Updating applications with a DS Network Interface client

To create a more secure connection to the DS8000®, update applications that connect to the storage system through the DS Network Interface so that they use the DS Network Interface client V7.2 or later.

About this task

The DS Network Interface server on the Hardware Management Console (HMC) is accessed by a number of IBM applications that use a DS Network Interface client. The DS Network Interface server V7.1.x or earlier has a legacy certificate with a weak public key (RSA-1024) and digital signature (MD5). The DS Network Interface client V7.1.x or earlier has a trust anchor associated with that certificate. The DS Network Interface server V7.2 and later contains both the legacy certificate and a NIST SP 800-131A compliant certificate, which has a NIST SP 800-131A compliant public key (RSA-2048) and digital signature (SHA-256). The DS Network Interface client V7.2 and later automatically uses the NIST SP 800-131A certificate with DS8000 systems that are running V7.2 and later. For compatibility, it uses the legacy certificate with DS8000 systems that are running V7.1.x and earlier. Although it is not possible to upgrade the DS Network Interface client in an IBM application, you can upgrade the applications to a level that contains the DS Network Interface client V7.2 or later.

The following IBM applications include the DS Network Interface client for R7.2.
  • DS CLI client V7.7.20.xxx or later
  • Easy Tier Heat Map Transfer Utility V7.7.20.xxx or later, or the heat map transfer utility that is provided with IBM Tivoli Productivity Center for Replication included in IBM® Spectrum Control 5.2.1 or later
  • IBM Spectrum Control 5.2.1 or later
  • IBM System Storage DS8000 for VMware vCenter Site Recovery Manager 5.x Version 2.2.1

Procedure

  1. Update any of the listed applications that are in use to the indicated versions to support DS Network Interface client for V7.2.
  2. Disable the legacy DS Network Interface server certificate by using the DS CLI manageaccess command to disable port 1750.
    When port 1750 is disabled on the HMC V7.2, the DS Network Interface clients for V7.1.x or earlier cannot connect to the DS Network Interface server for V7.2.

    After port 1750 is disabled, one or more DS Network Interface clients might lose network connectivity if they were not updated to be compatible with V7.2. Use the manageaccess command to enable port 1750 and restore access. Update the applications as needed so that port 1750 can be disabled without losing connectivity.

    Notes:
    1. The DS Network Interface client for V7.2 connects to the DS Network Interface server for V7.2 on port 1751. If any of the listed applications, the DS CLI client, or the DS8000 Storage Management GUI that is installed on the management server access the storage system with LMC V7.2 or later at a remote site, you might need to configure your firewall to enable TLS connections on port 1751.
    2. If your storage system is configured to conform with NIST SP 800-131A, refer to the procedure for configuring the DS Network Interface server to conform with NIST SP 800-131A guidelines. This procedure automatically disables port 1750.