Hitachi NAS Platform 13.9.6815.02 Release Notes

About this document

This document (RN-92HNAS049-00, April 2021) provides late-breaking information about NAS Platform 13.9. It includes information that was not available at the time the technical documentation for this product was published, as well as a list of known problems and solutions.

Intended audience

This document is intended for customers and Hitachi Vantara partners who license and use NAS Platform.

Accessing product documentation

Product user documentation is available on the Hitachi Vantara Support Website: https://knowledge.hitachivantara.com/Documents. Check this site for the most current documentation, including important updates that may have been made after the release of the product.

Accessing product downloads

Product software, drivers, and firmware downloads are available on the Hitachi Vantara Support Website: https://support.hitachivantara.com/.

Log in and select Product Downloads to access the most current downloads, including important updates that may have been made after the release of the product.


About this release

This release is a minor release that adds features and resolves multiple known problems.

The specific build is server update (SU) 13.9.6815.02, and system management unit (SMU) 13.9.6815.02.

NAS operating system, which includes server update 13.9.6815.02 and SMU 13.9.6815.02, supports the following models:

·         Hitachi NAS Platform 5200, 5300

·         Hitachi NAS Platform 4040, 4060, 4080, 4100

·         Hitachi NAS Platform 3080 G1, 3080 G2, 3090 G1 and 3090 G2.

The topics in this document could also be relevant to VSP F/G Series (running SVOS 7.4.0), and VSP N Series (running SVOS 7.4.1), by taking note of the NAS module version.

Note: When upgrading to 13.9, it is advisable to refer to the corresponding release notes of each intervening version to be aware of any new features, special notes and considerations.

Document history

Revision | Description
92HNAS047-00 | Initial release of SU version 13.9.6420.10 (HNAS 5x00 only)
92HNAS047-01 | Release of SU version 13.9.6420.13 (HNAS 5x00 only)
92HNAS048-00 | Release of SU version 13.9.6628.07
92HNAS049-00 | Release of SU version 13.9.6815.02

New features

This section describes the key features in version 13.9, and other recently released features. Please refer to the NAS user guides for details on using these features.

For features introduced after the initial 13.9 release, which may not be covered in the published guides, documentation amendments can be found on the Additional Notes page. This page is linked to from the main NAS Platform documentation page (https://knowledge.hitachivantara.com/Documents/Storage/NAS_Platform).

TLS/SSL certificate changed

First available in 13.8.6320.10

The default self-signed TLS/SSL certificate has been enhanced to support https://support.apple.com/en-us/HT210176. To force the certificate to be recreated for Bali’s SOAP and REST servers and the embedded SMU, use the following command as supervisor at the Bali prompt:

tls-certificate-create-custom --confirm

For the external SMU, use the following command as root at the Linux prompt on the SMU:

cert-gencustom.sh

Hitting Enter to accept all the defaults will work, except at the two confirmation prompts.  Do not be tempted to increase the "Number of days the certificate should be considered valid" beyond the limit in https://support.apple.com/en-us/HT210176.
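
A post-regeneration check, as an added example that is not part of the original release notes or of Hitachi's tooling: it audits a certificate against the validity limit mentioned above and goes beyond it to the other requirements in the same Apple article (825 days or fewer, RSA keys of at least 2048 bits, SHA-2 signature, subjectAltName, serverAuth extended key usage). It assumes the standard openssl CLI and GNU date; the certificate file is supplied by the caller and the sample data is constructed.

```sh
#!/bin/sh
# Added example (not Hitachi tooling): audit a certificate against the
# requirements in Apple HT210176. Assumes the openssl CLI and GNU date.

MAX_DAYS=825        # HT210176: validity period of 825 days or fewer
MIN_RSA_BITS=2048   # HT210176: RSA keys of at least 2048 bits

# Constructed samples in the layout printed by `openssl x509 -noout -text`
# (only the lines the audit reads). The host name is a placeholder.
GOOD_SAMPLE='        Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:smu.example.test'
WEAK_SAMPLE='        Signature Algorithm: sha1WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (1024 bit)'

# validity_days NOT_BEFORE NOT_AFTER -> whole days between two timestamps in
# the form openssl prints, e.g. "Apr  1 12:00:00 2021 GMT".
validity_days() {
    vd_start=$(date -u -d "$1" +%s) || return 2
    vd_end=$(date -u -d "$2" +%s) || return 2
    echo $(( (vd_end - vd_start) / 86400 ))
}

# audit_text TEXT NOT_BEFORE NOT_AFTER
# Prints one FAIL line per unmet requirement; the return status is the number
# of failures, so 0 means the certificate meets every check.
audit_text() {
    at_text=$1
    at_fails=0
    at_days=$(validity_days "$2" "$3") || { echo "FAIL: unparseable dates"; return 1; }
    if [ "$at_days" -gt "$MAX_DAYS" ]; then
        echo "FAIL: validity is $at_days days (limit $MAX_DAYS)"
        at_fails=$((at_fails + 1))
    fi
    # The first "Signature Algorithm" line is the certificate's own signature.
    if ! printf '%s\n' "$at_text" | grep -m1 'Signature Algorithm:' |
            grep -Eqi 'sha(224|256|384|512)'; then
        echo "FAIL: signature does not use a SHA-2 hash"
        at_fails=$((at_fails + 1))
    fi
    # The key-size rule applies to RSA keys only.
    if printf '%s\n' "$at_text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        at_bits=$(printf '%s\n' "$at_text" |
            sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        if [ -z "$at_bits" ] || [ "$at_bits" -lt "$MIN_RSA_BITS" ]; then
            echo "FAIL: RSA key is ${at_bits:-unknown} bits (minimum $MIN_RSA_BITS)"
            at_fails=$((at_fails + 1))
        fi
    fi
    # The server name must be carried in subjectAltName, not only in the CN.
    if ! printf '%s\n' "$at_text" | grep -q 'X509v3 Subject Alternative Name'; then
        echo "FAIL: no subjectAltName extension"
        at_fails=$((at_fails + 1))
    fi
    # id-kp-serverAuth is printed by openssl as "TLS Web Server Authentication".
    if ! printf '%s\n' "$at_text" | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL: extended key usage lacks serverAuth"
        at_fails=$((at_fails + 1))
    fi
    return "$at_fails"
}

# check_cert FILE: run the audit on a PEM certificate file.
check_cert() {
    cc_text=$(openssl x509 -in "$1" -noout -text) || return 2
    cc_nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    cc_na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    audit_text "$cc_text" "$cc_nb" "$cc_na" && echo "OK: $1 meets the checks"
}

# With a file argument, audit it; otherwise demonstrate on the weak sample
# with a constructed ten-year validity period.
if [ $# -gt 0 ]; then
    check_cert "$1"
else
    audit_text "$WEAK_SAMPLE" "Jan  1 00:00:00 2021 GMT" "Jan  1 00:00:00 2031 GMT" ||
        echo "weak sample: $? check(s) failed"
fi
```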

Secure RPC for NetLogon connections

First available in 13.8.6320.10

Secure RPC for NetLogon has been introduced so that HNAS can interoperate with Microsoft's fix for CVE-2020-1472, "Netlogon Elevation of Privilege Vulnerability", which requires the use of secure RPC between domain members and DCs.

Please ensure the smb-max-supported-version is set to at least SMB2.

SMU hardening

First available in 13.9.6628.07

This release includes improvements related to hardening the SMU and SMU security.

No additional configuration is required in order to use the feature.

The feature is supported on both Internal and External SMUs.

Micro-pruning

First available in 13.9.6815.02

Micro-pruning is supported over SMB.

No additional configuration is required to use this feature. The feature allows existing files to be made sparse, i.e. to delete data and free space within them.

Operations to mark a file as sparse (FSCTL_SET_SPARSE), to prune a file (FSCTL_SET_ZERO_DATA) and to query allocated ranges of a file (FSCTL_QUERY_ALLOCATED_RANGES) are supported over SMB version 2 and above.

Native REST API

First available in 13.9.6815.02

A new native REST API mode has been introduced, and will be used for future API improvements and features, replacing the previous legacy REST API versions.

The maximum supported API version remains at version 7, and the new native API implements all the existing version 7 API calls. The native API introduces read-only access via API key and USER level management users, and some small detail changes, including bug fixes. The new rest-server-mode command allows switching between the legacy API and new native API.

More details can be found in the API document MK-92HNAS088-04.


Hitachi NAS add-ons

There are several add-ons available for use with Hitachi NAS, as noted here.

The downloads can all be found by following the "Accessing product downloads" section above and navigating to "Hardware Download", "NAS Platform", and then selecting "Add-ons".

The documentation can be found on the "Solutions and Best Practices" page, which is linked from the main NAS Platform documentation page (https://knowledge.hitachivantara.com/Documents/Storage/NAS_Platform).

HNAS CSI Driver for Kubernetes

Version 1.00 (August 2020) - works with NAS 13.3 or later

To use API Keys for authentication, HNAS software 13.7 or newer is required, otherwise a username/password combination must be used.

The Hitachi NAS Container Storage Interface (CSI) Driver is a software component that contains libraries, settings, and commands that you can use to create a container in order to run your stateful applications. It enables the stateful applications to persist and maintain data after the life cycle of the container has ended. The Hitachi NAS CSI Driver provides persistent volumes on Hitachi NAS server platforms (Hitachi NAS platform and NAS module).

As the driver relies on the ability for containers/pods to access HNAS NFS exports, it can only be used on Linux based systems.

HNAS docker volume plugin

Version 1.00 (December 2019) - works with NAS 13.2 or later

The NAS server platform (Hitachi NAS platform and NAS module) can be used to provide remote storage for container images running within Docker.

As the plugin relies on the ability for containers to mount HNAS NFS exports, it can only be used on Linux based systems.

The plugin is supported on Docker version 18 and newer, and currently only on stand-alone systems, rather than clusters/docker swarm.

ELK integration for HNAS

Version 1.00 (September 2019)

The NAS server platform (Hitachi NAS platform and NAS module) can be integrated with Elasticsearch. Alert and audit logs can be collected, and then analyzed using Kibana, which helps to visualize data.

Elasticsearch is commonly referred to as the ELK stack or Elastic stack, which refers to Elasticsearch and associated components, which lets you reliably and securely take data from any source, in any format, and search, analyze, and visualize it in real time.

Splunk add-on for HNAS

Version 1.00 (November 2018)

The NAS server platform (Hitachi NAS platform and NAS module) can be integrated with Splunk®. Splunk can be configured to collect alert log and audit log events, in addition to the ability to gather statistics about the NAS server system performance.


Special notes on current NAS releases

Configuring external migration targets

Not specific to this release, but reiterating the need for adequate backup planning.

Caution: Care should be taken when configuring systems with a single migration destination for both replication source and target (known as a triangular arrangement). Such arrangements should not be considered a valid solution in any disaster recovery (DR) or backup scenario, as there is only a single copy of the user data pointed to by XVLs at each end of the replication policy.

Deduplication support for Object Replication Targets

Deduplication is supported on Object Replication target file systems, from release 13.6.

Note: If, before 13.6.6016.05, a filesystem was created to support dedupe and it was later used as a replication target, there will be implications when upgrading to 13.6.6016.05 or later. In this case, deduplication of the replication target will start automatically without any additional action on the user's part.

In order to avoid this happening, deduplication should be disabled, per filesystem, before upgrading.

Group Augmentation changes

A change in 13.5.5527.02 changed the format of the output that create-group-table-from-active-directory.rb presented to any customized massage-commands-for-managed-servers script.

If a customized massage-commands-for-managed-servers script is used to check the output against a whitelist, then it's likely that groups will be incorrectly excluded, and their old definitions will continue to be used by HNAS indefinitely. In this instance it is best to transform the whitelist to suit the output after the upgrade.

HDRS versions

A change in 13.8 necessitates that any instances of HDRS in use should be upgraded to at least v4.1.

Please do not upgrade the SMU software to 13.9.6628 or later on the Unified VSP F/G/Nx00, or install a net new GEfN solution, until HDRS v4.2 or later is installed.

HNAS 5200/5300 clustering

There was a restriction for HNAS 5200/5300 in version 13.9.6420, to limit the cluster size to 2 nodes.

Version 13.9.6628.07 introduces support for 4 node clusters on HNAS 5200/5300.

Note: The use of clustering in a production environment is required for data availability.

Script output on HNAS 5200/5300

Due to a change in operating system behaviour on Debian 10 (Buster) based systems such as HNAS 5200/5300, the output that some scripts produce on invocation might not be displayed on the current console. The output can still be found by reviewing the syslog or using the journalctl command.


Notes on installing, upgrading, and downgrading

Notes on this release include:

·         NAS platform models 3080 G1 and G2 / 4040 / 4060 have cluster support for up to two nodes.

·         NAS platform models 3090 G1 and G2 / 4080 have cluster support for up to four nodes.

·         NAS platform model 4100 has cluster support for up to eight nodes.

·         NAS platform models 5200 / 5300 have cluster support for up to four nodes.

·         The NAS Manager for the SMU uses cookies and sessions to remember user selections on various pages. Therefore, you should open only one web browser window, or tab, to the SMU from any given workstation.

Performing a rolling upgrade from older versions of HNAS

If you are upgrading from earlier versions of HNAS, note that there are critical steps which must be followed in a precise sequence to correctly upgrade to version 13.9. Refer to the corresponding release notes of each earlier version for details on rolling upgrades. Additionally, consult with your Hitachi Vantara representative for assistance in upgrading from earlier versions of HNAS.

Note: For Rolling Upgrades, the latest version of any major code release will be able to roll to any version in the following major code release.  As an example, a Rolling Upgrade can be performed from the latest 12.x code release to any version in the 13.x major code release without any intermediate code steps.

Caution: If upgrading from versions earlier than version 13.3, an additional step to version 13.6.6016.05 must be performed first, before upgrading to version 13.7.6233.01 or later. This is no longer necessary when upgrading to version 13.9.6815.02 or later.

Please refer to FE-92HNAS050 if you are planning a hardware rolling upgrade from HNAS 30x0 / 4xx0 to HNAS 5200 / 5300.

Note: If you are using Hitachi Operations Center, the HNAS 5000 series cannot be on-boarded into Analyzer. This is not an HNAS product issue - HOC Analyzer will fully support the HNAS 5000 series in a future release. In the interim, please contact product support for any potential work around until HNAS 5000 series is fully supported in HOC Analyzer.

 

File-based replication between different HNAS software levels

The ability to replicate between systems is determined by the version of the software that is running on those systems. The model number of the server is not a factor for interoperability for replication purposes. If both the destination and target servers are running the same major software version (for example, 12.x), replication as ‘managed servers’ is fully supported. If the destination and target servers are running different major software versions (for example, 12.x to 13.x), one of the servers is configured as an ‘unmanaged’ server. Replication continues to be fully supported within the constraints of replication between managed and unmanaged servers.

Object-based replication between different HNAS software levels

Object replication was first introduced in HNAS software v8.0 and has been enhanced with each release. For example, version 10.1 was enhanced so that objects maintained their sparseness during incremental replication. Version 11.1 has the ability to preserve file clone states during replication. To ensure interoperability, feature flags are negotiated when object replication occurs between servers running at different version levels.

Object replication between servers is supported up to one major version away. For example, object replication between version 12.x and 13.x is supported.

Note: Object replication between servers that are more than one major release apart may work (for example, between version 11.x and v13.x) – but this is not supported.

Note: When set to transfer XVLs as links, both source and target systems involved in the replication relationship must be running HNAS release v13.4 or later.


Important considerations to read before installation

Please read the following sections before installing and using 13.9.

Special consideration should be taken when upgrading to the stated versions (or later) from an earlier version, or when planning a downgrade from the stated versions (or later) to an earlier version.

Changes in 13.0

·         Support for WFS-1 is now completely removed. Before upgrading the customer MUST migrate any WFS-1 filesystems to new WFS-2 filesystems, as WFS-1 filesystems cannot be mounted.

·         NAS Storage Pools (spans) are now limited to 32 filesystems.

·         12.7.4221.07 is the lowest version of code that the system can safely downgrade to.

Changes in 13.2

·         Support added for increasing the number of filesystems in a cluster. This must be considered when planning a downgrade to an earlier version, if more than the previous default of 128 filesystems exist.

·         Support for REST API v4 added, while still supporting v3.

·         13.2.4527.04 introduced a new command, krb5-nfs-principal-format. If the setting is changed to (the non-default value of) "only-primary", for any EVS, this must be considered when planning a downgrade to an earlier version.

Changes in 13.5

·         Support for REST API v7 added, while still supporting v4, and deprecating v3.

The number of filesystems per span limit

By default, the number of filesystems that can be created in any span is limited to 32.

If an existing span has more than 32 filesystems, the span and filesystems are fully supported after upgrading to 13.0 or later. However, it is not possible to create any additional filesystems on the span, until enough filesystems have been deleted to bring the total number below 32.

It is possible to increase this default value using the filesystem-create CLI command with the --exceed-safe-count option. This option must not be used when creating up to 32 filesystems. It must only be used when creating filesystems beyond the 32nd one.

Note: This option is only available on the CLI. The NAS Manager does not permit you to create more than 32 filesystems.

For further information, see the File Services Administration Guide.

NFSv3 access during upgrade to 13.2 or later

When a cluster namespace (CNS) is in use on an NFSv3 filesystem, a rolling upgrade to version 13.2 can cause longer transient delays for NFSv3 accesses than normal. Customers using ordinary filesystem exports or other protocols (including NFSv4) do not experience these additional delays.

Note: This issue only affects the upgrade from a pre-13.2 release to a 13.2-or-later release. Future upgrades will not experience any additional transient delays from this issue.

The technical issue

Normally, during a rolling upgrade, access to filesystems through NFSv3 and CNS is available while EVSs are migrated between cluster nodes so that each node can be upgraded in turn. Clients can connect to an EVS on a node running older software and access filesystems belonging to an EVS on a node running newer software (or the other way around) because the NAS server uses a stable message format when forwarding the requests.

Software version 13.2 supports an increased number of filesystems and in order to provide this feature, modifies the message formats used to support CNS in a way that is incompatible with earlier releases.

During this rolling upgrade, clients cannot access filesystems that are hosted on a node running a different version of software to the currently connected node. As soon as the EVSs are migrated onto nodes running the same version of software, the clients can regain access to those filesystems.

Workaround

For 2-node clusters (including NAS Modules), follow the usual upgrade procedure. After the first node has been upgraded, and while EVSs are being migrated between the nodes, there is a longer interruption to client access than usual. The interruption ends as soon as all EVSs are migrated to the upgraded node. When the second node has been upgraded, the only disruption is from normal EVS migrations.

For clusters with three or more nodes, there could be a longer period when EVSs are hosted on nodes running different software versions. For these cases, use manual migrations to move all EVSs to nodes running the same software version. This minimizes the period during which the clients cannot access all filesystems.

For details of the manual migration process, or for upgrade procedures, please contact Customer Support.


SMU, server, and cluster compatibility

These release notes highlight SMU release version 13.9.6815.02.

The version of SMU should always be equal to, or newer than, the version of the server / cluster being managed. In the rare situation where such an SMU build is not released, the closest available one should be used.

Since SMU 12.7, the following hypervisor images are supported for a virtual SMU:

·         Hyper-V : Virtual SMU OS 2.2

·         VMware : Virtual SMU OS OVA 2.1 or 2.2

Note: In addition to VMware player, the virtual SMU (vSMU) is also compatible with the free version of ESXi.

A single hardware SMU (SMU 400) can support up to 5 servers / clusters.

From SMU 12.7, a virtual SMU can support up to 10 servers / clusters. To manage more than 2 entities* from a virtual SMU, the VM’s resources must be increased. One (1) GB memory and one virtual CPU is required per entity. An entity is defined as a single node or a cluster of nodes.

 


Licensing

New license keys are typically firmware-version specific. Upon upgrading firmware to this release, all previous licenses present on the system will remain in force.

Licensing as it pertains to node replacements

Clustered Node Replacement: Once the NAS cluster has been built, the Cluster MAC-ID will not change regardless which node in the cluster needs to be replaced, so there will not be any reason to request new license keys when replacing a node in a cluster.

Single Node Replacement: In a situation where a single node must be replaced, the original license keys will not be valid on the new node. Please contact TBKeys to transfer the license keys to the replacement node and issue a new permanent license. You will need to supply TBKeys with the MAC-ID of the Original Node and the MAC-ID of the Replacement node.

To request upgrade keys

When ordering license keys for new, licensed features, note that:

·         New features with a sale price will be purchased by the customer per normal Hitachi Vantara channel policies and procedures.

·         Non-sale feature requests will be routed based on server branding until such time as the relicensing process has been fully integrated.

·         Hitachi Vantara Server Request Routing

o   The emailed request shall include the following information:

-        Customer Name

-        MAC-ID of the HNAS Unit (the MAC-ID format is XX-XX-XX-XX-XX-XX), the serial # is not needed or acceptable to issue new keys.

-        If you have not followed normal upgrade procedures, please indicate details of your current situation and indicate if a new full set of keys are required. Also, if your server is part of a cluster, please indicate if the MAC-ID is a "Primary" server of the cluster and how many units are in the cluster.

o   All permanent upgrade key requests will be handled by way of email sent to TBKeys@hitachivantara.com. Turnaround time on all requests is targeted within 24 hours. Standard working hours for this distribution list (dlist) are 8am to 5pm Pacific Standard Time. See below for emergency situations.

o   Should your need for upgrade keys be an emergency, please contact the Hitachi Vantara Support Centers, where Temporary Keys for these features can be provided.

o   An email to TBKeys@hitachivantara.com should also be sent to receive your permanent keys.


Fixes and enhancements in version 13.9.6815.02

Issue ID | Severity | Description
D131093 | B | Fixes an issue that occurred when an SMB2 session setup requested to re-establish a previous session that had since timed out.
D146111 | B | Fixed a stability issue that could occur when aborting certain Fibre Channel requests.
D146335 | B | Fix a situation in which an HNAS 5x00 cluster of 3 or more nodes could continue file-serving with no working NVRAM backup capability.
D146389 | B | Fixed a potential instability on HNAS 5000 under certain error conditions in Fibre Channel login management.
D146716 | B | CVE-2021-3156 (Baron Samedit) has been addressed for HM800 VSP-G/F models.
D147066 | B | Fixed a very rare issue, which was triggered in the unlikely event of a DIMM failure.
D147380 | B | Fixed an issue that internally allowed two posted PCIe requests to be issued at the same time on the same tag number.
D147433 | B | Concurrent reverse migration and (initiation of) auto-recall of the same external file could result in truncation of the recalled file on HNAS. This has been fixed, in that either the migration is successful and the truncation does not happen, or the migration is aborted and a good link to the external file is preserved.
D139761 | C | Address a locking fairness issue with Fibre Channel connections.
D143460 | C | Prevent a potential instability when reading from an object replication target file system, perhaps for an NDMP backup, whilst replication completes.
D144644 | C | Fixed an issue that could arise when dedupe jobs are automatically triggered on replication target file systems at the same time that snapshots are being deleted.
D144813 | C | Fix an issue with registry file handling.
D145094 | C | When upgrading a cluster from HNAS 3xxx/4xxx to HNAS 5x00, the user is warned that management user passwords will need to be re-entered. That is because of the more secure password hashing method used in the newer models.
D145319 | C | The text field at the end of the URL of the SMU's management statistics page is now validated to remove an opportunity for cross-site scripting (XSS).
D145516 | C | Fixed an issue that could cause an instability following Fibre Channel link failure on HNAS 5000.
D145615 | C | Generate a severe event if unsupported storage is detected
D145703 | C | Fixed an issue that was caused by a disruption to Fibre Channel connectivity.
D145880 | C | Fixed an issue with storage discovery when replacing directly connected storage on HNAS 5000.
D146046 | C | Fixed a problem that could, rarely, prevent a Fibre Channel link coming up properly on HNAS 5000.
D146131 | C | Fixed an issue that internally allowed two posted PCIe requests to be issued at the same time on the same tag number.
D146266 | C | Azure accounts without geo-redundancy are supported again.
D146381 | C | Fixed an issue with SMU hardening such that HDRS is able to work again.
D146413 | C | Fixed an issue caused by an unusual combination of Fibre Channel errors.
D146500 | C | Fixed stability issues resulting from interactions between internal state machines TX_MUX and TCP_TUI, when very busy receiving network packets.
D146646 | C | Fixed a failure to upgrade HNAS 3xxx/4xxx from certain older releases.
D146745 | C | Fixed a potential stability issue when the scsi-clean command deleted a stale storage rack.
D146922 | C | The default fsi-cache-bound thresholds have been doubled for extra safety.
D147011 | C | Fixed a rare stability issue that occurred when dedupe logs the last occurrence of the same chunk error code that occurs in consecutive chunks.
D147034 | C | The tightening of external SMU file security in 13.9.6600 has been loosened in a few choice locations to accommodate Hitachi Ops Center (HOC) Analyzer.
D147035 | C | Mitigated a potential resource limitation in SCSI background polling on HNAS 3000/4000 systems with large numbers of system drives.
D147122 | C | Fixed a problem that could potentially cause a file system to be unmounted prematurely in the event of I/O errors.
D147317 | C | mercury-reinstall-main-partitions' help and warning output corrected.
D61202 | D | More detailed memory usage statistics are now tracked in the diagnostics' loggedstatistics.csv.
D64839 | D | Provides support for SMB2 query_info requests on named pipes.
D143018 | D | Added protection for the SMU from brute force attacks. Now if you get your password wrong 5 times you will be locked out of the SMU for 5 minutes.
D143019 | D | The bulk of the work for securing the postgres database was done here but it remains disabled at this time.
D143022 | D | A password can now be supplied when creating a backup from the SMU GUI or CLI script. This backup can be used to restore the SMU to a previous version from both the backup saved in the SMU and the file downloaded by entering the password used to create the backup. The password is optional and any backups created by the SMU itself are not password protected.
D143023 | D | Database backup files from old SMU upgrades are now deleted automatically.
D143618 | D | Shortcomings with the commands controlling TLS v1.3 and its cipher-suites have been addressed.
D146328 | D | A read-only user is no longer restricted to interacting with the first page of object replication policies and schedules.
D146420 | D | Bali REST API read-only access via API key.
D146421 | D | The existing CLI commands for controlling the Bali REST API now allow switching between the native and legacy APIs.
D146505 | D | An issue involving a race condition due to an illusory transient heap shortage, has been fixed.
D146667 | D | Three months' worth of Debian patches for security issues reported by the Nessus scanner for the HNAS 5000 series have been applied.
D146699 | D | Downgrade the warning assert SI/H1_PCIEX_HFOPRX:1/pciex_interface_paused that may appear in the log when the system is under high load. This is purely for VLSI debug, and thus an info assert is sufficient.
D146700 | D | A method of configuring sshd's AllowUsers setting that is persistent across external SMU upgrades is available on request.
D146701 | D | The external SMU's postfix configuration has been changed such that it will only relay email from any private network.
D146939 | D | An issue in stat reporting has been fixed.
D147193 | D | Made the fc-link-reset CLI command available on HNAS 5000.
D147214 | D | Fixed an issue, such that 'pir --to-ssc' will now keep the invoking ssh session active with a progress report every minute.
D147235 | D | Ensure an HNAS 5x00 GAD Enhanced for NAS (GEfN) cluster cannot be created unless it is licensed.
D147379 | D | Fixes applied for: openssl (CVE-2021-3449, CVE-2021-3450); grub (CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-20225, CVE-2021-20233); libtiff5 (CVE-2020-35523, CVE-2020-35524)
D147562 | D | nas-connection-open-file-monitor.rb and nas-connection-request-monitor.rb are once again executable by the manager user on the SMU.
D147610 | D | The https://knowledge.hitachivantara.com...tation_Scripts now work again as "manager".
D145075 | E | The libxml2 and procmail packages on VSP-G/F have been patched to address security issues DLA-1060-1 and DLA-1173-1.
D145836 | E | Fixed an issue that was preventing delivery of total Fibre Channel error statistics to the SMU and other SOAP/REST clients.
D145847 | E | The "PAPI route configuration error" event (ID 1529) is no longer raised for transient errors. It is raised if the routing error persists.
D145930 | E | Remove the new-battery-fitted command that isn't supported on CapeHorn.
D146775 | E | Files created by the root user, notably including updated versions of the SMU code, are now secured as intended with the newly (13.9.6600) tightened default umask.
D147177 | E | The tls-cipher-suite-enable command no longer produces the spurious error message "No cipher suites enabled allow for GOST key exchange, certificates using this will not work".

Fixes and enhancements in version 13.9.6628.07

Issue ID | Severity | Description
D139394 | B | Fixed an issue which could cause a dedupe job to become blocked, or cause issues with file system unmount, EVS migration, and spamming of the event log.
D146630 | B | CVE-2021-3156 (Baron Samedit) has been addressed for HNAS 5200/5300 and VSP-N.
D146643 | B | CVE-2021-3156 (Baron Samedit) has been addressed for external SMUs.
D112456 | C | Fixed a rare instability issue by improving the handling of internal data flow.
D136193 | C | Fixed a vulnerability when processing lockd/NLM traffic, generally seen while a file system is in the process of becoming unavailable.
D141925 | C | The hardware-based TCP/IP stack now conforms to RFC6528
D142924 | C | Diagnostics for a particular type of metadata issue afflicting dedupe have been improved.
D144093 | C | Fixed an issue in ViVol space-tracking whereby use of dedupe could cause incorrect reporting.
D144180 | C | Improve diagnostics by retaining boot-time systemd journal content.
D144669 | C | An unlikely denial of authentication service to Active Directory users of the SMU CLI has been addressed.
D145230 | C | Embedded SMU install has been improved.
D145287 | C | Fixed a bug in the space-tracking code which could cause incorrect reporting. The fix does not correct reporting which has already gone awry - that requires administrator action.
D145594 | C | Sequential HSR dedupe writes are now aggregated to reduce stress on nbd (network block device).
D145596 | C | A disabled EVS can no longer be configured with a loopback address.
D145784 | C | CVE-2020-25709 and CVE-2020-25710 have been addressed on the HNAS 5000 series.
D145932 | C | Fixed a possible stability issue caused by Fibre Channel link trauma.
D140970 | D | The external SMU now uses CentOS's password strength checks.
D143214 | D | checkfs has been enhanced to be more responsive to the checkfs --abort command for dedupe-supported file systems.
D143257 | D | Improve diagnostics by collecting systemd journal content.
D143668 | D | Changed the way the SMU maps Active Directory user/group SIDs to UID/GIDs for CLI access in order to allow access for users from different sub-domains in an Active Directory forest.
D144205 | D | Tomcat version on the SMU upgraded from 8.5.16 to 8.5.58.
D144255 | D | SSH access for Active Directory users is now supported when Global Catalog is configured with Entire Directory search base.
D144388 | D | Fixed an issue that caused a slow login to SMU CLI for Active Directory users.
D144493 | D | Fixed an issue that caused a slow login to SMU CLI for Active Directory users.
D144510 | D | CLI access for Active Directory users is now supported for Global Catalog configuration. Access via primary group is not supported.
D144525 | D | Access to the SMU GUI can now be granted to Active Directory users using primary groups, both directly and indirectly. In most cases, primary groups are still not supported for SSH access.
D144540 | D | When configuring the SMU for Active Directory authentication, all valid punctuation is now supported in the user and group base DN (distinguished name) fields.
D144935 | D | In order to improve login performance for Active Directory users, files created by regular SMU CLI users like "manager" will not, by default, have group write permission.
D145111 | D | The erroneous quota-update event raised by DoFSDFailure has been fixed.
D145523 | D | TLS certificates with an externally generated private key, like wildcard certificates, can now be imported by the HNAS CLI.
D145699 | D | The performance-sapping warning "FSA/T2_FSA_MAP/dwb_failed_to_provide_tier0_read_ahead_cursor" no longer happens spuriously. If an avoidance has previously been applied, then "unset fsa-dont-fix-d138154" before upgrading to a fixed version to avoid a needless performance impact.
D145724 | D | The SMU no longer routinely gives away version information about its web server to a potential attacker.

D145747

D

The SMU's protection against being attacked by an authenticated user's browser has been increased.

D145775

D

Old ssh clients, in particular the one on HNAS 3000/4000 series servers, can no longer ssh to an external SMU in its default configuration, due to the retirement of hmac-sha1 through security concerns.

D145926

D

When logging in to the external SMU, whether through the GUI or the CLI, a user is now presented with a default banner.

D145994

D

The use of certain file system types are no longer allowed on the SMU.

D145999

D

SMU passwords can now only be changed once per week (to prevent subversion of security policy by cycling through passwords quickly).

D146016

D

Security has been tightened on the cron configuration on the external SMU, such that only root can access it.

D146102

D

Enabled the HNAS 5200 and HNAS 5300 models to form clusters of up to 4 nodes, if licensed to do so.

D146352

D

Security has been tightened on certain kernel parameters on the external SMU, including, for example, IPv4 network configuration.

D143084

E

Active Directory users who are granted access to the SMU via a group whose name contains the '@' symbol, can now log in via SSH.

D145060

E

Nessus is now happier with the external SMU.

D145308

E

Corrected file extensions of the HBA debug dump files from ".txt" to ".bin" in diagnostic bundles.

D145519

E

HTTP Strict Transport Security (HSTS) is now implemented in the SOAP server on port 8443.

D145520

E

TLSv1.0 is disabled for the SOAP server on port 8443 for new installs. To take advantage of the new, recommended defaults, use tls-version-set --default --confirm after upgrading.

D145521

E

SMU HTTPS protocol TLSv1.0 is now disabled by default. This means that if previously TLSv1.0 was enabled it is now disabled. If TLSv1.0 was the only protocol enabled run the script smu-reset-tls-options to restore the default and resume SMU GUI access.

D145562

E

TLSv1.0 is unconditionally disabled for the REST server on port 8444.

D145618

E

Files created on the external SMU are now created with the permissions set so that users not in the same group can't read the file.

D145746

E

Security has been tightened on certain system files on the external SMU, like the password database, so that only root can access it.

D145781

E

Setting a package as the default for a second time on a model 5000 server is now possible.

D145909

E

Fixed an issue in 'ls -v' reporting.

D146109

E

The etc-bashrc-tmout setting now logs out users of the SMU CLI after 10 minutes of inactivity.

D146120

E

Correct the reporting of the server's serial number on HNAS 5000 series servers.

Fixes and enhancements in version 13.9.6420.13

| Issue ID | Severity | Description |
|---|---|---|
| D145923 | B | ECC is now enabled for the NV memory in HNAS 5000 series servers in all code paths. |
| D145818 | C | Enable the Power-On Self-Test (POST) on HNAS 5000 series servers. |

Fixes and enhancements in version 13.9.6420.10

| Issue ID | Severity | Description |
|---|---|---|
| D144544 | B | Update for CVE-2020-1472 "Netlogon Elevation of Privilege Vulnerability". Add support for secure RPC for NetLogon connections. |
| D142004 | C | Updated the Debian operating system NTP service to resolve these vulnerabilities: CVE-2016-7431, CVE-2016-7433. |
| D142488 | C | When restoring registry from an HNAS 3000/4000 series server onto an HNAS 5000 series server, incompatible management users are discarded and existing management users are preserved. |
| D143807 | C | Protection against stalled requests between the SMU and Bali components of HNAS has been restored. |
| D144183 | C | An issue causing slowness and timeouts in the SMU's NAS Manager, particularly on virtual SMUs with just 2 GiB of RAM, has been corrected. |
| D144188 | C | Fixed an incorrect source IP address in the Linux routing after migration of the Admin EVS. |
| D144511 | C | Fixed a warning event "PAPI housekeeping failed in MgmntUser" following installation. |
| D144530 | C | Fixed a failure to bring up a management network link in rare circumstances. |
| D144607 | C | The telnet server, already disabled by default, has been removed. |
| D145009 | C | Updated the Debian operating system GRUB packages to resolve security bug CVE-2020-10713. |
| D145684 | C | An extra warning assert added to the PCIe interface is being triggered erroneously by a bug in the Intel PCIe IP. The assert has been downgraded to a no_event warning, so it is no longer logged in the event log. |
| D141165 | D | Corrected a potential Fibre Channel protocol violation when aborting non-FPGA-accelerated exchanges. |
| D143226 | D | Added support for new storage platforms VSP E790 and VSP E590. |
| D143252 | D | CVE-2020-1967 has been addressed. |
| D143597 | D | The OpenSSL libraries linked into Bali and Bart were upgraded to version 1.1.1g. |
| D143649 | D | The SMU GUI may now allow login for Active Directory users that failed earlier with a referral error, by retrying using the next AD server. |
| D143755 | D | Some security vulnerabilities in the SMU's Linux distribution have been patched. (CESA-2020:2383) - CVE-2020-8616 - CVE-2020-8617; (CESA-2020:2430) - CVE-2017-12192 |
| D143913 | D | Fixed an issue to allow a user to log in to the SMU in a case where one of the Active Directory base DNs doesn't exist. |
| D143920 | D | Support added for the Finisar FTLX1475D3BCV optic. |
| D144561 | D | Upgrading the SMU to 13.9.6400 or higher is recommended before attempting to manage the new HNAS 5000 series. |
| D145066 | D | The default self-signed TLS/SSL certificate has been enhanced to support https://support.apple.com/en-us/HT210176. The certificate will need to be recreated. |
| D142175 | E | The ver command has been updated to ensure the server's WWN is reported. |
| D143521 | E | Fixed an issue that in rare cases could stop Data Migrator to cloud migrations prematurely. |
| D143956 | E | Changing the length of a file by more than 20 GiB once again records the IP address of the NFS or SMB client. |
| D143984 | E | Made improvements to fc-ports -v command, reporting the vendor name in more circumstances. |
| D144184 | E | Protection against stalled requests between the Cloud Gateway and Bali components of HNAS has been restored. |
| D144552 | E | On HNAS 5000 series servers, by default, the hostname is set to the server serial number. This will be reflected in the console prompt. |

 


New, modified, and deleted CLI commands

See the NAS man pages for details on the new commands.

New commands

The following commands have been added. See the NAS man pages for details on these commands.

·         nvdimm-status - This Supervisor level command shows the NVDIMM status.

·         nvi-load - This Supervisor level command shows information about the NVI FPGA load.

·         nvi-profile - This Supervisor level command profiles the nvic1 state machines.

·         nvi-stats-control - This Supervisor level command controls nvic1 statistics.

·         rest-server-mode - This Supervisor level command allows switching between the legacy Metro/Puma REST API and the new native REST API.

Modified commands

The following commands have been modified. See the NAS man pages for details on these commands.

·         apikey-update - A new option, --add-access, allows a specific access level to be associated with an API key. A new option, --remove-access, allows levels of access to be removed from an API key.

·         tls-certificate-import-signed - A new option, --with-private-key, was added that allows a CA-signed certificate with a trusted chain and a private key to be added to the HNAS server.

Deleted commands

None


Copyrights and licenses

© 2021 Hitachi, Ltd. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including copying and recording, or stored in a database or retrieval system for commercial purposes without the express written permission of Hitachi, Ltd., or Hitachi Vantara Corporation (collectively “Hitachi”). Licensee may make copies of the Materials provided that any such copy is: (i) created as an essential step in utilization of the Software as licensed and is used in no other manner; or (ii) used for archival purposes. Licensee may not make any other copies of the Materials. “Materials” mean text, data, photographs, graphics, audio, video and documents.

Hitachi reserves the right to make changes to this Material at any time without notice and assumes no responsibility for its use. The Materials contain the most current information available at the time of publication.

Some of the features described in the Materials might not be currently available. Refer to the most recent product announcement for information about feature and product availability, or contact Hitachi Vantara Corporation at https://support.hitachivantara.com/e...ontact-us.html.

Notice: Hitachi products and services can be ordered only under the terms and conditions of the applicable Hitachi agreements. The use of Hitachi products is governed by the terms of your agreements with Hitachi Vantara Corporation.

By using this software, you agree that you are responsible for:

1)    Acquiring the relevant consents as may be required under local privacy laws or otherwise from authorized employees and other individuals; and

2)    Verifying that your data continues to be held, retrieved, deleted, or otherwise processed in accordance with relevant laws.

Notice on Export Controls. The technical data and technology inherent in this Document may be subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Reader agrees to comply strictly with all such regulations and acknowledges that Reader has the responsibility to obtain licenses to export, re-export, or import the Document and any Compliant Products.

Hitachi and Lumada are trademarks or registered trademarks of Hitachi, Ltd., in the United States and other countries.

AIX, AS/400e, DB2, Domino, DS6000, DS8000, Enterprise Storage Server, eServer, FICON, FlashCopy, GDPS, HyperSwap, IBM, Lotus, MVS, OS/390, PowerHA, PowerPC, RS/6000, S/390, System z9, System z10, Tivoli, z/OS, z9, z10, z13, z14, z/VM, and z/VSE are registered trademarks or trademarks of International Business Machines Corporation.

Active Directory, ActiveX, Bing, Excel, Hyper-V, Internet Explorer, the Internet Explorer logo, Microsoft, the Microsoft Corporate Logo, MS-DOS, Outlook, PowerPoint, SharePoint, Silverlight, SmartScreen, SQL Server, Visual Basic, Visual C++, Visual Studio, Windows, the Windows logo, Windows Azure, Windows PowerShell, Windows Server, the Windows start button, and Windows Vista are registered trademarks or trademarks of Microsoft Corporation. Microsoft product screen shots are reprinted with permission from Microsoft Corporation.

All other trademarks, service marks, and company names in this document or website are properties of their respective owners.

Copyright and license information for third-party and open source software used in Hitachi Vantara products can be found at https://www.hitachivantara.com/en-us...any/legal.html.   

 
