topic Isolate a lun to one machine in Disk Enclosures

Isolate a lun to one machine

Charles Holland — Wed, 25 Mar 2009 13:58:27 GMT

Landscape is as follows
1 Va7110 with luns 0 - 5
6 HPUX servers

Lun 0 all servers see it
Lun 1&2 server H see (mirror of vg00 & vg01)
Lun 3 server TW sees it
Lun 4 server H sees it.
Lun 5 I am trying to isolate to server TH

Except for Lun 0 and 5 (just created and configured in secure manager in the VA to go to TH). Problem is that all servers can see it when you do an ioscan -fnCdisk.

It has been suggested that I do port isolation on the switches somehow to say Lun 5 is ONLY viewable by server TH and none others.

Do I need to user any of the arm commands also? It has only been 5 years since we last touched this and all memory is long gone.

Thanks in advance.
Chuck

Re: Isolate a lun to one machine

Torsten. — Wed, 25 Mar 2009 14:10:23 GMT

You need to configure the secure manager access table - most easy from the GUI of commandview sdm AFAIR.

Re: Isolate a lun to one machine

Torsten. — Wed, 25 Mar 2009 14:13:47 GMT

Examples from the manual:

Read the current contents of the security table into file secure.txt on host with
alias green. The password is the default value, AUTORAID.

armsecure -r -f secure.txt -p AUTORAID green

Write the security table stored in file secure.txt to array alias green. The
password is s33k3r. Clear the exisitng table before writing the new one, and
re-enable Secure Manager.

armsecure â w -c â f secure.txt -p s33k3r green

armsecure â e -p s33k3r green

Re: Isolate a lun to one machine

Torsten. — Wed, 25 Mar 2009 14:15:10 GMT

Sorry bad format. again:

Write the security table stored in file secure.txt to array alias green. The
password is s33k3r. Clear the exisitng table before writing the new one, and
re-enable Secure Manager.

armsecure -w -c -f secure.txt -p s33k3r green

armsecure -e -p s33k3r green

Re: Isolate a lun to one machine

Charles Holland — Wed, 25 Mar 2009 15:34:37 GMT

Torsten,

The commands you suggest appear that your are going to unload the access table, wipe it out and then load it back. What kind of change can that cause?

from the command:
armsecure -r -f /tmp/stuff -p passw0rd va7110
I get
# more /tmp/stuff
DEFAULT 0 WC
NODEWWN 50060b0000236bc7 1 W
NODEWWN 50060b0000236bc7 2 W
NODEWWN 50060b0000236bc7 4 W
NODEWWN 50060b0000236c6b 3 W
NODEWWN 50060b000023b999 1 W
NODEWWN 50060b000023b999 2 W
NODEWWN 50060b000023b999 4 W
NODEWWN 50060b000023b9a5 5 W
NODEWWN 50060b000023b9e5 5 W
NODEWWN 50060b0000242599 3 W
DEFAULT 1 0
DEFAULT 2 0
DEFAULT 3 0
DEFAULT 4 0
DEFAULT 5 W

which pretty well matches what is in the attatched screen shot from the VA itself.
Item 5 to each of the two san swithches is how I have it. That part I feel I have right.

How do I set things up after that so that ONLY server TH can see the lun?

Re: Isolate a lun to one machine

Torsten. — Wed, 25 Mar 2009 15:46:22 GMT

If you download the file, modify it and load it back, it would be extend the existing entries if you don't clear the table first.

Can you see what is wrong?

DEFAULT 1 0
DEFAULT 2 0
DEFAULT 3 0
DEFAULT 4 0
DEFAULT 5 W

The default for LUN 5 is write access for all servers:

...Permissions

0 - No access. Denies all access to the LUN. By default each LUN (except
LUN 0) is assigned this permission when it is created. LUN 0 is assigned â CWâ
permission. If a host is denied access to a LUN, the host operating system will
not â seeâ the LUN. This value is represented as â Noneâ in the GUI Secure
Manager table.
On versions of firmware prior to HP14, the default LUN table entries grant Write
access to all hosts.

W - Write access. Grants a host full access to all data on the LUN. With write
permission, a host can write data to the LUN, and read all data on the LUN. A table
entry granting a host write permission to a LUN overrides the No Access security
imposed by default on all other hosts.

Re: Isolate a lun to one machine

Charles Holland — Wed, 25 Mar 2009 16:17:31 GMT

I see my mistake (I remember changing this to write) and have corrected it. But still on server H, that shouldn't see LUN 5 I have the following output from an IO scan:

disk 20 1/0/2/0/0.2.0.0.0.0.5 sdisk NO_HW DEVICE HP A6189B

From server M I have the following:
disk 26 0/2/0/0.1.0.0.0.0.5 sdisk NO_HW DEVICE HP A6189B
/dev/dsk/c6t0d5 /dev/rdsk/c6t0d5

Again I am trying to get only one server to see this Lun.

Re: Isolate a lun to one machine

Torsten. — Wed, 25 Mar 2009 16:34:08 GMT

Looks good now:

NO_HW indicates the server cannot access it any longer. This will disappear after a reboot (or use rmsf).

Re: Isolate a lun to one machine

Charles Holland — Thu, 26 Mar 2009 11:31:09 GMT

Torsten, thanks for the help, won't make that mistake on the next LUN creation.
Chuck