Hitachi Storage Navigator Modular 2 User Guide
Advanced Functions 10–3 Hitachi Storage Navigator Modular 2 User's Guide

FE80::/64. The last 64 bits of the IPv6 address are referred to as the interface identifier. It is derived from the 48-bit Media Access Channel (MAC) address of the NIC. To create the IPv6 interface identifier from the 48-bit (6-byte) Ethernet MAC address:

• The hexadecimal digits 0xFF-FE are inserted between the third and fourth bytes of the MAC address.
• The Universal/Local bit (the second low-order bit of the first byte of the MAC address) is complemented. If it is a 1, it is set to 0; if it is a 0, it is set to 1.

For example, for the MAC address 00-60-08-52-F9-D8:

• The hexadecimal digits 0xFF-FE are inserted between 0x08 (the third byte) and 0x52 (the fourth byte) of the MAC address, forming the 64-bit address 00-60-08-FF-FE-52-F9-D8.
• The Universal/Local bit, the second low-order bit of 0x00 (the first byte) of the MAC address, is complemented. The second low-order bit of 0x00 is 0, which becomes 1 when complemented, so the first byte 0x00 becomes 0x02.

As a result, the IPv6 interface identifier that corresponds to the Ethernet MAC address 00-60-08-52-F9-D8 is 02-60-08-FF-FE-52-F9-D8.

The link-local address of a node is the combination of the prefix FE80::/64 and the 64-bit interface identifier, expressed in colon-hexadecimal notation. The link-local address of this example node, with the prefix FE80::/64 and the interface identifier 02-60-08-FF-FE-52-F9-D8, is therefore FE80::260:8FF:FE52:F9D8.

NOTE: If you use IPv6 addresses with your storage system, we recommend that you set the IP addresses manually in the Navigator 2 Set up Management Ports window. If you select Use DHCP in that window, the IPv6 address changes whenever you replace the storage system, because the address is derived from the storage system's MAC address. You would then have to perform the Navigator 2 search array and registration again.
TIP: When setting the IPv6 address manually, use an address from the global unicast range 2001::/16.
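The derivation above as an added Python example (it is not part of the Hitachi manual; the function names are my own): mac_to_link_local builds the modified EUI-64 interface identifier and the link-local address from a MAC address, and mac_from_eui64_address does the reverse, which lets you confirm that an address in netsh output (such as fe80::2c0:4fff:fe19:bad3 in the listing further down, whose interface reports Link-Layer Address 00-c0-4f-19-ba-d3) is EUI-64-derived, or recognise that it carries a random or temporary interface identifier instead.

```python
import ipaddress

def mac_to_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (8 bytes) from a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 6-byte MAC address, got {mac!r}")
    # Insert 0xFF 0xFE between the third and fourth bytes of the MAC ...
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # ... then complement the Universal/Local bit (bit 1 of the first byte).
    iid[0] ^= 0x02
    return bytes(iid)

def mac_to_link_local(mac: str) -> str:
    """Link-local address: prefix FE80::/64 plus the EUI-64 interface identifier."""
    iid = int.from_bytes(mac_to_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("fe80::")) | iid))

def mac_from_eui64_address(addr: str):
    """Recover the MAC embedded in an EUI-64-derived IPv6 address.

    Returns None when the low 64 bits do not carry the FF-FE marker, i.e. the
    interface identifier is random (Windows Vista/2008 default) or temporary.
    """
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the Universal/Local bit flip
    return "-".join(f"{b:02x}" for b in iid[:3] + iid[5:])

if __name__ == "__main__":
    # MAC from the manual's worked example.
    print(mac_to_link_local("00-60-08-52-F9-D8"))  # fe80::260:8ff:fe52:f9d8
    # Link-local and temporary addresses taken from the netsh listing on this page.
    print(mac_from_eui64_address("fe80::2c0:4fff:fe19:bad3"))  # 00-c0-4f-19-ba-d3
    print(mac_from_eui64_address("3ffe:2900:d005:f282:4063:32a8:5c81:62f2"))  # None
```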
You can view your link-local address using the netsh interface ipv6 show interface command. When you run this command without any additional parameters, a list similar to the following appears:

    Idx  Met  MTU   State      Name
    ---  ---  ----  ---------  -------------------------------------
      5    0  1500  Connected  Local Area Connection
      4    0  1500  Connected  Local Area Connection 2
      3    1  1280  Connected  6to4 Tunneling Pseudo-Interface
      2    1  1280  Connected  Automatic Tunneling Pseudo-Interface
      1    0  1500  Connected  Loopback Pseudo-Interface

For more detailed output, you can designate a connection name as a command parameter (for example, netsh interface ipv6 show interface "Local Area Connection 2"). Using the interface parameter (with either an interface name or an interface index number) results in the following output, which includes the link-local address for the connection:

    Interface 4: Local Area Connection 2

    Addr Type  DAD State   Valid Life    Pref. Life   Address
    ---------  ----------  ------------  -----------  ---------------------------------------
    Temporary  Preferred   6d4h41m33s    4h38m46s     3ffe:2900:d005:f282:4063:32a8:5c81:62f2
    Temporary  Deprecated  5d4h44m24s    0s           3ffe:2900:d005:f282:cd74:3dd7:857b:b57
    Temporary  Deprecated  4d4h47m16s    0s           3ffe:2900:d005:f282:d880:d193:f2dd:d929
    Temporary  Deprecated  3d4h50m7s     0s           3ffe:2900:d005:f282:7482:2f05:8129:54ba
    Temporary  Deprecated  2d4h52m59s    0s           3ffe:2900:d005:f282:d530:25de:57b:7ee0
    Temporary  Deprecated  1d4h55m50s    0s           3ffe:2900:d005:f282:c58c:4290:22c6:7b3b
    Temporary  Deprecated  4h58m42s      0s           3ffe:2900:d005:f282:8464:acf0:8393:cf6
    Public     Preferred   29d23h57m19s  6d23h57m19s  fec0::f282:2c0:4fff:fe19:bad3
    Public     Preferred   29d23h57m19s  6d23h57m19s  3ffe:2900:d005:f282:2c0:4fff:fe19:bad3
    Link       Preferred   infinite      infinite     fe80::2c0:4fff:fe19:bad3

    Connection Name          : Local Area Connection 2
    GUID                     : {433F15CA-E3FD-4DE4-B3FF-7EF4B30CA4E7}
    State                    : Connected
    Metric                   : 0
    Link MTU                 : 1500 bytes
    True Link MTU            : 1500 bytes
    Current Hop Limit        : 64
    Reachable Time           : 4h43m20s
    Base Reachable Time      : 8h20m
    Retransmission Interval  : 16m40s
    DAD Transmits            : 1
    DNS Suffix               : example.microsoft.com
    Zone ID for Link         : 4
    Zone ID for Site         : 1
    Uses Neighbor Discovery  : Yes
    Sends RAs                : No
    Forwards Packets         : No
    Link-Layer Address       : 00-c0-4f-19-ba-d3

In this example, Interface 4 corresponds to an installed Ethernet adapter with a link-local address of FE80::2C0:4FFF:FE19:BAD3.

Router discovery

IPv6 solves many problems related to the interaction between nodes that are attached to the same link. To accomplish this, an IPv6 host "advertises" its presence, various link parameters, and various Internet parameters using router discovery (an exchange of Router Solicitation and Router Advertisement messages) to ascertain additional addresses and configuration settings.
To accomplish this, routers "advertise" their presence, various link parameters, and various Internet parameters. Routers advertise either periodically or in response to a router solicitation message. Router advertisements contain prefixes that are used for on-link determination or address configuration, a suggested hop limit value, and other information. If you need to change the contents of a router advertisement for a host attached to the storage system, use the command set Router Lifetime and specify an expiration date of 0 to disable the previous router advertisement. Otherwise, you will have to perform the Navigator 2 search array and registration again.

Temporary addresses

Computers running Microsoft Windows Vista or Windows Server 2008 by default generate random interface IDs for non-temporary auto-configured IPv6 addresses, including public and link-local addresses, instead of EUI-64-based interface IDs. A public IPv6 address is a global address that is registered in DNS and is typically used by server applications, such as a Web server, for incoming connections. This default setting can cause many temporary addresses to be registered on the host, increasing processing times. Therefore, we recommend that you check the temporary addresses and, if there are many, disable them.

To check whether temporary addresses are enabled or disabled, type the following command at the command prompt:

    C:\> netsh interface ipv6 show privacy

To disable temporary addresses, type the following command:

    C:\> netsh interface ipv6 set privacy disable

To return them to Enabled, type the following command:

    C:\> netsh interface ipv6 set privacy enable

Connection methods

The following examples show connections between the storage system and the computer on which Navigator 2 has been installed.

Example 1

Figure 10-1 on page 10-6 shows a configuration where a computer with Navigator 2 and the other computer have the same IPv6 addresses.
Figure 10-1: Sample Configuration 1

In this configuration:

• The storage system uses 2000/tcp and 28355/tcp to communicate with Navigator 2. If the storage system is connected directly to a computer but cannot communicate through the router, the router may be blocking these ports. In this case, configure the router to permit two-way communication on these ports.
• IPv6 multicasting is used on the local link to search for the storage system's IPv6 address. Before having Navigator 2 search for the storage system, configure the storage system and the computer on which Navigator 2 is installed to reside on the same link.
• If the computer where Navigator 2 is installed has two or more NICs connected to separate network segments, Navigator 2 can only access the LAN whose addresses were specified when Navigator 2 was installed.

Example 2

Figure 10-2 on page 10-7 shows a configuration where a computer with Navigator 2 and another computer are configured with different IPv6 addresses.
Figure 10-2: Sample Configuration 2

In this configuration:

• The storage system uses 2000/tcp and 28355/tcp to communicate with Navigator 2. If the computer is connected directly to the storage system but cannot communicate through the router, the router may be blocking these ports. In this case, configure the router to permit two-way communication on these ports.
• The computer on which Navigator 2 is installed (Computer A) uses 23015/tcp and 1099/tcp to communicate with Computer B. If Computer A can be connected directly to the storage system but cannot communicate through the router, the router may be blocking these ports. In this case, configure the router to permit two-way communication on these ports.
• IPv6 multicasting is used on the local link to search for the storage system's IPv6 address. Before having Navigator 2 search for the storage system, configure the storage system and the computer on which Navigator 2 is installed to reside on the same link.
• If the computer where Navigator 2 is installed has two or more NICs connected to separate network segments, Navigator 2 can only access the LAN whose addresses were specified when Navigator 2 was installed.

Using secure sockets layer

If security is a concern, your management console can communicate with Navigator 2 using the Secure Sockets Layer (SSL) protocol. SSL secures the transactions between Navigator 2 and your management console's Web browser. The protocol uses a third party, a Certificate Authority (CA), to identify one or both ends of the transaction. The following steps summarize how SSL works.

1. A browser requests a secure page (usually https://).
2. Navigator 2 sends its public key with its certificate.
3. The browser checks that the certificate was issued by a trusted party (usually a trusted root CA), that the certificate is still valid, and that the certificate is related to the site contacted.
4. The browser uses the public key to encrypt a random symmetric encryption key and sends it to the server, together with the encrypted URL required and other encrypted HTTP data.
5. Navigator 2 decrypts the symmetric encryption key using its private key and uses the symmetric key to decrypt the URL and HTTP data.
6. Navigator 2 sends back the requested HTML document and HTTP data encrypted with the symmetric key.
7. The browser decrypts the HTTP data and HTML document using the symmetric key and displays the information.

Setting the certificate and private key

We recommend that you use a server certificate and private key for SSL communications with Navigator 2. The following sections describe how to create and set the server certificate and private key.

Stopping the Navigator 2 service or daemon process

The first step when setting the certificate and private key for SSL communications is to stop the Navigator 2 service on Windows operating systems, or the Navigator 2 daemon process on Solaris and Linux operating systems. For more information, see Starting or stopping the Navigator 2 service or daemon process on page 10-15.

Creating a private key

The next step is to create a private key. Refer to the section for your operating system.

Creating a private key on Windows

To create a private key on a Windows operating system:

1. Create the directory where the private key will be output.
2. Open a command prompt and go to the following directory: \Base\bin
3. Type the following command line, where <bit-length> is the key length: 512, 1024, or 2048.

    hcmdssslc genrsa -out c:\ca\httpsdkey.pem <bit-length>
The following shows an example of issuing this command line:

    hcmdssslc genrsa -out c:\ca\httpsdkey.pem 2048
    Loading entropy into random state - unable to load random state
    warning, not much extra random data, consider using the -rand option
    Generating 2 prime RSA private key, 2048 bit long modulus
    ..................................................................+++++
    ...........+++++
    e is 65537 (0x10001)

4. Type the following command line to create a certificate signing request (CSR):

    hcmdssslc req -config "C:\Program Files\HiCommand\Base\httpsd\sslc\bin\demoCA\sslc.cnf" -new -key c:\ca\httpsdkey.pem -out c:\ca\httpsd.csr

The following shows an example of issuing this command line:

    Using configuration from C:\Program Files\HiCommand\Base\httpsd\sslc\bin\demoCA\sslc.cnf
    You will be prompted to enter information to incorporate into the certificate request.
    This information is called a Distinguished Name or a DN.
    There are many fields however some can remain blank.
    Some fields have default values.
    Enter ., to leave the field blank.
    -----
    Country Name (2 letter code) []:us
    State or Province Name (full name) []:California
    Locality Name (eg, city) []:San Jose
    Organization Name (eg, company) []:Hitachi
    Organizational Unit Name (eg, section) []:Hitachi
    Common Name (eg, YOUR name) []:Hitachi
    Email Address []:
    Please enter the following extra attributes to be sent with your certificate request
    A challenge password []:
    An optional company name []:

5. Submit the created CSR file (httpsd.csr in the above example) to the CA.
6. Obtain the signed certificate from the CA.

NOTE: If you do not submit the CSR file to a CA or obtain a signed certificate file from one, you can still create a self-signed certificate file using the hcmdssslc command. However, a warning window appears when the initial Navigator 2 window and subsequent windows open.
7. To create a self-signed certificate file, type the following command line:

    hcmdssslc x509 -in c:\ca\httpsd.csr -out c:\ca\newcert.pem -req -signkey c:\ca\httpsdkey.pem -days 365

   c:\ca\httpsd.csr: the CSR submitted to the CA
   c:\ca\newcert.pem: the self-signed certificate
   c:\ca\httpsdkey.pem: the private key file

8. Using a text editor, open the file httpsd.conf in \Base\httpsd\conf.
9. Delete the hash sign (#) from the following lines, which are commented out by default, and change the values of SSLCertificateFile and SSLCertificateKeyFile:
   a. For SSLCertificateFile, specify the signed certificate file obtained from the CA.
   b. For SSLCertificateKeyFile, specify the full path of the private key file created earlier in this procedure.
   The relevant part of the file is shown below:

    SSLSessionCacheSize 0
    #Listen 23016
    #Listen [::]:23016
    #
    # ServerName s1j-orca2xp
    # SSLEnable
    # SSLProtocol SSLv3 TLSv1
    # SSLRequireSSL
    # SSLCertificateFile C:/ca/httpsd.pem
    # SSLCertificateKeyFile C:/ca/httpsdkey.pem
    # SSLCACertificateFile C:/Program Files/HiCommand/Base/httpsd/conf/ssl/cacert/anycert.pem
    # SSLSessionCacheTimeout 3600
    #

10. Start the service for Navigator 2 (see Starting the Navigator 2 server service or daemon process on page 10-20).
11. Start the service for Hitachi Storage Command Suite Common Components (see Starting the Hitachi Storage Command Suite common components on page 10-19).
12. If there are other products that use the Hitachi Storage Command Suite Common Components, start the daemon process for those applications (refer to the documentation for those applications).
Creating a private key on Solaris or Linux

To create a private key on a Solaris or Linux operating system:

1. Create the directory where the private key will be output.
2. Open a command prompt and go to the following directory: /Base/httpsd/sslc/bin
3. Type the following command line, where <bit-length> is the key length: 512, 1024, or 2048.

    sslc genrsa -out /ca/httpsdkey.pem <bit-length>

The following shows an example of issuing this command line:

    hcmdssslc genrsa -out c:\ca\httpsdkey.pem 2048
    Loading entropy into random state - unable to load random state
    warning, not much extra random data, consider using the -rand option
    Generating 2 prime RSA private key, 2048 bit long modulus
    ..................................................................+++++
    ...........+++++
    e is 65537 (0x10001)

4. Type the following command line to create a certificate signing request (CSR):

    ./sslc req -config /opt/HiCommand/Base/httpsd/sslc/bin/demoCA/sslc.cnf -new -key /ca/httpsdkey.pem -out /ca/httpsd.csr

The following shows an example of the result of executing this command line:

    Using configuration from C:\Program Files\HiCommand\Base\httpsd\sslc\bin\demoCA\sslc.cnf
    You will be prompted to enter information to incorporate into the certificate request.
    This information is called a Distinguished Name or a DN.
    There are many fields however some can remain blank.
    Some fields have default values.
    Enter ., to leave the field blank.
    -----
    Country Name (2 letter code) []:us
    State or Province Name (full name) []:California
    Locality Name (eg, city) []:San Jose
    Organization Name (eg, company) []:Hitachi
    Organizational Unit Name (eg, section) []:Hitachi
    Common Name (eg, YOUR name) []:Hitachi
    Email Address []:
    Please enter the following extra attributes to be sent with your certificate request
    A challenge password []:
    An optional company name []:
5. Submit the created CSR file (httpsd.csr in the above example) to the CA and obtain the signed certificate.
6. To create a self-signed certificate file, type the following command line:

    ./sslc x509 -in /ca/httpsd.csr -out /ca/newcert.pem -req -signkey /ca/httpsdkey.pem -days 365

7. Using a text editor, open the file httpsd.conf in \Base\httpsd\conf.
8. Delete the hash sign (#) from the following lines, which are commented out by default, and change the values of SSLCertificateFile and SSLCertificateKeyFile:
   a. For SSLCertificateFile, specify the signed certificate file obtained from the CA.
   b. For SSLCertificateKeyFile, specify the full path of the private key file created earlier in this procedure.
   The relevant part of the file is shown below:

    SSLSessionCacheSize 0
    #Listen 23016
    #Listen [::]:23016
    #
    # ServerName s1j-orca2xp
    # SSLEnable
    # SSLProtocol SSLv3 TLSv1
    # SSLRequireSSL
    # SSLCertificateFile C:/ca/httpsd.pem
    # SSLCertificateKeyFile C:/ca/httpsdkey.pem
    # SSLCACertificateFile C:/Program Files/HiCommand/Base/httpsd/conf/ssl/cacert/anycert.pem
    # SSLSessionCacheTimeout 3600
    #

9. Start the daemon process for Navigator 2 (see Starting the services or daemon process on page 10-18).
10. Start the daemon process for Hitachi Storage Command Suite Common Components (see Starting the Hitachi Storage Command Suite common components on page 10-19).
11. If there are other products that use the Hitachi Storage Command Suite Common Components, start the daemon process for those applications (refer to the documentation for those applications).

NOTE: If you do not submit the CSR file to a CA or obtain a signed certificate file from one, you can still create a self-signed certificate file using the hcmdssslc command. However, a warning window appears when the initial Navigator 2 window and subsequent windows open.
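An added Python checker for the httpsd.conf edit in both procedures above (step 9 on Windows, step 8 on Solaris/Linux); it is my own example, not Hitachi's tooling, and its function names are assumptions. It reports which SSL directives are still commented out, flags SSLv3 in SSLProtocol (SSLv3 is deprecated by RFC 7568; whether this httpsd accepts a TLS-only value must be confirmed against its own documentation, and choose 2048 bits for the key, since 512- and 1024-bit RSA are no longer considered safe), and uses the standard library's ssl module to confirm that the certificate and private key actually form a pair before the service is restarted. The shipped fragment is the one printed on this page; the edited variant is constructed.

```python
import ssl

# Directives the procedure tells you to uncomment in httpsd.conf.
REQUIRED = ("Listen", "SSLEnable", "SSLProtocol", "SSLRequireSSL",
            "SSLCertificateFile", "SSLCertificateKeyFile")

# The fragment as shipped, copied from this page (SSL directives commented out).
SHIPPED_CONF = """\
SSLSessionCacheSize 0
#Listen 23016
#Listen [::]:23016
#
# SSLEnable
# SSLProtocol SSLv3 TLSv1
# SSLRequireSSL
# SSLCertificateFile C:/ca/httpsd.pem
# SSLCertificateKeyFile C:/ca/httpsdkey.pem
"""
# Constructed: the same fragment after the edit, pointing at the self-signed certificate.
EDITED_CONF = SHIPPED_CONF.replace("#Listen 23016", "Listen 23016") \
    .replace("# SSL", "SSL").replace("httpsd.pem", "newcert.pem")

def parse_httpsd_conf(text):
    """Active {directive: value} plus the set of directives still commented out."""
    active, commented = {}, set()
    for raw in text.splitlines():
        body = raw.strip().lstrip("#").strip()
        if not body:
            continue  # blank line or bare '#'
        name, _, value = body.partition(" ")
        if raw.lstrip().startswith("#"):
            commented.add(name)
        else:
            active[name] = value.strip()
    return active, commented

def audit_httpsd_conf(text):
    """Findings to clear before restarting the Navigator 2 service."""
    active, commented = parse_httpsd_conf(text)
    findings = []
    for name in REQUIRED:
        if name not in active:
            state = "still commented out" if name in commented else "absent"
            findings.append(f"{name} {state}")
    if "SSLv3" in active.get("SSLProtocol", "").split():
        findings.append("SSLProtocol still permits SSLv3; allow TLS versions only")
    return findings

def cert_matches_key(certfile, keyfile):
    """True only if certificate and private key load together as a usable pair."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(certfile, keyfile)
    except (ssl.SSLError, OSError):
        return False  # missing file, bad PEM, or key/cert mismatch
    return True

if __name__ == "__main__":
    for finding in audit_httpsd_conf(EDITED_CONF):
        print(finding)
```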