtual private network.
  - 9. The storage system according to claim 1, further comprising:
    - a backup storage device that temporarily stores information stored in a logical volume specified for the storage device; and
      
      a backup conversion apparatus that converts a protocol for the backup storage device and a protocol used for the virtual private network, whereinthe management apparatus comprises a backup entry setup means for storing identification information about the backup conversion apparatus in the mapping means when the client uses the logical volume.
  - 10. The storage system according to claim 9, wherein the conversion apparatus comprises a data transfer means for transferring data to the backup storage device from the backup conversion apparatus when an error occurs in the storage device.
  - 11. The storage system according to claim 1, whereinthe management apparatus includes a virtual volume generation means for generating a virtual volume comprising one or more logical volumes;
    - the mapping means stores an offset address for converting an address of the virtual volume to an address of the logical volume;
      
      the conversion apparatus includes an address conversion means for converting an address of the virtual volume to an address of the logical volume; and
      
      the address conversion means allocates the virtual volume to an unused area in the storage device.
  - 19. The storage system according to claim 1, wherein said VPN identifier allocated to the client is used to prevent an unauthorized access from another client having no access privilege to said access address range.

12. A conversion apparatus connected to a storage device, whereinthe conversion apparatus is connected to a client using the storage device via a virtual private network (“
- VPN”
  
  ), wherein the conversion apparatus comprises;
  
  a protocol conversion means for converting between a protocol corresponding to the storage device and a protocol used for the virtual private network; and
  
  a mapping means that stores a VPN identifier allocated to the client and an access address range in the logical volume of the storage device corresponding to the virtual private network.
- View Dependent Claims (13, 14, 20)
- - 13. The conversion apparatus according to claim 12, wherein the mapping means stores an entry specifying correspondence between the VPN identifier and identification information about the storage device having the logical volume and an access address range of the logical volume specified for the storage device.
  - 14. The conversion apparatus according to claim 12, whereinthe conversion apparatus is connected to a backup conversion apparatus that converts a protocol for a backup storage device to temporarily store information stored in a logical volume specified for the storage device and a protocol used for the virtual private network;
    - andthe conversion apparatus includes a data transfer means for transferring data to the storage device from the backup conversion apparatus when an error occurs in the storage device.
  - 20. The conversion apparatus according to claim 12, wherein said VPN identifier allocated to the client is used to prevent an unauthorized access from another client having no access privilege to said access address range.

15. A storage system comprising a storage device, a client connected to a virtual private network (“
- VPN”
  
  ), a management apparatus that manages the storage device by means of a logical volume assigned to the storage device, a mapping means that stores a VPN identifier allocated to the client and an access address range in the logical volume of the storage device corresponding to the virtual private network, a conversion apparatus that is connected to the client via the virtual private network and converts between a protocol for the storage device and a protocol used for the virtual private network, and the mapping means that stores the VPN identifier allocated to the client and the access address range in the logical volume of the storage device corresponding to the virtual private network, whereinthe conversion apparatus, upon reception of an access request from the client via the virtual private network, writes data to the storage device connected to the conversion apparatus based on a check result of the VPN identifier; and
  
  the conversion apparatus, upon reception of a response for write termination from the storage device, returns the response for write termination to the client to terminate a process to write data from the client.

16. A storage system comprising a storage device, a client connected to a virtual private network (“
- VPN”
  
  ), a management apparatus that manages the storage device by means of a logical volume assigned to the storage device, a mapping means that stores a VPN identifier allocated to the client and an access address range in the logical volume of the storage device corresponding to the virtual private network, a conversion apparatus that is connected to the client via the virtual private network and converts between a protocol for the storage device and a protocol used for the virtual private network, and a backup conversion apparatus that is connected to the conversion apparatus and a backup storage device and that converts between a protocol for the backup storage device and a protocol used for the conversion apparatus, whereinthe conversion apparatus, upon reception of an access request from the client via the virtual private network, sends the access request to the backup conversion apparatus specified in a conversion table based on a first check result of the VPN identifier;
  
  the conversion apparatus writes data to the storage device connected to the conversion apparatus;
  
  the conversion apparatus, upon reception of a response for write termination from the storage device, returns the response for write termination to the client;
  
  the backup conversion apparatus, upon reception of an access request from the conversion apparatus, writes data to the backup storage device connected to the backup conversion apparatus based on a second check result of the VPN identifier and, upon reception of a response for write termination from the backup storage device, returns the response for write termination to the conversion apparatus; and
  
  the conversion apparatus, upon reception of a response from the backup conversion apparatus, terminates the process to write data from the client.

17. A storage system comprising a storage device, a client connected to a virtual private network (“
- VPN”
  
  ), a management apparatus that manages the storage device by means of a logical volume assigned to the storage device, a mapping means that stores a VPN identifier allocated to the client and an access address range in the logical volume of the storage device corresponding to the virtual private network, a conversion apparatus that is connected to the client via the virtual private network and converts between a protocol for the storage device and a protocol used for the virtual private network, and a backup conversion apparatus that is connected to the conversion apparatus and a backup storage device and that converts between a protocol for the backup storage device and a protocol used for the conversion apparatus, whereinthe conversion apparatus, upon reception of an access request from the client via the virtual private network, sends a request to read data to the storage device connected to the conversion apparatus based on a first check result of the VPN identifier;
  
  the conversion apparatus, upon unsuccessful reception of data from the storage device, sends an access request to the backup conversion apparatus connected to the conversion apparatus;
  
  the backup conversion apparatus, upon reception of an access request from the conversion apparatus, reads data from the backup storage device connected to the backup conversion apparatus based on a second check result of the VPN identifier and, upon reception of data from the backup storage device, sends the data from the backup storage device to the conversion apparatus; and
  
  the conversion apparatus, upon reception of data from the backup conversion apparatus, sends the data from the backup storage device to the client.
- View Dependent Claims (18)
- - 18. The storage system according to claim 17, whereinthe conversion apparatus, upon unsuccessful reception of data from the storage device, sends error information about the storage device to the management apparatus;
    - andthe management apparatus changes a logical volume setting for the storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Kitani, Makoto, Hoshino, Kazuyoshi, Akahane, Shinichi, Mizutani, Masahiko, Miyagi, Morihito
Primary Examiner(s)
Follansbee; John
Assistant Examiner(s)
DENNISON, JERRY B

Application Number

US10/351,382
Publication Number

US 20030229690A1
Time in Patent Office

1,877 Days
Field of Search

709/223, 709/225, 709/232, 711/147, 711/152, 711/153, 707/2, 707/10, 707/200, 707/202
US Class Current

709/219
CPC Class Codes

G06F 11/2094   Redundant storage or storag...

G06F 11/2097   maintaining the standby con...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 41/0803   Configuration setting

H04L 63/0272   Virtual private networks

H04L 63/083   using passwords cryptograph...

H04L 67/1097   for distributed storage of ...

H04L 69/08   Protocols for interworking;...

Secure storage system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

42 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Secure storage system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

42 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links