The NAS Manager provides the primary management interface for managing the server. In certain circumstances, however, an administrator may wish to use one of the following alternatives:
- The command line interface (CLI), accessible through SSH and Telnet.
- The SSC utility, available for both Windows and Linux/UNIX.
- Simple Network Management Protocol (SNMP).
To protect the server from unauthorized access, various safeguards have been built in. Statistics are available to monitor access through these various methods. The following sections detail the configuration options that secure the server’s management interfaces and ports.
To prevent unauthorized access to the storage system, you should configure the server to respond only to predefined (authorized) management hosts on the network, based on the management access method (Telnet, SSC and SNMP) and defined port number. You can enable or disable access through SSC and SNMP entirely, and you can specify certain configuration settings to control how those protocols can be used.
Setting the server password
Click on the details button for the user.
Enter the new password.
Enter the new password again, to confirm.
Click OK to save the new password.
Configuring SSC access
Field/Item Description
Enable SSC Access
Select the check box to allow access by the SSC protocol, or clear the check box to disable access using that protocol.
Port Number
Enter the port number that the storage server should monitor for communication through the protocol. The default is port 206. We recommend that you do not change this port number, as SSC must be enabled on port 206 in order to perform package upgrades, run diagnostics, and use ADC.
Note: The port number is not configurable on a NAS module.
Maximum Number Of Connections
Specifies the maximum number of simultaneous connections to the server. You can allow up to five simultaneous connections.
Restrict Access To Allowed Hosts
Select the check box to restrict protocol access to the hosts specified on this page. Clear the check box to enable the protocol to access any host.
Allowed Hosts
If protocol access is restricted to specified hosts, use these fields to specify the hosts to which the protocol has access.
Note: If protocol access is restricted to specified hosts, make sure the SMU is an allowed host.
- Allowed Hosts (field). In the Allowed Hosts field, enter the IP address of a host that the protocol is allowed to access, then click Add to insert that host into the list of allowed hosts.
Note: If the system has been set up to work with a name server, you can identify allowed hosts by IP address or hostname.
Wildcard Usage: You can specify an IP address using the * character, such as: 10.168.*.* or 172.*.*.*.
- Allowed Hosts (list). This list displays the IP address or host name of each of the hosts that the protocol is allowed to access.
To delete a host, select its IP address or host name from the list and click Delete.
Add
Inserts that host into the Allowed Hosts list.
Delete
Deletes the selected host from the Allowed Hosts list.
apply
Saves configuration changes.
Specify the SSC configuration settings.
Click apply to save configuration changes.
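The wildcard examples above match more hosts than they may appear to: 172.*.*.* covers all of 172.0.0.0/8, most of which lies outside the private 172.16.0.0/12 range. The audit below is an added example, not part of the product or its documentation; it assumes * replaces whole trailing octets (the only form shown above), and the function names, sample list and 256-address threshold are illustrative.

```python
import ipaddress

# RFC 1918 private ranges; anything outside them is treated as routable.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def wildcard_to_network(entry):
    """Map an Allowed Hosts entry such as 10.168.*.* to the network it covers.
    Assumption: '*' replaces whole trailing octets, the only form the page shows."""
    octets = entry.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted-quad entry: {entry!r}")
    fixed = []
    for i, octet in enumerate(octets):
        if octet == "*":
            if any(o != "*" for o in octets[i:]):
                raise ValueError(f"wildcard must be trailing: {entry!r}")
            break
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError(f"bad octet in {entry!r}")
        fixed.append(int(octet))
    base = ".".join(str(o) for o in fixed + [0] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")

def audit_allowed_hosts(entries, max_hosts=256):
    """Return (entry, network, address_count, findings) for each entry."""
    report = []
    for entry in entries:
        try:
            net = wildcard_to_network(entry)
        except ValueError:
            # Hostnames are accepted when a name server is configured.
            report.append((entry, None, None,
                           ["hostname or malformed: trust depends on name resolution"]))
            continue
        findings = []
        if not any(net.subnet_of(p) for p in PRIVATE):
            findings.append("covers addresses outside RFC 1918 private space")
        if net.num_addresses > max_hosts:
            findings.append(f"matches {net.num_addresses} addresses")
        report.append((entry, str(net), net.num_addresses, findings))
    return report

# Constructed sample: the page's two wildcard examples, one host, one hostname.
SAMPLE = ["10.168.*.*", "172.*.*.*", "10.168.4.20", "smu.example.internal"]

if __name__ == "__main__":
    for row in audit_allowed_hosts(SAMPLE):
        print(row)
```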
Configuring SNMP access
Field/Item Description
SNMP Protocol Support
Using the radio buttons at the top of the page, select the version of the SNMP protocol with which hosts must comply when sending requests to the agent, or alternatively, disable the SNMP agent.
Accept SNMP Packets On Port
Enter the port number that the server monitors for communication through the SNMP protocol. The default port number is 161.
Restrict Access To Allowed Hosts
Select this check box to restrict protocol access to the hosts specified on this page. Clear the check box to enable the protocol to access any host.
To permit requests from authorized hosts only, type the IP address of a host in this field, then click Add to include it in the list. If the system has been set up to work with a name server, you can type the name of the SNMP manager host rather than its address.
Note: If access is restricted to specified hosts, add the SMU as an allowed host.
To remove a host from the list, select the host you want to remove, then click Delete.
Type the name of a community (a password) that will provide authentication into the MIB, and then click Add to include it in the list. Community names are case-sensitive.
Note: You should define at least one community entry.
To remove a community from the list, select the host you want to remove, then click Delete.
apply
Saves configuration changes.
Download SNMP MIB modules
Click to download the MIB modules in a compressed format onto the local machine.
Specify the SNMP configuration settings.
Click apply to save configuration changes.
Configuring SNMPv3 access
SNMPv3 defines a more secure version of SNMP compared to the previously supported SNMPv1 and SNMPv2c. SNMPv3 adds support for user-based authentication and encryption to achieve secure access to the management information held on the HNAS server. SNMPv1 and SNMPv2c continue to be available but cannot be enabled at the same time as SNMPv3.
You must use CLI commands to configure SNMPv3.
Before you begin
The snmp concept man page describes the supported SNMP versions and restrictions.
The authentication and privacy option is always configured when SNMPv3 is enabled.
The SNMP agent uses HMAC-SHA-96 authentication and AES-128-CFB encryption for data privacy.
Use the CLI command snmp-protocol to configure SNMPv3.
HNAS1:$ snmp-protocol -v v3
HNAS1:$ snmp-protocol
Protocol: SNMPv3
When SNMPv3 is enabled, the SNMP agent will not respond to SNMPv1 or SNMPv2c requests.
Add users with the snmpv3-user-add command.
HNAS1:$ snmpv3-user-add testuser
Please enter the authentication password: ********
Please re-enter the authentication password: ********
Please enter the privacy password: ********
Please re-enter the privacy password: ********
[snmpv3-user-add took 14 s.]
At least one user, with an authentication password and a privacy password, must be configured in order to use SNMPv3.
When SNMPv3 is configured, access to the information on the server is restricted to users in the SNMPv3 user list.
You may delete users with the snmpv3-user-delete and snmpv3-user-delete-all commands.
HNAS1:$ snmpv3-user-delete testuser
You may list users with the snmpv3-user-list command.
HNAS1:$ snmpv3-user-list
Users
--------
testuser
Configure agent ports using the snmp-port-set and snmp-port-show commands. The SNMP port used is normally 161.
HNAS1:$ snmp-port-set 161
SNMP agent port successfully set to: 161
HNAS1:$ snmp-port-show
SNMP agent port: 161
The snmp-trap-port-set, snmp-trap-port-show, and snmp-traps commands are available to configure the operation of the SNMP agent for all versions of SNMP. The traps are normally sent to port 162.
HNAS1:$ snmp-trap-port-set 162
HNAS1:$ snmp-trap-port-show
SNMP trap port: 162
All notifications are sent using SNMPv1 traps regardless of the configured SNMP protocol version.
When configured to use SNMPv3, the community names configured via the snmp-communities command and the hosts list configured via the snmp-hosts command do not restrict SNMPv3 access to the server.
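Because the community and host lists do not restrict SNMPv3, the user passwords are the only access control, and under standard USM the authentication key is derived deterministically from the password. The sketch below is an added example, not HNAS code: it assumes the agent's HMAC-SHA-96 is the RFC 3414 definition, reproduces that RFC's password-to-key and 96-bit tag computation, and uses the RFC's published "maplesyrup" vector; function names are illustrative.

```python
import hashlib
import hmac

def password_to_key(password: bytes) -> bytes:
    """RFC 3414 A.2.2: SHA-1 over the first 1 MiB of the repeated password."""
    if not password:
        raise ValueError("empty password")
    repeats = 1048576 // len(password) + 1
    return hashlib.sha1((password * repeats)[:1048576]).digest()

def localize_key(ku: bytes, engine_id: bytes) -> bytes:
    """Bind the key to one agent: SHA-1(Ku || snmpEngineID || Ku)."""
    return hashlib.sha1(ku + engine_id + ku).digest()

def hmac_sha_96(auth_key: bytes, whole_msg: bytes) -> bytes:
    """HMAC-SHA-1 truncated to 96 bits (12 octets).

    In USM, whole_msg is the full message with the 12-octet
    msgAuthenticationParameters field set to zeros.
    """
    return hmac.new(auth_key, whole_msg, hashlib.sha1).digest()[:12]

def tag_is_valid(auth_key: bytes, whole_msg: bytes, tag: bytes) -> bool:
    """Compare in constant time, as a receiver should."""
    return hmac.compare_digest(hmac_sha_96(auth_key, whole_msg), tag)

# Test vector published in RFC 3414 A.3.2 (not an HNAS value).
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC_LOCALIZED = "6695febc9288e36282235fc7151f128497b38f3f"

if __name__ == "__main__":
    key = localize_key(password_to_key(RFC_PASSWORD), RFC_ENGINE_ID)
    print("matches RFC vector:", key.hex() == RFC_LOCALIZED)
    # Constructed placeholder standing in for a serialized SNMPv3 message.
    msg = b"constructed placeholder message"
    tag = hmac_sha_96(key, msg)
    print(len(tag), tag_is_valid(key, msg, tag), tag_is_valid(key, msg + b"x", tag))
```

The same password and engine ID always yield the same key, so the strength of each snmpv3-user-add password directly bounds the strength of the authentication.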