Hitachi Vantara Knowledge

Configuring server management access

The NAS Manager provides the primary management interface for managing the server. In certain circumstances, however, an administrator may wish to use one of the following alternatives:

  • The command line interface (CLI), accessible through SSH and Telnet.
  • The SSC utility, available for both Windows and Linux/UNIX.
  • Simple Network Management Protocol (SNMP).

To protect the server from unauthorized access, various safeguards have been built in. Statistics are available to monitor access through these various methods. The following sections detail the configuration options that secure the server’s management interfaces and ports.

To prevent unauthorized access to the storage system, you should configure the server to respond only to predefined (authorized) management hosts on the network, based on the management access method (Telnet, SSC and SNMP) and defined port number. You can enable or disable access through SSC and SNMP entirely, and you can specify certain configuration settings to control how those protocols can be used.

Setting the server password

A password is required to authenticate direct management connections to the server. The password is required when adding a server to the SMU’s list of managed servers, or when accessing a server directly through the command line interface.

Procedure

  1. Navigate to Home > Server Settings > Server Users.

  2. Click on the details button for the user.

  3. Enter the new password.

  4. Enter the new password again, to confirm.

  5. Click OK to save the new password.

Configuring SSC access

SSC can be enabled or disabled, and you can specify the hosts allowed to access the server using this protocol.

Procedure

  1. Navigate to Home > Server Settings > SSC Access Configuration.

    SSC Access Configuration

    Field/Item Description

    Enable SSC Access

    Select the check box to allow access by the SSC protocol, or clear the check box to disable access using that protocol.

    Port Number

    Enter the port number that the storage server should monitor for communication through the protocol. The default is port 206. We recommend that you do not change this port number, as SSC must be enabled on port 206 in order to perform package upgrades, run diagnostics, and use ADC.

    Note: The port number is not configurable on a NAS module.

    Maximum Number Of Connections

    Specifies the maximum number of simultaneous connections to the server. You can allow up to five simultaneous connections.

    Restrict Access To Allowed Hosts

    Select the check box to restrict protocol access to the hosts specified on this page. Clear the check box to allow any host to access the server using the protocol.

    Allowed Hosts

    If protocol access is restricted to specified hosts, use these fields to specify the hosts that are allowed to use the protocol.

    Note: If protocol access is restricted to specified hosts, make sure the SMU is an allowed host.

    • Allowed Hosts (field). In the Allowed Hosts field, enter the IP address of a host that is allowed to access the server through the protocol, then click Add to insert that host into the list of allowed hosts.

      Note: If the system has been set up to work with a name server, you can identify allowed hosts by IP address or hostname.

      Wildcard Usage: You can specify an IP address using the * character, such as: 10.168.*.* or 172.*.*.*.

    • Allowed Hosts (list). This list displays the IP address or host name of each of the hosts that are allowed to use the protocol.

      To delete a host, select its IP address or host name from the list and click Delete.

    Add

    Inserts that host into the Allowed Hosts list.

    Delete

    Deletes the selected host from the Allowed Hosts list.

    apply

    Saves configuration changes.

  2. Specify the SSC configuration settings.

  3. Click apply to save configuration changes.
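
An added example, not part of the original documentation or of Hitachi's tooling: a Python review of an Allowed Hosts list written in the wildcard syntax described above. It counts the addresses each entry admits, flags entries that reach beyond RFC 1918 private space (172.*.*.* does, because only 172.16 to 172.31 is private), and checks that the SMU is covered. The function names, the sample list and the SMU address are assumptions, and accepting * in any octet generalizes the two examples on the page.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_entry(entry):
    """Return four octets (int or '*'), or None when the entry is a hostname."""
    parts = entry.strip().split(".")
    if len(parts) != 4:
        return None
    octets = []
    for p in parts:
        if p == "*":
            octets.append("*")
        elif p.isascii() and p.isdigit() and int(p) <= 255:
            octets.append(int(p))
        else:
            return None
    return octets

def entry_matches(entry, ip):
    """True when a dotted-quad ip falls under an address or wildcard entry."""
    octets = parse_entry(entry)
    if octets is None:
        return False          # hostnames need DNS; they are not resolved here
    return all(o == "*" or o == int(a) for o, a in zip(octets, ip.split(".")))

def audit_entry(entry):
    """Count the addresses an entry admits and test whether all are RFC 1918."""
    octets = parse_entry(entry)
    if octets is None:
        return {"entry": entry, "addresses": None, "private_only": None}
    # The fixed octets before the first wildcard define the enclosing network.
    lead = octets.index("*") if "*" in octets else 4
    base = ".".join(str(o) for o in octets[:lead] + [0] * (4 - lead))
    enclosing = ipaddress.ip_network(f"{base}/{8 * lead}")
    return {"entry": entry,
            "addresses": 256 ** octets.count("*"),
            "private_only": any(enclosing.subnet_of(n) for n in RFC1918)}

def review(allowed, smu_ip):
    """Findings for one list: entries with public reach, and an uncovered SMU."""
    findings = [f"{e}: admits public addresses"
                for e in allowed if audit_entry(e)["private_only"] is False]
    if not any(entry_matches(e, smu_ip) for e in allowed):
        findings.append(f"SMU {smu_ip} is not covered by any entry")
    return findings

# Constructed sample list; the two wildcard entries are the page's own examples.
SAMPLE = ["10.168.*.*", "172.*.*.*", "192.168.10.5"]
```

If the SMU is listed by hostname rather than address, `review` reports it as uncovered because hostnames are not resolved.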

Configuring SNMP access

You can enable or disable SNMP access, specify the versions of SNMP for the server to use, and specify the hosts allowed to access the server using this protocol. For NAS modules of VSP Gx00 and Fx00 models, the SNMP access configured with NAS Manager propagates to the block configuration. If the SNMP access settings are different for block and file, the SNMP access should be set with the maintenance utility rather than NAS Manager.

Procedure

  1. Navigate to Home > Server Settings > SNMP Access Configuration.

    Field/Item Description
    SNMP Protocol Support

    Using the radio buttons at the top of the page, select the version of the SNMP protocol with which hosts must comply when sending requests to the agent, or alternatively, disable the SNMP agent.

    Accept SNMP Packets On Port

    Enter the port number that the server monitors for communication through the SNMP protocol. The default port number is 161.

    Restrict Access To Allowed Hosts

    Select this check box to restrict protocol access to the hosts specified on this page. Clear the check box to allow any host to access the server using the protocol.

    Allowed Hosts

    To permit requests from authorized hosts only, type the IP address of a host in this field, then click Add to include it in the list. If the system has been set up to work with a name server, you can type the name of the SNMP manager host rather than its address.

    Note: If access is restricted to specified hosts, add the SMU as an allowed host.

    To remove a host from the list, select the host you want to remove, then click Delete.

    Allowed Communities

    Type the name of a community (a password) that will provide authentication into the MIB, and then click Add to include it in the list. Community names are case-sensitive.

    Note: You should define at least one community entry.

    To remove a community from the list, select the community you want to remove, then click Delete.

    apply

    Saves configuration changes.

    Download SNMP MIB modules

    Click to download the MIB modules in a compressed format onto the local machine.

  2. Specify the SNMP configuration settings.

  3. Click apply to save configuration changes.

Configuring SNMPv3 access

SNMPv3 defines a more secure version of SNMP compared to the previously supported SNMPv1 and SNMPv2c. SNMPv3 adds support for user-based authentication and encryption to achieve secure access to the management information held on the HNAS server. SNMPv1 and SNMPv2c continue to be available but cannot be enabled at the same time as SNMPv3.

You must use CLI commands to configure SNMPv3.

Before you begin

The snmp concept man page describes the supported SNMP versions and restrictions.

The authentication and privacy option is always configured when SNMPv3 is enabled.

The SNMP agent uses HMAC-SHA-96 authentication and AES-128-CFB encryption for data privacy.

Procedure

  1. Use the CLI command snmp-protocol to configure SNMPv3.

    HNAS1:$        snmp-protocol -v v3
    HNAS1:$        snmp-protocol
                   Protocol:      SNMPv3

    When SNMPv3 is enabled, the SNMP agent will not respond to SNMPv1 or SNMPv2c requests.

  2. Add users with the snmpv3-user-add command.

    HNAS1:$        snmpv3-user-add testuser 
                   Please enter the authentication password:     ********
                   Please re-enter the authentication password:  ********
                   Please enter the privacy password:    ********
                   Please re-enter the privacy password: ********
                   [snmpv3-user-add took 14 s.]

    At least one user, with an authentication password and a privacy password, must be configured in order to use SNMPv3.

    When SNMPv3 is configured, access to the information on the server is restricted to users in the SNMPv3 user list.

    1. You may delete users with the snmpv3-user-delete and snmpv3-user-delete-all commands.

      HNAS1:$        snmpv3-user-delete testuser
    2. You may list users with the snmpv3-user-list command.

      HNAS1:$        snmpv3-user-list
      
                        Users
                     --------
                     testuser
      
  3. Configure agent ports using the snmp-port-set and snmp-port-show commands. The SNMP port used is normally 161.

    HNAS1:$        snmp-port-set 161
                   SNMP agent port successfully set to:  161 
    
    HNAS1:$        snmp-port-show
                   SNMP agent port:  161
    
  4. The snmp-trap-port-set, snmp-trap-port-show, and snmp-traps commands are available to configure the operation of the SNMP agent for all versions of SNMP. The traps are normally sent to port 162.

    HNAS1:$        snmp-trap-port-set 162
    HNAS1:$        snmp-trap-port-show 
                   SNMP trap port:  162 
    

    All notifications are sent using SNMPv1 traps regardless of the configured SNMP protocol version.

  5. When configured to use SNMPv3, the community names configured via the snmp-communities command and the hosts list configured via the snmp-hosts command do not restrict SNMPv3 access to the server.
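
An added example, not code from the original page or from Hitachi: how an authentication password and a privacy password, such as those entered in snmpv3-user-add, become an HMAC-SHA-96 key and an AES-128 key under the standard SNMPv3 User-based Security Model (RFC 3414 and RFC 3826). That the HNAS agent follows these RFCs exactly is an assumption, as are the function names; the passwords and engine IDs are constructed sample values.

```python
import hashlib
import hmac

def password_to_key(password: bytes) -> bytes:
    """RFC 3414 A.2.2: SHA-1 over the password repeated to exactly 1 MiB."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rest = divmod(1024 * 1024, len(password))
    return hashlib.sha1(password * reps + password[:rest]).digest()

def localize(ku: bytes, engine_id: bytes) -> bytes:
    """Bind the user key Ku to one agent: Kul = SHA-1(Ku || engineID || Ku)."""
    return hashlib.sha1(ku + engine_id + ku).digest()

def usm_keys(auth_password: bytes, priv_password: bytes, engine_id: bytes):
    """Return (authentication key, AES-128 privacy key) for one agent."""
    auth_key = localize(password_to_key(auth_password), engine_id)
    # RFC 3826: the AES-128 key is the first 16 octets of the localized key.
    priv_key = localize(password_to_key(priv_password), engine_id)[:16]
    return auth_key, priv_key

def hmac_sha_96(auth_key: bytes, message: bytes) -> bytes:
    """HMAC-SHA-96: HMAC-SHA-1 truncated to its first 12 octets (96 bits).

    On the wire the MAC covers the whole message with the authentication
    parameters field zero-filled; here `message` is any byte string.
    """
    return hmac.new(auth_key, message, hashlib.sha1).digest()[:12]

# Constructed engine IDs for two different agents (not real HNAS values).
ENGINE_A = bytes.fromhex("000000000000000000000002")
ENGINE_B = bytes.fromhex("000000000000000000000003")

if __name__ == "__main__":
    for name, engine in (("A", ENGINE_A), ("B", ENGINE_B)):
        auth_key, priv_key = usm_keys(b"auth-pass-constructed",
                                      b"priv-pass-constructed", engine)
        tag = hmac_sha_96(auth_key, b"constructed message bytes")
        print(name, auth_key.hex(), priv_key.hex(), tag.hex())
```

Both keys are derived only from the password and the engine ID, so each key is exactly as strong as its password. Localization means the same password yields unrelated keys on different agents.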