Updating applications with a DS Network Interface client

To create a more secure connection to the DS8000®, update applications that connect to the storage system through the DS Network Interface so that they use the DS Network Interface client R7.2 or later.

About this task

The DS Network Interface server on the Hardware Management Console (HMC) is accessed by a number of IBM applications that use a DS Network Interface client. The DS Network Interface server R7.1.x or earlier has a legacy certificate with a weak public key (RSA-1024) and digital signature (MD5). The DS Network Interface client R7.1.x or earlier has a trust anchor associated with that certificate. The DS Network Interface server R7.2 and later contains both the legacy certificate and a NIST SP 800-131A compliant certificate, which has a NIST SP 800-131A compliant public key (RSA-2048) and digital signature (SHA-256). . The DS Network Interface client R7.2 and later automatically uses the NIST SP 800-131A certificate with DS8000 systems that are running R7.2 and later. For compatibility, it uses the legacy certificate with DS8000 systems that are running R7.1.x and earlier. Although it is not possible to upgrade the DS Network Interface client in an IBM application, you should upgrade the applications to a level that contains the DS Network Interface client R7.2 or later.

The following IBM applications include the DS Network Interface client for R7.2.
  • DS CLI client v7.7.20.xxx or later
  • Easy Tier Heat Map Transfer Utility v7.7.20.xxx or later, or the heat map transfer utility that is provided with IBM Tivoli Productivity Center for Replication included in Tivoli® Storage Productivity Center 5.2.1 or later
  • Tivoli Storage Productivity Center 5.2.1 or later
  • IBM System Storage DS8000 for VMware vCenter Site Recovery Manager 5.x Version 2.2.1

Procedure

  1. Update any of the above applications that are in use to the indicated versions, to support DS Network Interface client for R7.2.
  2. Disable the legacy DS Network Interface server certificate by using the DS CLI manageaccess command to disable port 1750. When port 1750 is disabled on the HMC R7.2, the DS Network Interface clients for R7.1.x or earlier cannot connect to the DS Network Interface server for R7.2.

    If disabling port 1750 results in one or more DS Network Interface clients losing network connectivity because they were not updated to be compatible with R7.2, use the manageaccess command to enable port 1750 and restore access, Update the applications as needed so that port 1750 can be disabled without losing connectivity.

    Notes:
    1. The DS Network Interface client for R7.2 connects to the DS Network Interface server for R7.2 on port 1751. If any of the above applications, the DS CLI client, or the DS Storage Manager that is installed on the management server access the DS8870 with LMC R7.2 or later at a remote site, you might need to configure your firewall to enable TLS connections on port 1751.
    2. If your storage system is configured to conform with NIST SP 800-131A, refer to the procedure for configuring the DS Network Interface server to conform with NIST SP 800-131A guidelines. This procedure automatically disables port 1750.
Related concepts:
Configuring your environment for conformance with NIST SP 800-131A guidelines
Related reference:
manageaccess