Hitachi Storage Navigator Modular 2 User Guide

    							Advanced Functions10–3
    Hitachi Storage Navigator Modular 2 User’s Guide
    FE80::/64. The last 64 bits of the IPv6 address are referred to as the interface 
    identifier. It is derived from the 48-bit Media Access Control (MAC) address 
    of the NIC.
    To create the IPv6 interface identifier from the 48-bit (6-byte) Ethernet MAC 
    address:
    • The hexadecimal digits 0xFF-FE are inserted between the third and 
    fourth bytes of the MAC address.
    • The Universal/Local bit (the second low-order bit of the first byte of the 
    MAC address) is complemented. If it is a 1, it is set to 0; if it is a 0, it is 
    set to 1. 
    For example, for the MAC address of 00-60-08-52-F9-D8:
    • The hexadecimal digits 0xFF-FE are inserted between 0x08 (the third 
    byte) and 0x52 (the fourth byte) of the MAC address, forming the 64-
    bit address of 00-60-08-FF-FE-52-F9-D8.
    • The Universal/Local bit, the second low-order bit of 0x00 (the first 
    byte) of the MAC address, is complemented. The second low-order bit 
    of 0x00 is 0 which, when complemented, becomes 1. The result is that 
    for the first byte, 0x00 becomes 0x02. 
    As a result, the IPv6 interface identifier that corresponds to the Ethernet 
    MAC address of 00-60-08-52-F9-D8 is 02-60-08-FF-FE-52-F9-D8.
    The link-local address of a node is the combination of the prefix FE80::/64 
    and the 64-bit interface identifier expressed in colon-hexadecimal notation. 
    As a result, the link-local address of this example node, with the prefix 
    FE80::/64 and the interface identifier 02-60-08-FF-FE-52-F9-D8, is 
    FE80::260:8FF:FE52:F9D8.
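    The derivation above as an added Python example (not part of the Hitachi guide): it builds the interface identifier and link-local address from a MAC address and also reverses the mapping, which shows that an EUI-64 based address discloses the adapter's MAC address. The function names are assumptions of this example; the second MAC address used in the sample run is the Link-Layer Address from the netsh output shown later in this guide.

```python
import ipaddress

LINK_LOCAL_PREFIX = ipaddress.IPv6Network("fe80::/64")


def parse_mac(mac):
    """Accept 00-60-08-52-F9-D8 or 00:60:08:52:f9:d8 and return the 6 raw bytes."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return raw


def interface_id(mac):
    """Build the 64-bit interface identifier from a 48-bit MAC address."""
    raw = parse_mac(mac)
    # Step 1: insert FF-FE between the third and fourth bytes.
    eui64 = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    # Step 2: complement the Universal/Local bit (second low-order bit, 0x02).
    eui64[0] ^= 0x02
    return bytes(eui64)


def format_id(iid):
    """Render an identifier in the dash-separated form the guide uses."""
    return "-".join(f"{b:02X}" for b in iid)


def link_local(mac):
    """Combine the FE80::/64 prefix with the interface identifier."""
    iid = int.from_bytes(interface_id(mac), "big")
    return ipaddress.IPv6Address(int(LINK_LOCAL_PREFIX.network_address) | iid)


def mac_from_address(addr):
    """Recover the MAC from an EUI-64 based address, or None if there is no FF-FE marker.

    A random identifier can contain FF-FE by chance (about 1 in 65536),
    so treat a match as a strong hint rather than proof.
    """
    packed = ipaddress.IPv6Address(addr.split("%")[0]).packed  # drop any zone ID
    iid = bytearray(packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the Universal/Local bit flip
    return "-".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    for mac in ("00-60-08-52-F9-D8", "00-c0-4f-19-ba-d3"):
        print(mac, format_id(interface_id(mac)), link_local(mac))
    print(mac_from_address("fe80::2c0:4fff:fe19:bad3%4"))
```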
    NOTE: If you use IPv6 addresses with your storage system, we 
    recommend you set IP addresses manually on the Navigator 2 Set up 
    Management Ports window. If you select Use DHCP in the Navigator 2 Set 
    up Management Port window, the IPv6 address changes if you replace 
    storage systems, since the IPv6 address is created based on the storage 
    system’s MAC address. This will require you to perform the Navigator 2 
    search array and registration.
    TIP: For the range of the IPv6 address set manually, use the global unicast 
    address 2001::/16. 
    						
    You can view your link-local address using the netsh interface ipv6 show 
    interface command. When you run this command without any additional 
    parameters, a list similar to the following appears:
    Idx  Met  MTU   State      Name
    ---  ---  ----  ---------  ----------
    5    0    1500  Connected  Local Area Connection
    4    0    1500  Connected  Local Area Connection 2
    3    1    1280  Connected  6to4 Tunneling Pseudo-Interface
    2    0    1280  Connected  Automatic Tunneling Pseudo-Interface
    1    0    1500  Connected  Loopback Pseudo-Interface
    For more detailed output, you can designate a connection name as a 
    command parameter (for example, netsh interface ipv6 show interface 
    “Local Area Connection 2”). Using the interface parameter (with either 
    an interface name or an interface index number) results in the following 
    output, which includes the link-local address for the connection:
    Interface 4: Local Area Connection 2
    Addr Type  DAD State  Valid Life   Pref. Life   Address
    ---------  ---------- ------------ ------------ -----------------------------
    Temporary  Preferred    6d4h41m33s     4h38m46s 3ffe:2900:d005:f282:4063:32a8:5c81:62f2
    Temporary  Deprecated   5d4h44m24s           0s 3ffe:2900:d005:f282:cd74:3dd7:857b:b57
    Temporary  Deprecated   4d4h47m16s           0s 3ffe:2900:d005:f282:d880:d193:f2dd:d929
    Temporary  Deprecated    3d4h50m7s           0s 3ffe:2900:d005:f282:7482:2f05:8129:54ba
    Temporary  Deprecated   2d4h52m59s           0s 3ffe:2900:d005:f282:d530:25de:57b:7ee0
    Temporary  Deprecated   1d4h55m50s           0s 3ffe:2900:d005:f282:c58c:4290:22c6:7b3b
    Temporary  Deprecated     4h58m42s           0s 3ffe:2900:d005:f282:8464:acf0:8393:cf6
    Public     Preferred  29d23h57m19s  6d23h57m19s fec0::f282:2c0:4fff:fe19:bad3
    Public     Preferred  29d23h57m19s  6d23h57m19s 3ffe:2900:d005:f282:2c0:4fff:fe19:bad3
    Link       Preferred      infinite     infinite fe80::2c0:4fff:fe19:bad3
    Connection Name          : Local Area Connection 2
    GUID                     : {433F15CA-E3FD-4DE4-B3FF-7EF4B30CA4E7}
    State                    : Connected
    Metric                   : 0
    Link MTU                 : 1500 bytes
    True Link MTU            : 1500 bytes
    Current Hop Limit        : 64
    Reachable Time           : 4h43m20s
    Base Reachable Time      : 8h20m
    Retransmission Interval  : 16m40s
    DAD Transmits            : 1
    DNS Suffix               : example.microsoft.com
    Zone ID for Link         : 4
    Zone ID for Site         : 1
    Uses Neighbor Discovery  : Yes
    Sends RAs                : No
    Forwards Packets         : No
    Link-Layer Address       : 00-c0-4f-19-ba-d3
    In this example, Interface 4 is an interface that corresponds to an installed 
    Ethernet adapter with a link-local address of FE80::2C0:4FFF:FE19:BAD3.
    Router discovery
    IPv6 solves many problems related to the interaction between nodes that 
    are attached to the same link. To accomplish this, an IPv6 host “advertises” 
    its presence, various link parameters, and various Internet parameters 
    using router discovery (an exchange of Router Solicitation and Router 
    Advertisement messages) to ascertain additional addresses and 
    configuration settings. 
    						
    To accomplish this, routers “advertise” their presence, various link 
    parameters, and various Internet parameters. Routers advertise either 
    periodically, or in response to a router solicitation message. Router 
    advertisements contain prefixes that are used for on-link determination or 
    address configuration, a suggested hop limit value, and other purposes.
    If you need to change the contents of a router advertisement for a host 
    attached to the storage system, use the command set Router Lifetime 
    and specify an expiration date of 0 to disable the previous router 
    advertisement. Otherwise, you will have to perform the Navigator 2 search 
    array and registration.
    Temporary addresses
    Computers running Microsoft Windows Vista or Windows Server 2008 by 
    default generate random interface IDs for non-temporary auto-configured 
    IPv6 addresses, including public and link-local addresses, instead of 
    EUI-64-based interface IDs. A public IPv6 address is a global address that is 
    registered in DNS and is typically used by server applications for incoming 
    connections, such as a Web server. 
    This default setting can cause many temporary addresses to be registered 
    in the host, increasing processing times. Therefore, we recommend you 
    check the temporary addresses and, if there are many, disable them.
    To check whether temporary addresses are enabled or disabled, type the 
    following command from the command prompt. 
    C:\> netsh interface ipv6 show privacy
    To disable temporary addresses, type the following command: 
    C:\> netsh interface ipv6 set privacy disable
    Type the following command to return them to Enabled. 
    C:\> netsh interface ipv6 set privacy enable
    Connection methods
    The following examples show connections between the storage system and 
    the computer in which Navigator 2 has been installed.
    Example 1
    Figure 10-1 on page 10-6 shows a configuration where a computer with 
    Navigator 2 and the computer have the same IPv6 addresses.
    						
     
    Figure 10-1:  Sample Configuration 1
    In this configuration:
    • The storage system uses 2000/tcp and 28355/tcp to communicate with 
    Navigator 2. If the storage system is connected directly to a computer, 
    but cannot communicate through the router, the router can have 
    blocked ports. In this case, configure the router to permit 2-way 
    communication to ports.
    • IPv6 multicasting is used on the local link to search for the storage 
    system’s IPv6 address. Prior to having Navigator 2 search for the 
    storage system, configure the storage system and the computer in 
    which Navigator 2 is installed to reside on the same link.
    • If the computer where Navigator 2 is installed has two or more NICs 
    connected to separate network segments, Navigator 2 can only access 
    the LAN whose addresses were specified when Navigator 2 was 
    installed.
    Example 2
    Figure 10-2 on page 10-7 shows a configuration where a computer with 
    Navigator 2 and another computer are configured with different IPv6 
    addresses. 
    						
    Figure 10-2:  Sample Configuration 2
    In this configuration:
    • The storage system uses 2000/tcp and 28355/tcp to communicate with 
    Navigator 2. If the computer is connected directly to the storage 
    system, but cannot communicate through the router, the router can 
    have blocked ports. In this case, configure the router to permit 2-way 
    communication to ports.
    • The computer in which Navigator 2 is installed (Computer A) uses 
    23015/tcp and 1099/tcp to communicate with Computer B. If Computer 
    A can be connected directly to the storage system, but cannot 
    communicate through the router, the router can have blocked ports. In 
    this case, configure the router to permit 2-way communication to ports.
    • IPv6 multicasting is used on the local link to search for the storage 
    system’s IPv6 address. Prior to having Navigator 2 search for the 
    storage system, configure the storage system and the computer in 
    which Navigator 2 is installed to reside on the same link.
    • If the computer where Navigator 2 is installed has two or more NICs 
    connected to separate network segments, Navigator 2 can only access 
    the LAN whose addresses were specified when Navigator 2 was 
    installed.
    Using secure sockets layer
    If security is a concern, your management console can communicate with 
    Navigator 2 using the Secure Sockets Layer (SSL) protocol. SSL ensures 
    secure transactions between Navigator 2 and your management console’s 
    Web browser. The protocol uses a third party, a Certificate Authority (CA), 
    to identify one end or both ends of the transaction. The following steps 
    summarize how SSL works. 
    1. A browser requests a secure page (usually https://).
    2. Navigator 2 sends its public key with its certificate. 
    						
    3. The browser checks that the certificate was issued by a trusted party 
    (usually a trusted root CA), that the certificate is still valid and that the 
    certificate is related to the site contacted.
    4. The browser uses the public key to encrypt a random symmetric 
    encryption key and sends it to the server with the encrypted URL 
    required as well as other encrypted http data.
    5. Navigator 2 decrypts the symmetric encryption key using its private key 
    and uses the symmetric key to decrypt the URL and http data. 
    6. Navigator 2 sends back the requested html document and http data 
    encrypted with the symmetric key. 
    7. The browser decrypts the http data and HTML document using the 
    symmetric key and displays the information.
    Setting the certificate and private key
    We recommend that you use a server certificate and private key for SSL 
    communications with Navigator 2. The following sections describe how to 
    create and set the server certificate and private key.
    Stopping the Navigator 2 service or daemon process
    The first step when setting the certificate and private key for SSL 
    communications is to stop the Navigator 2 service on Windows operating 
    systems or to stop the Navigator 2 daemon process on Solaris and Linux 
    operating systems. For more information, see Starting or stopping the 
    Navigator 2 service or daemon process on page 10-15.
    Creating a private key
    The next step is to create a private key. Please refer to the appropriate 
    section for your operating system.
    Creating a private key on Windows
    To create a private key on a Windows operating system
    1. Create the directory where the private key will be output.
    2. Open a command prompt and go to the following directory:  
    \Base\bin
    3. Type the following command line. The slanted text indicates a bit length 
    for the key of 512, 1024, or 2048.
    hcmdssslc genrsa -out c:\ca\httpsdkey.pem  
    						
    The following shows an example of issuing this command line:
    hcmdssslc genrsa -out c:\ca\httpsdkey.pem 2048
    Loading entropy into random state - unable to load random state
    warning, not much extra random data, consider using the -rand option
    Generating 2 prime RSA private key, 2048 bit long modulus
    ..................................................................++
    +++
    ...........+++++
    e is 65537 (0x10001)
    4. Type the following command line to create a certificate signing request 
    (CSR):
    hcmdssslc req -config "C:\Program Files\HiCommand\Base\httpsd\sslc\bin\demoCA\sslc.cnf" -new -key c:\ca\httpsdkey.pem -out c:\ca\httpsd.csr
    The following shows an example of issuing this command line:
    Using configuration from C:\Program Files\HiCommand\Base\httpsd\sslc\bin\demoCA\sslc.cnf
    You will be prompted to enter information to incorporate
    into the certificate request.
    This information is called a Distinguished Name or a DN.
    There are many fields however some can remain blank.
    Some fields have default values.
    Enter ., to leave the field blank.
    -----
    Country Name (2 letter code) []:us
    State or Province Name (full name) []:California
    Locality Name (eg, city) []:San Jose
    Organization Name (eg, company) []:Hitachi
    Organizational Unit Name (eg, section) []:Hitachi
    Common Name (eg, YOUR name) []:Hitachi
    Email Address []:
    Please enter the following extra attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    5. Submit the created CSR file (httpsd.csr in the above example) to the 
    CA and obtain the signed certificate.
    NOTE: If you do not submit the CSR file to or obtain the signed certificate 
    file from the CA, you can still create the certificate file with your signature 
    using the hcmdssslc command. However, a warning window appears when 
    the initial Navigator 2 window and subsequent window appear. 
    6. To create a self-signed certificate file, type the following command line:
    hcmdssslc x509 -in c:\ca\httpsd.csr -out c:\ca\newcert.pem -reg -signkey c:\ca\httpsdkey.pem -days 365
    c:\ca\httpsd.csr: CSR to CA
    c:\ca\newcert.pem: self-signed certificate
    c:\ca\httpsdkey.pem: key file
    7. Using a text editor, open the file httpsd.conf in  
    \Base\httpsd\conf.
    8. Delete the hash sign (#) from the following slanted lines, which are 
    commented out by default. Change the values of SSLCertificateFile 
    and SSLCertificateKeyFile:
    a. For SSLCertificateFile, specify the signed certificate file obtained 
    from the CA.
    b. For SSLCertificateKeyFile, specify the full path of the private key 
    file created earlier in this procedure.
    The contents of the file are shown below:
    SSLSessionCacheSize 0
    #Listen 23016
    #Listen [::]:23016
    #
    #  ServerName s1j-orca2xp
    #  SSLEnable
    #  SSLProtocol SSLv3 TLSv1
    #  SSLRequireSSL
    #  SSLCertificateFile C:/ca/httpsd.pem
    #  SSLCertificateKeyFile C:/ca/httpsdkey.pem
    #  SSLCACertificateFile C:/Program Files/HiCommand/Base/httpsd/conf/ssl/cacert/anycert.pem
    #  SSLSessionCacheTimeout 3600
    #
    9. Start the service for Navigator 2 (see Starting the Navigator 2 server 
    service or daemon process on page 10-20).
    10. Start the service for Hitachi Storage Command Suite Common 
    Components (see Starting the Hitachi Storage Command Suite common 
    components on page 10-19).
    11. If there are other products that use the Hitachi Storage Command Suite 
    Common Components, start the daemon process for those applications 
    (refer to the documentation for those applications).
    						
    Creating a private key on Solaris or Linux
    To create a private key on a Solaris or Linux operating system
    1. Create the directory where the private key will be output.
    2. Open a command prompt and go to the following directory:  
    /Base/httpsd/sslc/bin
    3. Type the following command line. The slanted text indicates a bit length 
    for the key of 512, 1024, or 2048.
    sslc genrsa -out /ca/httpsdkey.pem 
    The following shows an example of issuing this command line:
    hcmdssslc genrsa -out c:\ca\httpsdkey.pem 2048
    Loading entropy into random state - unable to load random state
    warning, not much extra random data, consider using the -rand option
    Generating 2 prime RSA private key, 2048 bit long modulus
    ..................................................................++
    +++
    ...........+++++
    e is 65537 (0x10001)
    4. Type the following command line to create a certificate signing request 
    (CSR):
    ./sslc req -config /opt/HiCommand/Base/httpsd/sslc/bin/demoCA/sslc.cnf -new -key /ca/httpsdkey.pem -out /ca/httpsd.csr
    The following shows an example of the result from executing this 
    command line:
    Using configuration from C:\Program Files\HiCommand\Base\httpsd\sslc\bin\demoCA\sslc.cnf
    You will be prompted to enter information to incorporate
    into the certificate request.
    This information is called a Distinguished Name or a DN.
    There are many fields however some can remain blank.
    Some fields have default values.
    Enter ., to leave the field blank.
    -----
    Country Name (2 letter code) []:us
    State or Province Name (full name) []:California
    Locality Name (eg, city) []:San Jose
    Organization Name (eg, company) []:Hitachi
    Organizational Unit Name (eg, section) []:Hitachi
    Common Name (eg, YOUR name) []:Hitachi
    Email Address []:
    Please enter the following extra attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    						
    5. Submit the created CSR file (httpsd.csr in the above example) to the 
    CA and obtain the signed certificate.
    NOTE: If you do not submit the CSR file to or obtain the signed certificate 
    file from the CA, you can still create the certificate file with your signature 
    using the hcmdssslc command. However, a warning window appears when 
    the initial Navigator 2 window and subsequent window appear.
    6. To create a self-signed certificate file, type the following command line:
    ./sslc x509 -in /ca/httpsd.csr -out /ca/newcert.pem -reg -signkey /ca/httpsdkey.pem -days 365
    7. Using a text editor, open the file httpsd.conf in  
    \Base\httpsd\conf.
    8. Delete the hash sign (#) from the following slanted lines, which are 
    commented out by default. Change the values of SSLCertificateFile 
    and SSLCertificateKeyFile:
    a. For SSLCertificateFile, specify the signed certificate file obtained 
    from the CA.
    b. For SSLCertificateKeyFile, specify the full path of the private key 
    file created earlier in this procedure.
    The contents of the file are shown below:
    SSLSessionCacheSize 0
    #Listen 23016
    #Listen [::]:23016
    #
    #  ServerName s1j-orca2xp
    #  SSLEnable
    #  SSLProtocol SSLv3 TLSv1
    #  SSLRequireSSL
    #  SSLCertificateFile C:/ca/httpsd.pem
    #  SSLCertificateKeyFile C:/ca/httpsdkey.pem
    #  SSLCACertificateFile C:/Program Files/HiCommand/Base/httpsd/conf/ssl/cacert/anycert.pem
    #  SSLSessionCacheTimeout 3600
    #
    9. Start the daemon process for Navigator 2 (see Starting the services or 
    daemon process on page 10-18).
    10. Start the daemon process for Hitachi Storage Command Suite Common 
    Components (see Starting the Hitachi Storage Command Suite common 
    components on page 10-19).
    11. If there are other products that use the Hitachi Storage Command Suite 
    Common Components, start the daemon process for those applications 
    (refer to the documentation for those applications).
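    A check for the result of the two procedures above (Windows and Solaris/Linux), added here as an example and not taken from the Hitachi guide: it reports which SSL directives in an httpsd.conf fragment are still commented out, flags the SSLv3 and TLSv1 protocol names that the sample SSLProtocol line enables, and reads the key size from genrsa output. The function names, the 2048-bit floor and the sample strings are assumptions of this example; which protocol names this httpsd accepts is not stated in the guide, so the check only reports.

```python
import re

# Directives that step "Delete the hash sign (#)" expects to be uncommented.
REQUIRED = ("Listen", "SSLEnable", "SSLProtocol", "SSLRequireSSL",
            "SSLCertificateFile", "SSLCertificateKeyFile")
# Protocol names from the guide's SSLProtocol line that the IETF has deprecated.
DEPRECATED = {"SSLv3": "RFC 7568", "TLSv1": "RFC 8996"}
MIN_RSA_BITS = 2048  # assumption of this example: NIST SP 800-131A floor for RSA

def parse_directives(text):
    """Split a config fragment into active and commented-out directives."""
    active, commented = {}, {}
    for line in text.splitlines():
        stripped = line.strip()
        target = active
        if stripped.startswith("#"):
            stripped, target = stripped.lstrip("#").strip(), commented
        if stripped:
            name, _, args = stripped.partition(" ")
            target.setdefault(name, []).append(args.strip())
    return active, commented

def audit_conf(text):
    """Return a list of findings for an httpsd.conf SSL fragment."""
    active, commented = parse_directives(text)
    findings = []
    for name in REQUIRED:
        if name not in active:
            state = "still commented out" if name in commented else "missing"
            findings.append(f"{name}: {state}")
    for value in active.get("SSLProtocol", []):
        for proto in value.split():
            if proto in DEPRECATED:
                findings.append(f"SSLProtocol: {proto} is deprecated ({DEPRECATED[proto]})")
    cert = active.get("SSLCertificateFile", [""])[-1]
    key = active.get("SSLCertificateKeyFile", [""])[-1]
    if cert and cert == key:
        findings.append("SSLCertificateFile and SSLCertificateKeyFile are the same path")
    return findings

def audit_genrsa(output):
    """Flag a key size below MIN_RSA_BITS using the 'bit long modulus' line."""
    match = re.search(r"(\d+) bit long modulus", output)
    if match and int(match.group(1)) < MIN_RSA_BITS:
        return [f"RSA key: {match.group(1)} bits is below {MIN_RSA_BITS}"]
    return []

# Constructed sample modelled on the fragment shown in the guide.
SHIPPED = """SSLSessionCacheSize 0
#Listen 23016
#Listen [::]:23016
#  ServerName s1j-orca2xp
#  SSLEnable
#  SSLProtocol SSLv3 TLSv1
#  SSLRequireSSL
#  SSLCertificateFile C:/ca/httpsd.pem
#  SSLCertificateKeyFile C:/ca/httpsdkey.pem
"""
# The same fragment after editing, with one line (SSLRequireSSL) forgotten.
EDITED = SHIPPED.replace("#Listen", "Listen").replace("#  ", "  ").replace(
    "  SSLRequireSSL", "#  SSLRequireSSL")

if __name__ == "__main__":
    print("\n".join(audit_conf(EDITED)))
```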
    						