Skip to main content
Hitachi Vantara Knowledge

Configuring SMU security (HNAS server only)

The SMU can be configured to control the hosts that can access the SMU and auxiliary devices managed by the SMU.
NoteIf you have a standby SMU, it may take up to 5 minutes after a configuration change to be synchronized with the active SMU.

Procedure

  1. Navigate to Home SMU Administration Security Options.

    Field/Item

    Description

    Control which hosts have access to the SMU The settings in this section allow you to define the IP addresses of the hosts allowed to access the NAS Manager.
    Restrict Access to Allowed Hosts By selecting this check box, you restrict NAS Manager access to only those hosts included in the list of allowed hosts. By clearing this check box, you allow any host on your enterprise network to access the NAS Manager.

    Allowed Hosts

    To allow a host to access to the SMU, enter its IP address here and click add (the down arrow). When first restricting access, this field is pre filled with the IP address of the machine you are currently using to access this page. That IP address is required to be a member of the list. To remove a host from the list of those that have access to the NAS Manager, select the host's IP address in the list, and click delete (the X).

    • The format for IPv4 addresses is: #.#.#.#, in which # is a number between 0 and 255.

    Optionally, you can include a netmask, which is added immediately following the IP address, and is separated from the IP address by a slash (/). The netmask can use either the standard #.#.#.# format, or it can be entered as a simple number between 0 and 32). For example, either of the following are valid: 192.168.1.1/255.255.255.0 or 10.1.1.1/24.

    The value of specifying a netmask with an IP address is that you can allow access by a range of IP addresses with a single entry. For instance, to allow NAS Manager access only by hosts having an IP address in the range 192.168.1.1 through 192.168.1.255, you could add the single entry 192.168.1.1/24 instead of entering each of the 255 entries individually.

    Note The netmask component does not directly specify the IP address at the end point of a range. For example, entering 192.168.1.1/192.168.1.255 will not allow SMU access for the hosts in the range 192.168.1.1 through 192.168.1.255. Instead, to allow SMU access by all hosts in the range 192.168.1.1 through 192.168.1.255, you would enter 192.168.1.1/255.255.255.0 or 192.168.1.1/24.
    • The format for IPv6 address is:

    #:#:#:#:#:#:#:#, for example, fdca:f995:220a:480:1::a (which specifies a single host) or fdca:f995:220a:480:1::a/64 (which specifies a range of IP addresses in CIDR format).

    Web Application Security Settings This section allows you to change web application security settings.

    NoteMaking any change in this section results in the application being restarted immediately.
    Ports used for NAS Manager access

    For added security on your system, you can change the HTTP and HTTPS ports that the NAS Manager uses.

    HTTP

    The HTTP port used by the SMU.

    HTTPS

    The HTTPS (secure HTTP) port used by the SMU.

    Enable HTTPS Protocols

    By default, all HTTPS protocols are enabled, and the boxes next to the protocols are checked. Uncheck the check box next to a protocol to change its state to disabled. Leave at least one protocol enabled that your browser supports.

    Enabled Cipher Suites

    By default, all cipher suites are enabled and are shown in the Enabled Cipher Suites list box.

    Disabled Cipher Suites

    To disable cipher suites, use the arrow to move selected cipher suites to the Disabled Cipher Suites list box. Leave at least one cipher suite enabled that your browser supports.

    Login Security Banner

    For the external SMU only:

    By default, the security banner is disabled. Click Enabled to display the banner on the SMU login screen.

    The login security banner is displayed on the SMU login screen. The banner file is shared by all login modes (SSH, Serial, GUI, and KVM). A default security banner is provided as a sample security message to users. You can customize this banner text by editing the text on this page.

    You can also click reset to default, which resets the banner text to the default.

    You cannot leave the banner empty when creating it using the SMU. However you can leave it empty when creating it using the CLI.

    apply

    Click apply to save your changes.

    NoteMaking any change in the Web Application Security Settings section results in the application being restarted immediately.
  2. Optionally, use the Restrict Access to Allowed Hosts check box and the Allowed Hosts list to define individual IP address or a range of IP addresses that are allowed to access the SMU and the devices on the private network.

    Only hosts from these addresses (or within the defined range of addresses) will be allowed to communicate with the SMU or the devices on the private management network.
  3. Optionally, use the HTTP and HTTPS fields to define the ports that the SMU uses for inbound and outbound communications.

  4. Optionally, to disable protocols, at Enable HTTPS Protocols, uncheck the check box next to a protocol to change its state to disabled. It is necessary to have at least one protocol remain enabled.

    NoteTake care before disabling HTTPS protocols, because not all HTTPS protocols are supported by all browsers.
  5. Optionally, to disable cipher suites, use the arrow to move enabled cipher suites from the Enabled Cipher Suites list at the left to the Disabled Cipher Suites list at the right. It is necessary to have at least one cipher suite remain enabled.

    NoteTake care before disabling cipher suites, because not all cipher suites are supported by all browsers.
  6. Optionally, click Enabled, and change the security banner text.

    The security banner is disabled by default.

    You can edit the text of the security banner by changing the text in the edit box. Note that the security banner is plain text, and no HTML or formatting is available. To reset the security banner to the default text, click reset to default.

  7. Click apply to save the currently defined security options.