The present invention relates to a storage control system, where storage controllers and host computers are connected via a communication network, for controlling access between targets in the storage controllers and initiators in the host computers. The present invention also relates to a storage controller used in this storage control system.
Storage area networks (SANs), where storage controllers and host computers, which are front-end apparatuses relative to the storage controllers, are connected to each other via Fibre Channel, are well known. Lately, an IP-SAN, which constructs a SAN using an IP network instead of Fibre Channel, has been proposed in order to achieve SAN objectives such as long distance connection. An IP-SAN enables communication using iSCSI (Internet SCSI) as a communication protocol.
In IP-SANs, a storage controller connected to a communication network is sometimes accessed from an indefinite number of nodes that are connected to the same network as well as to different networks. Therefore, enhancing security by controlling access on the network between initiators (units issuing I/O commands) and targets (units receiving the I/O commands) is an object that should be achieved.
One example that achieves the above object is disclosed in Japanese Patent Laid-Open (Kokai) Publication No. 2002-63063. This publication discloses a storage area network management system. In the management apparatuses are connected via a switch, has an integrated management mechanism for performing integrated control of the storage area network. The integrated management mechanism, having information on access paths between the host computers and the storage apparatuses, notifies storage area network management mechanisms in the host computers of management information for the storage apparatuses based on the access path information. It also notifies an area setting mechanism in the switch of area information and notifies storage management mechanisms in the storage apparatuses of access control information for the host computers.
Meanwhile, Japanese Patent Laid-Open (Kokai) Publication No. 2001-265655 discloses a storage sub system for realizing a LUN security function, which is to prevent unauthorized accesses by limiting accessible logical units (LUN) for each host computer. The storage sub system has: one or more storage apparatuses in which one storage area corresponds to one or more logical units; a storage controller for controlling data reading and writing from and to the storage apparatuses; a management table for managing the logical units; and a memory for storing the management table. The management table includes: information for identifying the host computers; identification numbers for specifying logical units that the host computers are allowed to access; and virtual identification numbers that correspond to the logical unit identification numbers and correspondence relationships therebetween. The storage sub system determines whether to permit or deny host computer access by referring to the management table, especially the information for identifying the host computers.
In a communication network using iSCSI as a communication protocol, host computers (initiators) are identified by iSCSI names in order to realize LUN security. Meanwhile, in storage controllers, targets are created via a user interface (for example, a GUI) on a management console. The targets are also assigned iSCSI names. The storage controllers register, in memory, the iSCSI names of initiators that are allowed to access the targets and assign accessible logical units to the targets.
Incidentally, in an IP-SAN system using the iSCSI protocol, host computers and storage controllers do not have means for finding (“discovery”) connection destinations. Moreover, they do not have a function for notifying an indefinite number of devices on the network of iSCSI names.
If the host computers (initiators) know the IP addresses and TCP port numbers of the storage controllers (targets), they can obtain the iSCSI names of the targets. However, the iSCSI protocol does not provide a function for enabling the storage controllers (targets) to obtain the iSCSI names of the initiators. Accordingly, a storage controller administrator needs to enter, in the storage controller, the iSCSI name(s) that have been set in the host computer(s). An iSCSI name consists of 223 letters at the maximum; therefore, manual setting of an iSCSI name may result in problems such as input mistakes.
One solution for the problem is to use an iSNS server service. An iSNS server has a function for classifying iSCSI initiators and iSCSI targets into groups called discovery domains, and provides the service of delivering the classification information to the initiators and the targets. With the iSNS server service, the initiators are informed of accessible targets. In order to realize this service, the iSCSI initiators and the iSCSI targets are registered as iSNS clients at the iSNS server. Based on the information registered by the clients, an iSNS server administrator creates discovery domains and registers the initiators and targets at the iSNS server while making groups with initiators and targets he/she intends to combine. Accordingly, an initiator is allowed to access an intended target based on the information from the iSNS server even if it is not informed of the IP address and the TCP port number of the intended target.
However, although setting of access relationships between the initiators and targets is easily performed by the iSNS server service, a storage controller administrator still has to set the correspondence relationships between the targets and initiators for LUN security in the storage controller, separately from setting the correspondence relationships at the iSNS server. Consequently, if there is a time lag between setting at the iSNS server and setting of the LUN security in the storage controller, the access settings in the iSNS server and those in the storage controller do not match.
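The mismatch described above can be detected by comparing the two sets of settings pair by pair. The following is an added example, not part of the original publication: the data layout, the function names and every iSCSI name are constructed for illustration, and the name check assumes the standard `iqn.`, `eui.` and `naa.` prefixes together with the 223-letter limit mentioned earlier.

```python
MAX_ISCSI_NAME_LEN = 223  # maximum iSCSI name length stated in the text

def name_ok(name):
    """Format check: a known iSCSI name prefix and a length within the limit."""
    return name.startswith(("iqn.", "eui.", "naa.")) and len(name) <= MAX_ISCSI_NAME_LEN

def isns_pairs(domains):
    """(initiator, target) pairs advertised through discovery-domain membership."""
    return {(i, t) for dd in domains.values()
            for i in dd["initiators"] for t in dd["targets"]}

def acl_pairs(lun_security):
    """(initiator, target) pairs permitted by the controller's LUN security."""
    return {(i, t) for t, entry in lun_security.items()
            for i in entry["allowed_initiators"]}

def reconcile(domains, lun_security):
    """Report where the iSNS settings and the LUN security settings disagree."""
    advertised, permitted = isns_pairs(domains), acl_pairs(lun_security)
    names = {n for pair in advertised | permitted for n in pair}
    return {
        # The initiator is told about the target, but the controller refuses it.
        "advertised_but_denied": sorted(advertised - permitted),
        # The controller still admits an initiator that iSNS no longer groups
        # with the target (stale or mistyped entry).
        "permitted_but_unadvertised": sorted(permitted - advertised),
        "malformed_names": sorted(n for n in names if not name_ok(n)),
    }

# Constructed sample settings (hypothetical names, not from the publication).
P = "iqn.2004-01.com.example:"
DOMAINS = {
    "dd-db": {"initiators": [P + "host-a", P + "host-b"], "targets": [P + "array1.db"]},
    "dd-backup": {"initiators": [P + "host-c"], "targets": [P + "array1.bak"]},
}
LUN_SECURITY = {
    # "host-8" is a manual input mistake for "host-b".
    P + "array1.db": {"allowed_initiators": [P + "host-a", P + "host-8"], "luns": [0, 1]},
    # "host-d" was removed at the iSNS server but not yet at the controller.
    P + "array1.bak": {"allowed_initiators": [P + "host-c", P + "host-d"], "luns": [2]},
}

if __name__ == "__main__":
    for finding, items in reconcile(DOMAINS, LUN_SECURITY).items():
        print(finding, items)
```
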
Thereupon, it is an object of the present invention to provide a storage control system that can solve the problem by integrating the setting of access between initiators and targets connected to a communication network and the setting of LUN security for the targets. Another object of the present invention is to provide a storage control system which enables the reflection of the access settings in the iSNS server in the LUN security settings in a storage controller. Yet another object of the present invention is to provide a storage control system that can set, in the targets, identification information for the initiators without fail. Still another object of the present invention is to provide a storage controller for that storage control system.