1. Field of the Invention
The present invention relates to a computer system and a method for updating the authentication information of the computer system.
2. Description of the Related Art
In an organization such as an enterprise, a storage apparatus constituted separately from a host computer (‘host’ hereinbelow) is used in order to manage large amounts of data. For example, in an organization such as a financial institution or hospital, because sales data related to a large number of customers and clinical data and so forth must be stored for long periods, a large-capacity storage apparatus is required.
Combined usage, by a plurality of hosts, of one or a plurality of storage apparatuses rather than each host having a storage apparatus allows the storage areas to be effectively used and allows data to be efficiently managed. Hence, in an organization that handles large-scale data such as an enterprise or data center, for example, SANs (Storage Area Networks) that connect a plurality of hosts and a plurality of storage apparatuses via a network are prevalent.
Earlier SANs were constituted by using Fibre Channel technology, which is superior with respect to large-capacity burst transfers. Such SANs are called FC-SANs. An FC-SAN uses a dedicated communication device and cable and so forth that correspond with FCP (Fibre Channel Protocol) and is therefore able to transfer data relatively stably. However, problems have been pointed out, such as the fact that a dedicated communication device or the like is highly expensive and that technicians acquainted with FCP are hard to hire.
Therefore, in recent years, the focus has been on IP-SANs that use the more widely popularized IP (Internet Protocol) networks. In particular, as IP networks have become faster and larger in capacity, and as the costs of network cards and switches enabling Gigabit-class communications have fallen, attention has turned to IP-SANs that compare favorably with FC-SANs.
In the case of IP-SANs, for example, a technology that encapsulates SCSI (Small Computer System Interface) commands by means of TCP/IP (Transmission Control Protocol/Internet Protocol) and uses an IP network to send and receive the encapsulated packets is known. This technology is called iSCSI technology. By using iSCSI, a storage apparatus can be directly connected to an IP network.
With iSCSI, a node that requests data processing or the like is called the ‘initiator’ and a node that sends back a response to the requested processing is called the ‘target’. For example, the host is the initiator and the storage apparatus is the target. The initiator and target are specified by identifiers known as iSCSI names. The initiator can use services (storage services) provided by the target by logging on to the target.
By pre-registering the IP address or iSCSI name or the like of the target in the initiator, the initiator is able to open a session with the target. A session is a logical communication channel that is configured in a physical communication channel.
When a session is opened, authentication is performed between the initiator and target. This serves to prevent unauthorized access. Authentication can be performed by either one or both of the target and initiator. Authentication is performed on the basis of whether the user name (user ID) and secret (password) reported by the initiator match the user name and secret registered in the target, for example. When both the user name and secret match, access rights are granted. As detailed in section 8.2.1 of RFC (Request for Comments) 3720 or the like, a secret is one type of password information with a value that is from 12 bytes (96 bits) to 16 bytes (128 bits) long.
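The login check described above, as an added example that is not part of the original text: it uses CHAP, the method that section 8.2.1 of RFC 3720 addresses, with the response computed as in RFC 1994, so the secret itself is never sent. The `Target` class, the `login` helper, the user name and the secret values are hypothetical and constructed for illustration; the last two lines show a login failing once the target's copy of the secret has been updated and the initiator's has not.

```python
import hashlib
import hmac
import os

MIN_SECRET, MAX_SECRET = 12, 16  # byte range stated in the text above


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Target:
    """Hypothetical target-side credential store and login check."""
    def __init__(self):
        self._secrets = {}   # user name -> secret registered in the target
        self._pending = {}   # user name -> (identifier, challenge) awaiting a reply

    def register(self, user: str, secret: bytes) -> None:
        if not MIN_SECRET <= len(secret) <= MAX_SECRET:
            raise ValueError("secret must be 12 to 16 bytes long")
        self._secrets[user] = secret  # registering again replaces the old secret

    def challenge(self, user: str):
        ident, chal = os.urandom(1)[0], os.urandom(16)
        self._pending[user] = (ident, chal)
        return ident, chal

    def verify(self, user: str, response: bytes) -> bool:
        pending = self._pending.pop(user, None)  # each challenge is single use
        secret = self._secrets.get(user)
        if pending is None or secret is None:
            return False
        expected = chap_response(pending[0], secret, pending[1])
        return hmac.compare_digest(expected, response)  # constant-time compare


def login(target: Target, user: str, secret: bytes) -> bool:
    """Initiator side: answer the challenge with its own copy of the secret."""
    ident, chal = target.challenge(user)
    return target.verify(user, chap_response(ident, secret, chal))


if __name__ == "__main__":
    t = Target()
    t.register("host1", b"constructed-key1")         # constructed 16-byte secret
    print(login(t, "host1", b"constructed-key1"))    # secrets match
    t.register("host1", b"rotated-key-0002")         # target-only update
    print(login(t, "host1", b"constructed-key1"))    # initiator still has old secret
```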
The iSCSI nodes (target and initiator) are directly connected to an IP network as mentioned above and, therefore, in order to prevent unauthorized access, the secret is preferably updated at regular intervals. Further, although not a technology related to network storage, a technology that allows the passwords of a host and terminal to each be updated by a management device is known (Japanese Patent Application Laid Open No. H8-202658).
In the conventional technology that appears in Japanese Patent Application Laid Open No. H8-202658, the passwords of the host and terminal can be easily updated by the management device. However, in the case of iSCSI, once the session has been closed in order to update the secret, the host and terminal must be reconnected based on the specifications of iSCSI. Because the session must be closed when the secret is updated, the administrator must perform the operation to update the secret after temporarily terminating application programs on the host.
However, a computer system that uses iSCSI often requires continuous operation 24 hours a day and 365 days a year. Hence, a technology that allows the secret to be updated without terminating the application program on the host is required.