Method and apparatus for enhanced computer security
Abstract
A computer system and an access restriction method may be used to enable security and improve reliability. The computer system includes a first storage apparatus and a second storage apparatus. The first storage apparatus provides a first logical volume from/to which a host apparatus reads and writes data, and the second storage apparatus provides a virtual second logical volume obtained by virtualizing the first logical volume of the first storage apparatus to the host apparatus. The first path information relates to a path from the host apparatus to the second logical volume registered in the first storage apparatus in association with the first logical volume of the first storage apparatus. Reservation of and access to the first logical volume is granted only for a reservation request and access request with matching path information from the host apparatus.
10 Citations
6 Claims
1. A computer system, comprising:
- a first storage apparatus which provides a first logical volume from/to which a host apparatus reads and writes data; and
- a second storage apparatus that includes an external connection function which provides a second logical volume obtained by virtualizing the first logical volume of the first storage apparatus, to the host apparatus and provides a third logical volume, wherein the second storage apparatus is configured to copy data from the second logical volume to the third logical volume as receiving an access request to the second logical volume, the first logical volume being reserved when the host apparatus accesses the first logical volume,

wherein the second storage apparatus;
- receives a first registration-target key from the host apparatus,
- transmits, to the first storage apparatus, a first command containing the first registration-target key, and first path information, which relates to a path from the host apparatus to the second logical volume, in response to a key registration request from the host apparatus to the effect that a key is to be registered for the second logical volume,
- receives a reservation request that includes a second key from the host apparatus,
- transmits, to the first storage apparatus, a second command containing the second key, and second path information to reserve the second logical volume, which relates to a path from the host apparatus to the second logical volume, in response to the reservation request from the host apparatus to the effect that the second logical volume is to be reserved, and
- transmits, from the second storage apparatus to the first storage apparatus, a third command containing third path information, which relates to a path from the host apparatus to the second logical volume, in response to an access request for access to the second logical volume from the host apparatus, and

wherein the first storage apparatus;
- upon receiving the first command, stores the first key and the first path information contained in the first command as reservation information in association with the first key registration-target logical volume,
- upon receiving the second command, compares the first key and the first path information, which are contained in reservation information stored in association with the first logical volume which is a reservation target, with the second key and the second path information which are contained in the second command and, when there is a match between the first key and the first path information and the second key and the second path information, reserves the first logical volume for use by the host apparatus, and,
- upon receiving the third command, compares the first path information, which is contained in the reservation information stored in association with the first logical volume which is an access target, with the third path information which is contained in the third command and, when there is a match between the first and third path information, access from the host apparatus is granted via the second storage apparatus,

wherein the second storage apparatus is configured to transmit a fourth command that corresponds to the reservation cancellation request to the first storage apparatus in response to a mapping cancellation request,
upon receiving the fourth command, the first storage apparatus is configured to transmit the corresponding reservation information stored for the corresponding first logical volume to the second logical volume,
wherein the second storage apparatus is configured to rewrite the reservation information transmitted by the first storage apparatus, and
wherein the second storage apparatus is configured to process the access restrictions using the rewritten reservation information.
4. An access restriction method of a computer system which comprises a first storage apparatus which provides a first logical volume from/to which a host apparatus reads and writes data, and a second storage apparatus that includes an external connection function which provides a second logical volume obtained by virtualizing the first logical volume of the first storage apparatus, to the host apparatus and provides a third logical volume, wherein the second storage apparatus is configured to copy data from the second logical volume to the third logical volume as receiving an access request to the second logical volume, the first logical volume being reserved when the host apparatus accesses the first logical volume,

the access restriction method comprising:
- receiving, by the second storage apparatus, a key registration request that includes a first registration-target key from the host apparatus,
- transmitting, by the second storage apparatus to the first storage apparatus, in response to the key registration request from the host apparatus to the effect that a key is to be registered for the second logical volume, a first command containing the first registration-target key, and first path information, which relates to a path from the host apparatus to the second logical volume and, upon receiving the first command, the first storage apparatus stores the first key and the first path information contained in the first command as reservation information in association with the first key registration-target logical volume;
- receiving a reservation request that includes a second key from the host apparatus;
- transmitting, by the second storage apparatus to the first storage apparatus, in response to the reservation request from the host apparatus to the effect that the second logical volume is to be reserved, a second command containing a second key, which is supplied by the host apparatus, and second path information to reserve the second logical volume, which relates to a path from the host apparatus to the second logical volume and, upon receiving the second command, compares the first key and the first path information, which are contained in reservation information stored in association with the first logical volume which is a reservation target, with the second key and the second path information which are contained in the second command and, when there is a match between the first key and the first path information and the second key and the second path information, reserves the first logical volume for use by the host apparatus; and
- transmitting, by the second storage apparatus to the first storage apparatus, in response to an access request for access to the second logical volume from the host apparatus, a third command containing third path information which relates to a path from the host apparatus to the second logical volume and, upon receiving the third command, the first storage apparatus compares the first path information, which is contained in the reservation information stored in association with the first logical volume which is an access target, with the third path information which is contained in the third command and, when there is a match between the first and third path information, granting access from the host apparatus via the second storage apparatus,
- transmitting, by the second storage apparatus, a fourth command that corresponds to the reservation cancellation request to the first storage apparatus in response to a mapping cancellation request,
- receiving, at the first storage apparatus, the fourth command,
- transmitting, by the first storage apparatus, the corresponding reservation information stored for the corresponding first logical volume to the second logical volume,
- rewriting, by the second storage apparatus, the reservation information transmitted by the first storage apparatus, and
- processing, by the second storage apparatus, the access restrictions using the rewritten reservation information.
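The checks the first storage apparatus performs on the four commands recited above can be followed in a small in-memory model. This is an added illustration, not code from the patent or its assignee. The class and method names, the string form of the path information, and the choices to require a completed reservation before granting access and to drop the entry on cancellation are assumptions of the model.

```python
# Added illustration: simplified model of the first storage apparatus.
# Names, path strings and keys are constructed, not taken from the patent.
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Reservation:
    key: bytes               # registration-target key from the first command
    path: str                # path information: host -> second logical volume
    reserved: bool = False   # set once a matching second command arrives


class FirstStorage:
    """Keeps reservation information per first logical volume."""

    def __init__(self) -> None:
        self._table: dict[str, Reservation] = {}

    def register(self, volume: str, key: bytes, path: str) -> None:
        # First command: store key and path as reservation information.
        self._table[volume] = Reservation(key, path)

    def reserve(self, volume: str, key: bytes, path: str) -> bool:
        # Second command: reserve only when BOTH key and path match.
        entry = self._table.get(volume)
        if entry is None:
            return False
        if hmac.compare_digest(entry.key, key) and entry.path == path:
            entry.reserved = True
            return True
        return False

    def access(self, volume: str, path: str) -> bool:
        # Third command: grant access only when the path matches the stored
        # one. Requiring a prior reservation is an assumption of this model.
        entry = self._table.get(volume)
        return bool(entry and entry.reserved and entry.path == path)

    def cancel(self, volume: str) -> Optional[Reservation]:
        # Fourth command: return the stored reservation information to the
        # second storage apparatus. Dropping it here is a model assumption.
        return self._table.pop(volume, None)
```

A request that carries the right key over an unregistered path fails at `reserve`, and a request over a different path fails at `access` even after the volume is reserved, which is the path binding the abstract describes.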
Specification