Tape failover across a cluster

US 8,160,257 B1
Filed: 11/02/2010
Issued: 04/17/2012
Est. Priority Date: 11/30/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing a primary path and a secondary path from a host to a backup system, wherein a first security appliance, comprising a processor, is logically interconnected on the primary path between the host and the backup system and a second security appliance is logically interconnected on the secondary path between the host and the backup system;

intercepting, by the first security appliance, data sent on the primary path between the host and the backup system, wherein the first security appliance utilizes an encryption key to perform at least one of encrypting the data and decrypting the data sent on the primary path; and

broadcasting, by the first security appliance, the encryption key to the second security appliance over a communication channel between the first security appliance and the second security appliance in response to generating the encryption key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security appliance that encrypts and decrypts information is installed in each of redundant multi-paths between a host system and a back up tape storage system. The host system is arranged to detect failures in a primary path to the tape system being used. When the failure is detected, the host system enables transfers to the same tape system through an alternative path. Encryption keys and host/tape designators (identifiers) are broadcast among the security appliances in the alternative data paths. When the host system switches from the primary path to the secondary path, even though the secondary security appliance did not generate the encryption keys, the secondary path security appliance will have such keys and will properly encrypt and transfer data from the host to the tape system. The secondary will also properly retrieve encrypted data from the tape system, decrypt it and deliver it to the host. All of these operations will be transparent (invisible) to a running application in the host.

Citations

20 Claims

1. A method comprising:
- establishing a primary path and a secondary path from a host to a backup system, wherein a first security appliance, comprising a processor, is logically interconnected on the primary path between the host and the backup system and a second security appliance is logically interconnected on the secondary path between the host and the backup system;
  
  intercepting, by the first security appliance, data sent on the primary path between the host and the backup system, wherein the first security appliance utilizes an encryption key to perform at least one of encrypting the data and decrypting the data sent on the primary path; and
  
  broadcasting, by the first security appliance, the encryption key to the second security appliance over a communication channel between the first security appliance and the second security appliance in response to generating the encryption key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein broadcasting the encryption key to the second security appliance further comprises routinely broadcasting the encryption key to the second security appliance.
  - 3. The method of claim 1 further comprising:
    - labeling the host and the backup system with logical designators, and broadcasting the logical designators to the second security appliance.
  - 4. The method of claim 3 wherein the logical designators include a World Wide Number and a logical Unit Number.
  - 5. The method of claim 1 further comprising generating the encryption key when the backup system is initialized.
  - 6. The method of claim 1 wherein the first security appliance generates the encryption key.
  - 7. The method of claim 1 further comprising:
    - generating the encryption key at a storage encryption server; and
      
      retrieving the encryption key from the storage encryption server by the first security appliance.
  - 8. The method of claim 1 further comprising:
    - detecting an error in the sent data along the primary path;
      
      in response to the detecting, disabling the first security appliance logically interconnected on the primary path; and
      
      enabling the second security appliance in the secondary path to encrypt and decrypt data between the host and the backup system.
  - 9. The method of claim 1 wherein the backup system is a tape backup system.

10. A system comprising:
- at least two security appliances each comprising a processor and a memory, with a first security appliance logically interconnected on a primary path and a second security appliance logically interconnected on a secondary path between a host and a backup system, wherein the first and second security appliances use an encryption key to perform at least one of encrypting data and decrypting data on the primary path and the secondary path;
  
  a communication channel between the first and second security appliances; and
  
  wherein when the backup system is initialized, the encryption key is generated in the first security appliance logically interconnected on the primary path, and the generated encryption key is broadcast to the second security appliance via the communication channel.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10 further comprising routinely broadcasting the encryption key to the second security appliance.
  - 12. The system of claim 10 further comprising:
    - additional security appliances connected to the communications channel, and arranged between other hosts and other backup systems;
      
      storage in the first and second security appliances and the additional security appliances, wherein the storage contains logic designators of each of the hosts and the backup systems; and
      
      wherein when the backup system is initialized, the first security appliance broadcasts the encryption information and the designators of the host and backup system associated with the primary path.
  - 13. The system of claim 12 wherein the logical designators include a World Wide Number and a Logical Unit Number.
  - 14. The system of claim 10 wherein the first security appliance generates the encryption key.
  - 15. The system of claim 10 further comprising a source of encryption keys, wherein when the backup system is initialized, the first security appliance retrieves encryption keys from the source.
  - 16. The system of claim 10 wherein the first security appliance stores encryption information onto the backup system when the backup system is initialized.
  - 17. The system of claim 10 wherein the host system determines that an error has occurred along the primary path, wherein the host system disables the first security appliance logically interconnected on the primary path and enables the second security appliance logically interconnected on the secondary path.
  - 18. The system of claim 10 wherein the backup system is a tape backup system.

19. A non-transitory computer readable medium containing executable program instructions executable by a processor, comprising:
- program instructions that establish a primary path and a secondary path from a host to a backup system, wherein a first security appliance is logically interconnected on the primary path between the host and the backup system and a second security appliance is logically interconnected on the secondary path between the host and the backup system;
  
  program instructions that intercept data sent on the primary path between the host and the backup system, wherein the first security appliance utilizes an encryption key to perform at least one of encrypting the data and decrypting the data sent on the primary path; and
  
  program instructions that broadcast the encryption key from the first security appliance to the second security appliance over a communication channel between the first security appliance and the second security appliance in response to generating the encryption key.
- View Dependent Claims (20)
- - 20. The non-transitory computer readable medium of claim 19 further comprising:
    - program instructions that detect an error in the sent data along the primary path;
      
      program instructions that disable the first security appliance logically interconnected on the primary path; and
      
      program instructions that enable the second security appliance in the secondary path to encrypt and decrypt data between the host and the backup system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NetApp, Inc.
Original Assignee
NetApp, Inc.
Inventors
Chaudhary, Anant, Narver, Andrew
Primary Examiner(s)
MOORTHY, ARAVIND K

Application Number

US12/917,723
Time in Patent Office

532 Days
Field of Search

380/278, 713/153, 713/165, 713/189, 726/26, 711/4, 711/100, 711/162, 711/163, 707/609, 707/641, 707/670, 707/687, 707/821
US Class Current

380/278
CPC Class Codes

G06F 11/1456   Hardware arrangements for b...

G06F 11/1464   for networked environments

G06F 11/1469   Backup restoration techniques

G06F 11/2005   using redundant communicati...

G06F 11/201   between storage system comp...

G06F 21/85   interconnection devices, e....

G06F 2221/2105   Dual mode as a secondary as...

G06F 2221/2147   Locking files

G09C 1/00   Apparatus or methods whereb...

G11B 20/1883   Methods for assignment of a...

G11B 2220/90   Tape-like record carriers

H04L 2209/12   Details relating to cryptog...

H04L 63/061   for key exchange, e.g. in p...

H04L 69/14   Multichannel or multilink p...

H04L 69/40   for recovering from a failu...

H04L 9/0827   involving distinctive inter...

H04L 9/0894   Escrow, recovery or storing...

Tape failover across a cluster

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Tape failover across a cluster

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links