HP Adaptive Infrastructure Solution Security for BladeSystem Matrix
connect c-Class blade. In this case NPIV is used to give the virtual machine access to data on a
storage array through the shared enclosure uplink. In addition, this approach allows a storage
administrator to monitor and route storage access on a per virtual machine basis.
A further use of NPIV is possible with BladeSystem Matrix. A storage administrator can pre-define a
set of data LUNs within the SAN. Each data LUN is presented to one or more initiator WWNs. The
initiator WWNs represent a server key that is pre-zoned and pre-presented within the SAN. The
server administrator is then granted access to this set of “keys” (and only this set). The pre-presented
LUNs serve as a storage pool from which the server administrator operates without further storage
administrator interaction. When provisioning a LogicalServer, the server administrator chooses one or
more of the pre-presented LUNs from the storage pool and requests that BladeSystem Matrix give the
server access to the LUNs. BladeSystem Matrix will examine the initiator WWNs that have been pre-
assigned to the LUNs and, in turn, assign these WWNs to the target server. This action results in the
server gaining access to the LUNs within the SAN. Access is constrained by the content of the storage
pool (which the storage administrator ultimately controls). The server provisioning activity involves no
modification of the SAN and, perhaps more importantly, does not require access to any of the SAN
fabric management interfaces. The server administrator gains a greater degree of logical server
provisioning flexibility while the separation of roles and management processes between the server
and storage administrator's domains is still carefully maintained.
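As an added illustration that is not part of the HP document, the Python below models the pre-presented storage pool and the provisioning step described above. Class names, LUN identifiers and WWNs are constructed; the point shown is that the server administrator's request can only draw on keys the storage administrator placed in the pool, and that the provisioning path has no handle to the SAN fabric at all.

```python
import re
from dataclasses import dataclass, field

# Fibre Channel WWN as 8 bytes in colon-separated hex (constructed format check).
_WWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")


class StoragePool:
    """Owned by the storage administrator: maps each pre-presented LUN to the
    initiator WWNs ("keys") it is pre-zoned and pre-presented to in the SAN."""

    def __init__(self):
        self._entries = {}

    def present(self, lun_id, initiator_wwns):
        wwns = frozenset(w.lower() for w in initiator_wwns)
        bad = [w for w in wwns if not _WWN_RE.match(w)]
        if bad:
            raise ValueError(f"malformed initiator WWN(s): {bad}")
        self._entries[lun_id] = wwns

    def keys_for(self, lun_id):
        return self._entries.get(lun_id)


@dataclass
class LogicalServer:
    name: str
    wwns: set = field(default_factory=set)
    luns: set = field(default_factory=set)


def provision(server, requested_luns, pool):
    """Server-administrator action. Only LUNs already in the pool can be
    attached; the WWNs come from the pool, not from the requester, and no
    fabric or array interface is touched (the function has no handle to one).
    All-or-nothing: the server is unchanged if any requested LUN is refused."""
    granted = {}
    for lun_id in requested_luns:
        wwns = pool.keys_for(lun_id)
        if wwns is None:
            raise PermissionError(f"{lun_id} is not in the storage pool")
        granted[lun_id] = wwns
    for lun_id, wwns in granted.items():
        server.luns.add(lun_id)
        server.wwns |= wwns
    return server
```

A request naming a LUN outside the pool is refused before any WWN is assigned, so a partially provisioned server never results.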
Disk Array Storage
The BladeSystem Matrix solution is designed to work with shared storage, utilizing Fibre Channel to
connect the storage fabric components. The HP Enterprise Virtual Array (EVA) provides the virtualized
storage environment for the BladeSystem Matrix solution. The CommandView EVA software, which
runs on a Windows operating system, is used to configure and proactively manage EVAs across
distributed SANs. CommandView also supports the SMI-S (Storage Management Initiative
Specification) standard of web-based APIs for interacting with and managing the EVAs.
The CommandView EVA software can be transparently accessed through single sign on from the
HP SIM CMS. The user accessing CommandView through the CMS will be given administrator
(read/write) rights in CommandView. For additional security, Windows allows you to restrict which
hosts can reach a specific port on the CMS. This IP address filtering keeps unauthorized hosts from
attempting to guess the CommandView username/password. The EVA can be configured with an optional
password. The same password must be entered into CommandView EVA. This prevents someone from
installing CommandView EVA on a rogue server and gaining access to the array configuration.
In many environments, co-locating CommandView with HP SIM on a Windows CMS can reduce
your security effort, because only a single machine then needs to be secured.
The CommandView EVA software integrates with Windows Active Directory for centralized
authentication. Two levels of access control are provided through administrator (read/write) and user
(read only) defined roles.
The EVA utilizes Selective Storage Presentation (SSP) to protect specific volumes (LUNs) against
unauthorized storage access. This LUN-level security is transparent to the servers, operating systems
and applications, so no host cycles are spent continuously enforcing authorization.
The EVA does not provide onboard encryption; however, encryption solutions are available to meet
your requirements. You must determine at what point the encryption should be performed. For
instance, if the intent is to protect the data residing on the EVA, the encryption can be performed by a
dedicated third-party encryption appliance placed just in front of the EVA. If the intent is also to protect the
data as it traverses the network, then the encryption can be performed on the host platform (for
example, using a virtual appliance) before being sent over the network. It is important to consider
which data must be encrypted and the potential performance impacts.