How to configure SAN storage under Solaris

Oracle Solaris 10 and Oracle Solaris 11 ship with a Fibre Channel initiator subsystem that can be configured so that Fibre Channel (FC) LUNs provided by a Sun ZFS Storage Appliance are integrated into the Oracle Solaris environment. This article describes how to configure the Oracle Solaris Fibre Channel subsystem and how to configure the Sun ZFS Storage Appliance to present FC LUNs for access by Oracle Solaris servers. The appliance side of the configuration is done through its browser user interface (BUI).

This article makes the following assumptions:

The root account password for the Sun ZFS Storage Appliance is known.

The IP address or hostname of the Sun ZFS Storage Appliance is known.

The network used by the Sun ZFS storage appliance has been configured.

The Sun ZFS Storage Appliance is configured with a storage resource pool with sufficient free space available.

The root account password for the Oracle Solaris server is known.

The Sun ZFS storage appliance is connected to the Fiber Channel switch.

Zones have been configured on the FC switches to allow Oracle Solaris hosts to access the Sun ZFS Storage Appliance.

Configuring Oracle Solaris FC Systems

For the Sun ZFS Storage Appliance and the Oracle Solaris server to identify each other, the FC World Wide Name (WWN) of each device must be registered with the other device. You must also determine the WWNs in order to implement some form of FC zoning on the FC switch.

The host's FC WWN is used to identify the host to the Sun ZFS Storage Appliance and is required to complete the configuration procedures in this article.

WWNs come from FC host bus adapters (HBAs) installed in Oracle Solaris hosts and Sun ZFS Storage Appliances.

In order to configure the Oracle Solaris FC subsystem, you need to know the WWNs of the Sun ZFS Storage Appliance. In a traditional dual-fabric storage area network (SAN), the Sun ZFS Storage Appliance has at least one FC port connected to each fabric, so you must identify at least two FC WWNs.

Identifying the Sun ZFS Storage Appliance FC WWN

First, you need to establish a management session to the Sun ZFS Storage Appliance.

Enter the URL below, containing the IP address or hostname of the Sun ZFS Storage Appliance, into the address bar of your web browser:

https://<ip-address or hostname>:215

The login dialog box will be displayed.

Enter your username and password, then click LOGIN.

After successfully logging into the BUI, you can identify the WWN through the Configuration tab.

Click Configuration > SAN > Fibre Channel Ports.

The FC ports installed in the Sun ZFS Storage Appliance are displayed. Because only one port is discovered on each HBA channel, that port must be the HBA channel's own port.

In this example, port 1 has WWN 21:00:00:e0:8b:92:a1:cf and port 2 has WWN 21:01:00:e0:8b:b2:a1:cf.

In the list box to the right of each FC port box, the FC port should be set to Target. If it is not, the FC port may be in use for another purpose; do not change the setting until you have investigated the cause. (One possible cause is that the port is used for NDMP backup.)

Identifying the Oracle Solaris host HBA WWN

If the Oracle Solaris host is already connected to the FC switch with the appropriate cables, the host's WWNs can be identified with the following command:

root@solaris:~# cfgadm -al -o show_FCP_dev

root@solaris:~#

In this output, the controller numbers of interest are c8 and c9. The port type fc-fabric also shows that both ports are connected to an FC switch. Next, these controllers are queried to determine the discovered WWNs.

If the HBA port is not used to access any other FC-connected device, you can use the following command to determine the WWN.

root@solaris:~# prtconf -vp | grep port-wwn

port-wwn: 210000e0.8b89bf8e

port-wwn: 210100e0.8ba9bf8e

root@solaris:~#

If the HBA port is already accessing an FC device, the following command displays the FC HBA WWN:

root@solaris:~# luxadm -e dump_map /dev/cfg/c8

root@solaris:~#

The HBA itself appears as the last entry, with type 0x1f (Unknown Type, Host Bus Adapter); its WWN is given in the Port WWN column. Repeat this command, replacing /dev/cfg/c8 with the other controller identified earlier with cfgadm.

From the output, you can see that c8 has WWN 21:00:00:e0:8b:89:bf:8e and c9 has WWN 21:01:00:e0:8b:a9:bf:8e.

The FC switch zones can then be configured using the Sun ZFS Storage Appliance HBA WWNs and the Oracle Solaris host HBA WWNs.

After zoning is complete, run the following command to verify that the zone is correct:

root@solaris:~# cfgadm -al -o show_FCP_dev c8 c9

root@solaris:~#

The output now shows the Sun ZFS Storage Appliance WWNs that the Oracle Solaris host can access.
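The three commands above print WWNs in three different spellings (dotted in prtconf, bare hex in cfgadm, colon-separated in the BUI), which makes comparing them by eye error-prone. The following added example, which is not part of the original article, normalizes the WWNs and checks that each host controller sees only the appliance target ports that the zone is meant to expose; the sample command outputs are constructed to match the formats of those commands and use the WWNs from this article.

```python
import re

# Constructed sample in the style of `prtconf -vp | grep port-wwn` (host HBA ports).
PRTCONF_OUTPUT = """\
    port-wwn:  210000e0.8b89bf8e
    port-wwn:  210100e0.8ba9bf8e
"""

# Constructed sample in the style of `cfgadm -al -o show_FCP_dev c8 c9` after
# zoning: each host controller sees one appliance target port and its LUN 0.
CFGADM_OUTPUT = """\
Ap_Id                          Type         Receptacle   Occupant     Condition
c8                             fc-fabric    connected    configured   unknown
c8::210100e08bb2a1cf,0         disk         connected    configured   unknown
c9                             fc-fabric    connected    configured   unknown
c9::210000e08b92a1cf,0         disk         connected    configured   unknown
"""

# Appliance target port WWNs as read from Configuration > SAN > Fibre Channel Ports.
APPLIANCE_TARGETS = ["21:00:00:e0:8b:92:a1:cf", "21:01:00:e0:8b:b2:a1:cf"]


def normalize_wwn(raw):
    """Return a WWN as 16 lowercase hex digits. Accepts the dotted prtconf form,
    the bare cfgadm form and the colon-separated BUI form; rejects anything that
    is not exactly 64 bits (for example a WWN with a mistyped extra octet)."""
    digits = re.sub(r"[.:\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{16}", digits):
        raise ValueError("not a valid 64-bit WWN: %r" % raw)
    return digits


def colon_wwn(raw):
    """Format a WWN in the colon-separated form shown by the BUI."""
    digits = normalize_wwn(raw)
    return ":".join(digits[i:i + 2] for i in range(0, 16, 2))


def host_wwns(prtconf_text):
    """Extract the host HBA port WWNs from prtconf -vp output."""
    return [normalize_wwn(w) for w in re.findall(r"port-wwn:\s*(\S+)", prtconf_text)]


def visible_targets(cfgadm_text):
    """Map each controller (c8, c9, ...) to the set of remote port WWNs it sees."""
    seen = {}
    for line in cfgadm_text.splitlines():
        m = re.match(r"(c\d+)::([0-9a-fA-F]{16}),\d+\s", line)
        if m:
            seen.setdefault(m.group(1), set()).add(normalize_wwn(m.group(2)))
    return seen


def check_zoning(cfgadm_text, appliance_targets):
    """Return (ok, problems). Every controller must see at least one appliance
    target port, and must see nothing else: an unexpected WWN means the zone
    exposes the host to more devices than intended."""
    expected = {normalize_wwn(w) for w in appliance_targets}
    problems = []
    for ctrl, ports in sorted(visible_targets(cfgadm_text).items()):
        if not ports & expected:
            problems.append("%s sees no appliance target port" % ctrl)
        for extra in sorted(ports - expected):
            problems.append("%s sees unexpected port %s" % (ctrl, colon_wwn(extra)))
    return (not problems, problems)


if __name__ == "__main__":
    print("host HBA WWNs:", [colon_wwn(w) for w in host_wwns(PRTCONF_OUTPUT)])
    print("zoning check:", check_zoning(CFGADM_OUTPUT, APPLIANCE_TARGETS))
```

On a real host, feed the script the captured output of the two commands instead of the constructed samples.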

Configuring the Sun ZFS Storage Appliance using the browser user interface

As a unified storage platform, the Sun ZFS Storage Appliance supports block access to LUNs over the iSCSI protocol and, equally, over the Fibre Channel protocol. This section describes how to use the Sun ZFS Storage Appliance BUI to configure the appliance to recognize an Oracle Solaris host and present FC LUNs to that host.

Defining FC target groups

Target groups on the Sun ZFS Storage Appliance define the ports and protocols through which the Oracle Solaris server can access the LUNs presented to it. For this example, create an FC target group.

Perform the following steps to define the FC target group on the Sun ZFS Storage Appliance:

Click Configuration > SAN to display the Storage Area Network (SAN) screen.

Click the Targets tab on the right and select Fibre Channel Ports at the top of the left panel.

Place the cursor over an entry in the Fibre Channel Ports box. A Move icon appears at the far left of the entry.

Click the Move icon and drag the entry to the Fibre Channel Target Groups box, as shown in Figure 4.

Drop the entry on the highlighted (orange) box to create a new target group. The group is created and automatically named targets-n, where n is an integer.

Move the cursor over the new target group entry. Two icons appear to the right of the Fibre Channel Target Groups box.

To rename the new target group targets-0, click the Edit icon to display the dialog box.

In the Name field, replace the default name with the preferred name of the new FC target group and click OK. In this example, replace targets-0 with the name FC-PortGroup. In this dialog box you can also add a second FC target port by selecting the checkbox to the left of its WWN; the second port is identified as PCIe 1: Port 2.

Click OK to save changes.

Click APPLY. The changes are shown in the Fibre Channel Target Groups panel.

Defining FC initiators

FC initiators are defined to allow one or more servers to access specific volumes. Configure volume access so that as few FC initiators as possible can reach a given volume. If multiple hosts can write to a volume simultaneously using a non-shared file system, the file system cache on each host may become inconsistent, which can eventually corrupt the on-disk image. In general, only one initiator is granted access to a volume unless a dedicated cluster file system is used.

An FC initiator defines a "host" from the perspective of the Sun ZFS Storage Appliance. In a traditional dual-fabric SAN, a host is defined by at least two FC initiators. The FC initiator definition contains the host WWN.

To identify an Oracle Solaris server to the Sun ZFS Storage Appliance, register the Oracle Solaris FC initiator WWNs with the appliance by performing the following steps:

Click Configuration > SAN to display the Storage Area Network (SAN) screen.

Click the Initiators tab on the right and select Fibre Channel Initiators at the top of the left panel.

Click the icon to the left of Fibre Channel Initiators to display the New Fibre Channel Initiator dialog box.

If zoning has been configured on the FC switch, the WWNs of the Oracle Solaris host should be displayed (assuming no aliases have been defined for them yet).

Click a WWN at the bottom of the dialog box (if displayed) to prepopulate the World Wide Name field, or type the appropriate WWN in the World Wide Name box.

Enter a more meaningful name in the Alias box.

Click OK.

Repeat the previous steps for the other Oracle Solaris host WWNs.

Defining an FC initiator group

Related FC initiators are grouped into logical groups so that one operation can be applied to all FC initiators in the group; for example, LUN access can be granted to every FC initiator in a group at once. In the example below, the FC initiator group contains two initiators. Note that in a cluster, multiple servers are considered one logical entity, so an initiator group can contain more initiators.

Perform the following steps to create an FC initiator group:

Select Configuration > SAN to display the Storage Area Network (SAN) screen.

Select the Initiators tab on the right and click Fibre Channel Initiators at the top of the left panel.

Place the cursor over one of the FC initiator entries created in the previous section. A Move icon appears to the left of the entry. Click and drag the Move icon to the Fibre Channel Initiator Groups panel on the right. A new entry appears at the bottom of the Fibre Channel Initiator Groups panel (highlighted in yellow).

Move the cursor over the new entry box and release the mouse button. A new FC initiator group is created with the group name initiators-n, where n is an integer, as shown in Figure 13.

Move the cursor over the new initiator group entry. Several icons appear on the right side of the initiator group box.

Click the Edit icon to display the dialog box.

In the Name field, replace the default name of the new initiator group with the chosen name and click OK. This example uses sol-server as the initiator group name.

In this dialog box, you can add additional FC initiators to the group by clicking the checkbox to the left of the WWN.

Click APPLY in the SAN configuration screen to confirm all changes, as shown in Figure 15.

Defining a Sun ZFS Storage Appliance Project

To group related volumes, define a project on the Sun ZFS Storage Appliance. File systems and LUNs created within a project inherit the project's properties, and limits and reservations can also be applied at the project level.

Perform the following steps to create a project:

Select Shares > Projects to display the Projects screen.

Click the icon to the left of Projects at the top of the left panel to display the Create Project dialog box.

To create a new project, enter the project name and click APPLY. A new project appears in the Projects list on the left panel.

Select the new project to view its components.

Defining a Sun ZFS Storage Appliance LUN

Next, create a LUN that the Oracle Solaris server can access. In the following example, a thin-provisioned 64 GB LUN named DocArchive1 is created.

The FC target group FC-PortGroup created earlier is used to ensure that the LUN is accessible through the FC protocol. The initiator group sol-server defined earlier is used to ensure that only servers in the sol-server group can access the LUN. (In this example, the initiator group contains only one server.)

Perform the following steps to create a LUN:

Select Shares > Projects to display the Projects screen.

In the Projects panel on the left, select the project, then select LUNs at the top of the right panel.

Click the icon to the left of LUNs to display the Create LUN dialog box, as shown in Figure 20.

Enter appropriate values to configure this LUN. For this example, set Name to DocArchive1, set Volume size to 64 G, and select the Thin provisioned checkbox. Set Target Group to the FC target group FC-PortGroup and Initiator Group to sol-server. Set Volume block size to 32k, because this volume will hold an Oracle Solaris ZFS file system.

Click APPLY to create the LUN for use by the Oracle Solaris server.

Configuring the LUN for use by the Oracle Solaris server

The LUN is now available through the FC initiator group. Perform the following steps to configure the LUN for use by the Oracle Solaris server:

Initiate an Oracle Solaris FC session to the Sun ZFS Storage Appliance, as shown in Listing 1. Because the LUN was created before the FC session was initiated, the LUN is enabled automatically.

Listing 1. Initiating an Oracle Solaris FC session

root@solaris:~# cfgadm -al c8 c9

root@solaris:~# cfgadm -c configure c8::210100e08bb2a1cf

root@solaris:~# cfgadm -c configure c9::210000e08b92a1cf

root@solaris:~# cfgadm -al -o show_FCP_dev c8 c9

root@solaris:~#

Verify access to the FC LUN, as shown in Listing 2.

Listing 2. Verifying access to FC LUN

root@solaris:~# devfsadm -c ssd

root@solaris:~# tail /var/adm/messages

[...]

[...]

In this example, the multipath status is initially reported as degraded because only one path had been identified at that point. The status later changes to optimal once multiple paths to the volume are available.

The new disk devices are now available in the same way as the server's internal disks.

Format the LUN as shown in Listing 3.

Listing 3. Formatting the LUN

root@solaris:~# format

Searching for disks...done

c1t600144F0F05E906C00004ED6096D0001d0 : configured with capacity of 63.93GB

AVAILABLE DISK SELECTIONS:

[...]

Specify disk (enter its number): 4

selecting c1t600144F0F05E906C00004ED6096D0001d0

[disk formatted]

Disk not labeled. Label it now? y

FORMAT MENU:

disk - select a disk

type - select (define) a disk type

partition - select (define) a partition table

current - describe the current disk

format - format and analyze the disk

repair - repair a defective sector

label - write label to the disk

analyze - surface analysis

defect - defect list management

backup - search for backup labels

verify - read and display labels

save - save new disk/partition definitions

inquiry - show vendor, product and revision

volname - set 8-character volume name

!<cmd> - execute <cmd>, then return

quit

format> q

Build the Oracle Solaris ZFS file system on the prepared LUN: create a new ZFS pool containing the device, then create ZFS file systems in that pool, as shown in Listing 4.

Listing 4. Building the Oracle Solaris ZFS file system

root@solaris:~# zpool create docarchive1 \

c1t600144F0F05E906C00004ED6096D0001d0

root@solaris:~# zfs list

[...]

root@solaris:~# zfs create docarchive1/index

root@solaris:~# zfs create docarchive1/data

root@solaris:~# zfs create docarchive1/logs

root@solaris:~# zfs list

[...]

The last two lines of output from the df(1) command indicate that approximately 64 GB of new space is now available.

Security of FC and IP networks

Whether the network is Fibre Channel or IP, the main threat is unauthorized access, especially to the management interfaces. For example, once an intruder obtains the access of an administrator of a server connected to the storage area network (SAN), the intruder can reach any system connected to that SAN. Therefore, whichever storage network is used, adequate permission control, access authorization, and authentication policies are crucial to preventing security breaches.

Trial-and-error attacks are also easier to mount on IP networks than on Fibre Channel SANs. Against this type of attack, stronger encryption algorithms are generally used.

Although denial of service (DoS) against a SAN seems rare, it is not impossible. A DoS attack on a Fibre Channel SAN cannot be carried out with ordinary hacking tools, however, because it generally requires more specialized knowledge.

Methods to implement SAN data security

The two basic security mechanisms for protecting SAN data are zoning and logical unit number (LUN) masking.

Zoning partitions the fabric so that certain storage resources are visible only to authorized users and departments. A zone can consist of multiple servers, storage devices, subsystems, switches, HBAs, and other devices; only members of the same zone can communicate with each other.

Zoning is usually implemented at the switch level. Depending on the implementation, it is divided into two modes: hard zoning and soft zoning. Hard zoning defines the zoning policy based on switch ports; all communication attempts through unauthorized ports are blocked. Because hard zoning is enforced in the switch hardware and its routing tables, it is more secure than soft zoning.

In Fibre Channel networks, soft zoning is based on World Wide Names (WWNs). A WWN is a unique identifier assigned to each Fibre Channel device in the network. Because soft zoning uses software to ensure that the same WWN does not appear in different zones, it is more flexible than hard zoning, especially in environments whose network configuration changes frequently.

Some switches provide port binding, which restricts network devices to communicating only through predefined switch ports. This can be used to restrict access to storage pools and protect the SAN from unauthorized users.

Another widely used technique is LUN masking. A LUN is the SCSI identifier of a logical unit within a target device (such as a tape library or disk array). In Fibre Channel environments, LUN masking is keyed on the WWN of the host system.

LUN masking assigns LUNs to host servers, and each server can see only the LUNs assigned to it. If many servers attempt to access a specific device, the administrator can make a specific LUN or LUN group accessible to selected servers and deny it to the others, protecting the data. LUN masking can be implemented not only on hosts but also on HBAs, storage controllers, disk arrays, and switches.

If zoning and LUN masking are applied to the network and its devices together with other security mechanisms, they are very effective for network and data security.
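The masking rules stated in this section and in the earlier discussion of FC initiators (every LUN masked to an explicit initiator group, a single host per volume unless a cluster file system is used, only registered initiators in a group) can be checked mechanically. The following added example, not part of the original article, audits a constructed model of the configuration built in this article; the dictionary layout and the "default" group name (meaning no masking, visible to every initiator) are assumptions of this example, not the appliance's own export format.

```python
# Constructed model of the configuration built in this article: the sol-server
# initiator group with the host's two HBA WWNs, the FC-PortGroup target group
# and the DocArchive1 LUN. The dictionary layout and the "default" group name
# (meaning "not masked, visible to all initiators") are assumptions of this
# example, not the appliance's own export format.
CONFIG = {
    "initiators": {
        "21:00:00:e0:8b:89:bf:8e": {"alias": "solaris-c8", "host": "solaris"},
        "21:01:00:e0:8b:a9:bf:8e": {"alias": "solaris-c9", "host": "solaris"},
    },
    "initiator_groups": {
        "sol-server": ["21:00:00:e0:8b:89:bf:8e", "21:01:00:e0:8b:a9:bf:8e"],
    },
    "target_groups": {
        "FC-PortGroup": ["21:00:00:e0:8b:92:a1:cf", "21:01:00:e0:8b:b2:a1:cf"],
    },
    "luns": [
        {"name": "DocArchive1", "target_group": "FC-PortGroup",
         "initiator_group": "sol-server", "clustered": False},
    ],
}


def audit_lun_masking(config):
    """Return a list of findings; an empty list means the masking policy holds.
    Rules, as stated in the article: a LUN must be masked to an explicit
    initiator group; unless the LUN is shared through a cluster file system,
    only one host may reach it; every WWN in an initiator group must be a
    registered initiator; and the LUN's target group must exist."""
    findings = []
    initiators = config["initiators"]
    igroups = config["initiator_groups"]
    for group, wwns in igroups.items():
        for wwn in wwns:
            if wwn not in initiators:
                findings.append("group %s contains unregistered WWN %s" % (group, wwn))
    for lun in config["luns"]:
        label = "LUN %s" % lun["name"]
        igroup = lun.get("initiator_group") or "default"
        if igroup == "default":
            findings.append("%s is not masked (visible to every initiator)" % label)
            continue
        if igroup not in igroups:
            findings.append("%s uses unknown initiator group %s" % (label, igroup))
            continue
        if lun.get("target_group") not in config["target_groups"]:
            findings.append("%s uses unknown target group %s" % (label, lun.get("target_group")))
        # Distinct hosts behind the group: the two HBA ports of one server count once.
        hosts = {initiators[w]["host"] for w in igroups[igroup] if w in initiators}
        if len(hosts) > 1 and not lun.get("clustered"):
            findings.append("%s reachable by %d hosts without a cluster file system: %s"
                            % (label, len(hosts), ", ".join(sorted(hosts))))
    return findings


if __name__ == "__main__":
    print(audit_lun_masking(CONFIG) or "masking policy holds")
```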

The industry’s approach to storage security

There is currently no clear consensus on the level of equipment at which storage security controls are best applied; IPsec, for example, can be implemented in ASICs, on VPN devices, in appliances, and in software. Nevertheless, many vendors have built encryption and authentication functions into their data storage products.

IPsec can also play a role in other IP-based storage protocols, such as Internet Small Computer System Interface (iSCSI), Fibre Channel over IP (FCIP), and Internet Fibre Channel Protocol (iFCP).

Commonly used authentication, access authorization, and encryption mechanisms include Lightweight Directory Access Protocol (LDAP), Remote Authentication Dial-In User Service (RADIUS), Terminal Access Controller Access-Control System Plus (TACACS+), Kerberos, Triple DES, Advanced Encryption Standard (AES), Secure Sockets Layer (SSL), and Secure Shell (SSH).

Although the security mechanisms of SAN and NAS have much in common, there are differences. Many NAS systems support not only the SSH, SSL, Kerberos, RADIUS, and LDAP mechanisms but also access control lists (ACLs) and multi-level permissions. A very important factor here is file locking, which vendors and systems implement in different ways: Windows uses mandatory (hard) locking, while Unix-based systems use relatively loose advisory locking, which can cause problems in mixed Windows and Unix environments.

Call for storage security standardization

The foundation of SAN security lies at the switch layer. Storage switch standards therefore have a critical influence on how networking vendors deliver the technology.

Storage security standardization is still in its infancy. The ANSI T11 committee established the Fibre Channel Security Protocol (FC-SP) working group to design a framework of security standards for storage network infrastructure. Several protocol drafts have been submitted, including FCSec, which applies IPsec to Fibre Channel; a version of the Challenge Handshake Authentication Protocol (CHAP) for Fibre Channel; the Switch Link Authentication Protocol (SLAP), which uses digital certificates so that switches can authenticate each other; and the Fibre Channel Authentication Protocol (FCAP), an extension of SLAP. The IEEE Storage Security Working Group is preparing a proposal to standardize encryption algorithms and methods.

The Storage Networking Industry Association (SNIA) established the Storage Security Industry Forum (SSIF) in 2002. However, because different vendors support different protocols, there is still some way to go before interoperability between protocols is achieved.

Pay attention to storage switching security

It is generally recognized that, to ensure storage security, the same security precautions applied to other switches in the enterprise network should also be applied to storage switches, and storage switches have some additional requirements of their own.

One of the most important aspects of storage switch security is protecting the fabric management interface. If the management console is not well secured, an unauthorized user may, intentionally or otherwise, intrude into the system or change its configuration. A distributed lock manager can prevent conflicting changes. Users must enter an ID and an encrypted password to access the switch's fabric management interface. To protect the management ports of SAN devices through authentication, it is best to centralize SAN configuration management and encrypt communication between the management console and the switches. In addition, before a switch is connected to the fabric, access authorization and authentication should be enforced through ACL and PKI mechanisms, so that inter-switch links are established under strict security precautions.