Apparatus for and method of accessing a storage region...

Electrical computers and digital processing systems: memory – Storage accessing and control – Control technique

Reexamination Certificate

Rate now

  [ 0.00 ] – not rated yet Voters 0   Comments 0

Details

C711S152000, C711S163000, C711S111000

Reexamination Certificate

active

06484245

ABSTRACT:

BACKGROUND OF THE INVENTION
The present invention relates to storage control apparatus with ANSIX3T11-standardized fiber channels as an interface with its upper-level or “host” computers, and more particularly to a storage controller device which is employable in a computer system including a host computer and a storage control device plus a storage unit operable under control of the storage controller and which is for elimination of unauthorized access attempts upon issuance of a request to access the storage unit as sent from the host computer to the storage controller.
Conventionally, with regard to elimination or determent of unauthorized or illicit access attempts over networks, a variety of approaches are known and proposed until today.
One typical prior known approach to deterring unauthorized access has been disclosed in Published Unexamined Japanese Patent Application (“PUJPA”) No. 3-152652, wherein a network security system between computer systems supporting the TCP/IP protocol includes a memory device for storage of predefined identification (ID) information of those users who are authorized to log-in the network. The security system has a function of interrupting or disenabling any connection to the network whenever an unauthorized person attempts to log-in the network for invasion or “hacking” purposes.
Another approach has been disclosed in PUJPA No. 63-253450, wherein the central processing device disclosed comes with an operating system that is designed to monitor or “pilot” entry of user ID, password and online address data thereby deterring any unauthorized access to resource files on disk drive units.
Still another approach is based on the “ESCON” interface architecture available from IBM corp., which is designed so that by utilizing the fact that a host computer stores therein a logical address thereof as the source address of the host computer in the form of a frame and transmits the same to a storage controller device, the storage controller has a function of checking whether an incoming logical address in such frame matches a logical address that has been preset in the storage controller.
Any one of the prescribed prior art, approaches are not more than a mere unauthorized access elimination means that is inherently directed to those interfaces with a single type of layer mounted on a host logical layer.
However, the ANSIX3T11-standardized fiber channel is the “network type” architecture, which is capable of providing the host logical layer with various built-in layers mountable thereon, such as for example TCP/IP, SCSI, ESCON, IPI and the like. More specifically, since the buffer contents are to be moved from one device to another in a way independent of the data format and contents, it may offer logical compatability with other interface configurations and therefore remain physically accessible without suffering from any particular limitations. Especially, in a storage system including this fiber channel and a storage device with a plurality of storage regions such as a disk array device or “subsystem,” the storage regions are usable in common by an increased number of host computers. Accordingly, the prior art unauthorized access determent schemes remain insufficient in performance and reliability. A need thus exists for achievement of secrecy protection based on users' intentional security setup.
SUMMARY OF THE INVENTION
An object of the present invention is to provide a fiber channel connection storage control device adapted for use in a computer system which employs an ANSIX3T11-standardized fiber channel as an interface between one or more host computers and a storage control device and which includes host computers and a storage control device plus more than one storage device operable under control of the storage control device, wherein the fiber channel connection storage control device has a security function of, in the environment capable of physically receiving any access from the host computers, eliminating or deterring unauthorized access attempts from the host computers to the storage control device, which did not have any means for rejecting unauthorized access from host computers.
Another object of the present invention is to provide a fiber channel connection storage control device having a scheme capable of readily managing an accessible host computer or computers for elimination or determent of any unauthorized access from such host computers.
According to the present invention, the foregoing objects may be attainable in a way such that N_Port_Name information of an accessible host computer or computers which information distinctly identifies each host computer in a one-by-one basis is set in the storage control device for comparison with N_Port_Name information as stored in a frame to be sent from a host computer to thereby determine whether a presently desired access attempt is permissible or not.
One practical feature of the present invention in order to attain the prescribed objects is to have a means for inputting by use of a panel or the like the N_Port_Name information that is the information being issued from a host computer for distinct identification of the host computer, and then for storing such input information in a control memory of the storage control device as a control table. In this case, it will be desirable that the storage control device has a means for permanently storing therein the information until it is reset or updated.
And, by arranging the control table to be stored in a non-volatile control memory, it becomes possible to protect the management information even upon occurrence of any possible power supply failure or interruption.
In accordance with another practical feature of the present invention, after start-up of the host computer, the host computer generates and issues a frame that stores therein N_Port_Name information to the storage control device; the storage control device has means for comparing, when the storage control device receives this information, the maintained N_Port_Name information for distinct identification of the host computer to the N_Port_Name information as stored in the received frame: If the comparison results in a match between the two, then continue to execute the processing based on an instruction of the frame received; alternatively, if the comparison tells failure in match then return to the host computer an LS_RJT frame which rejects the presently received frame. It is thus possible for the storage control device to inhibit or deter any unauthorized access from the host computer.
A further practical feature of the present invention lies in presence of a means for setting N_Port_Name information items which are greater in number than or equal to a physical number of host interface units (ports) as owned by the storage control device. More specifically, a means is specifically provided for setting a plurality of N_Port_Name information items per port. This makes it possible to accommodate a multi-logical path configuration upon either a fiber channel fabric or a multi-logical path configuration upon switch connections.
Further, in a system having many magnetic disk volume parts such as a disk array device and also having a plurality of channel path routes, the system has manager means for performing management—within the storage control device in a one-to-one correspondence relation per channel path route—of storage regions under control of the storage control device, including a logical unit number (LUN)-based logical disk extent, a physical volume extent, a RAID group-based logical disk extent and the like, versus ports of the storage control device and N_Port_Name information of a host computer(s). This may enable users to deter an unauthorized access attempt per storage region, which in turn leads to achievement of more precise access management.
Furthermore in the present invention, even where the storage device under control of the storage control device is any one of an optical disk drive, magneto-optical (MO) disk drive and magnetic tape device as well as a

LandOfFree

Say what you really think

Search LandOfFree.com for the USA inventors and patents. Rate them and share your experience with other people.

Rating

Apparatus for and method of accessing a storage region... does not yet have a rating. At this time, there are no reviews or comments for this patent.

If you have personal experience with Apparatus for and method of accessing a storage region..., we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Apparatus for and method of accessing a storage region... will most certainly appreciate the feedback.

Rate now

     

Profile ID: LFUS-PAI-O-2948773

  Search
All data on this website is collected from public sources. Our data reflects the most accurate information available at the time of publication.