The present invention relates to a storage control system, where storage controllers and host computers are connected via a communication network, for controlling access between targets in the storage controllers and initiators in the host computers. The present invention also relates to a storage controller used in this storage control system.
Storage area networks (SANs), where storage controllers and host computers, which are front-end apparatuses relative to the storage controllers, are connected to each other via a Fibre Channel, are well known. Lately, an IP-SAN, which constructs a SAN using an IP network instead of Fibre Channel, has been proposed in order to achieve SAN objectives such as long distance connection. An IP-SAN enables communication using the iSCSI (Internet SCSI) as a communication protocol.
In IP-SANs, a storage controller connected to a communication network is sometimes accessed from an indefinite number of nodes that are connected to the same network as well as different networks. Therefore, enhancing security by controlling access between initiators, units issuing I/O commands; and targets, units receiving the I/O commands on the network is an object that should be achieved.
One example that achieves the above object is disclosed in Japanese Patent Laid-Open (Kokai) Publication No. 2002-63063. This publication discloses a storage area network management system. In the management system, a storage area network system, where plural host computers and storage apparatuses are connected via a switch, has an integrated management mechanism for performing integrated control of the storage area network. The integrated management mechanism, having information on access paths between the host computers and the storage apparatuses, notifies storage area network management mechanisms in the host computers of management information for the storage apparatuses based on the access path information. It also notifies an area setting mechanism in the switch of area information and notifies storage management mechanisms in the storage apparatuses of access control information for the host computers.
Meanwhile, Japanese Patent Laid-Open (Kokai) Publication No. 2001-265655 discloses a storage sub system for realizing a LUN security function, which is to prevent unauthorized accesses by limiting accessible logical units (LUN) for each host computer. The storage sub system has: one or more storage apparatuses in which one storage area corresponds to one or more logical units; a storage controller for controlling data reading and writing from and to the storage apparatuses; a management table for managing the logical units; and a memory for storing the management table. The management table includes: information for identifying the host computers; identification numbers for specifying logical units that the host computers are allowed to access; and virtual identification numbers that correspond to the logical unit identification numbers and correspondence relationships therebetween. The storage sub system determines whether to permit or deny host computer access by referring to the management table, especially the information for identifying the host computers.