Managed Host Security
Hitachi Storage Viewer Data Collector requires read-only access to execute non-intrusive commands on hosts. These commands are described in the following sections, for both Windows Servers and Linux environments. It is strongly recommended that a separate login account used strictly for Hitachi Storage Viewer be established and using Active Directory for Windows systems and the sudo command for Linux systems, restrict the commands that Hitachi Storage Viewer can issue. This best practice approach has proven successful in the deployment of Hitachi Storage Viewer at a very large, secure U.S. government agency with extremely stringent security requirements.
Microsoft Windows
Communication: The Hitachi Storage Viewer Data Collector communicates with Windows hosts through the native Windows Management Instrumentation service (WMI). WMI uses the Distributed Component Object Model (DCOM) to communicate and DCOM dynamically allocates the port numbers for clients. DCOM’s service typically runs on port 135 and any client communicating with a host connects on this port. Then, the DCOM service allocates the specific port for the WMI service. More information on DCOM and WMI can be found here: http://msdn.microsoft.com/en-us/library/aa389290(VS.85).aspx. In addition, any hosts that have a Host Bus Adapter (HBA) need to have either HBA management software or fcinfo installed. See http://www.microsoft.com/downloads/details.aspx?FamilyID=73d7b879-55b2-4629-8734-b0698096d3b1&displaylang=en
Authentication: WMI uses NTLM authentication. Due to security restrictions imposed by Microsoft on the Plug and Play manager, the Hitachi Storage Viewer Data Collector requires an account in the local administrator’s group and uses Active Directory to restrict command execution.
LINUX
Communication: The Hitachi Storage Viewer Data Collector communicates with Linux hosts via SSH and SSH2. If SSH is unavailable, the Data Collector will attempt to connect using telnet. By default, SSH uses TCP port 22 and Telnet uses TCP port 23.
Authentication: To access the volume managers and HBA APIs, the Data Collector needs to run privileged commands. If a root user is unavailable, the Hitachi Storage Viewer Data Collector can use pbrun, sudo, or similar technologies to temporarily elevate privileges.