U.S. patent application number 11/007093 was filed with the patent office on 2006-05-04 for storage system.
This patent application is currently assigned to Hitachi, Ltd. Invention is credited to Yusuke Nonaka, Junji Ogawa.
Application Number | 20060095553 11/007093 |
Family ID | 35079462 |
Filed Date | 2006-05-04 |
United States Patent Application | 20060095553 |
Kind Code | A1 |
Ogawa; Junji; et al. | May 4, 2006 |
Storage system
Abstract
In a storage system that manages update prohibition (WORM)
information, when time management is not performed with precision,
there arises a possibility that an update prohibition (WORM)
attribute may be erased before a preservation period expires. This
invention provides a storage system coupled to at least one of time
servers through a network, including: a first time information
holding unit that holds first time information to be used to manage
an update prohibition attribute of data; a second time information
holding unit that holds second time information to be used to
establish time synchronization with a device coupled to the
network; and a time update unit that manages the first time
information and the second time information, in which the time
update unit receives third time information from the at least one
of the time servers and judges whether the third time information
satisfies a predetermined condition, and updates the first time
information based on the third time information when the third time
information satisfies the predetermined condition.
Inventors: | Ogawa; Junji; (Yokohama, JP); Nonaka; Yusuke; (Sagamihara, JP) |
Correspondence Address: | TOWNSEND AND TOWNSEND AND CREW, LLP, TWO EMBARCADERO CENTER, EIGHTH FLOOR, SAN FRANCISCO, CA 94111-3834, US |
Assignee: | Hitachi, Ltd., Tokyo, JP |
Family ID: | 35079462 |
Appl. No.: | 11/007093 |
Filed: | December 7, 2004 |
Current U.S. Class: | 709/223 |
Current CPC Class: | G06F 21/725 20130101 |
Class at Publication: | 709/223 |
International Class: | G06F 15/173 20060101 G06F015/173 |
Foreign Application Data
Date | Code | Application Number |
Oct 13, 2004 | JP | 2004-298776 |
Claims
1. A storage system coupled to at least one of time servers through
a network, comprising: a first time information holding unit that
holds first time information to be used to manage an update
prohibition attribute of data; a second time information holding
unit that holds second time information to be used to establish
time synchronization with a device coupled to the network; and a
time update unit that manages the first time information and the
second time information, wherein the time update unit receives
third time information from the at least one of the time servers
and judges whether the third time information satisfies a
predetermined condition, and updates the first time information
based on the third time information when the third time information
satisfies the predetermined condition.
2. The storage system according to claim 1, wherein the first time
information holding unit is a first clock, and the second time
information holding unit is a second clock that is independent of
the first clock.
3. The storage system according to claim 1, wherein one of the
first time information holding unit and the second time information
holding unit is a clock and the other thereof is a storage area in
which a difference between the first time information and the
second time information is held.
4. The storage system according to claim 1, wherein the time update
unit judges that the third time information satisfies the
predetermined condition when a difference between the third time
information and the first time information is within a
predetermined range, and updates the second time information based
on the third time information regardless of whether the third time
information satisfies the predetermined condition.
5. The storage system according to claim 4, wherein the time update
unit judges that the third time information does not satisfy the
predetermined condition when a time shown by the first time
information is earlier than a time shown by the third time
information.
6. The storage system according to claim 1, wherein the time update
unit authenticates the at least one of the time servers that
transmitted the third time information when receiving the third
time information, and judges that the third time information
satisfies the predetermined condition when the authentication of
the at least one of the time servers ends in success.
7. The storage system according to claim 6, wherein the time update
unit receives third time information from another one of the time
servers when the authentication of the at least one of the time
servers ends in failure, and authenticates the another one of the
time servers that transmitted the third time information.
8. The storage system according to claim 6, wherein the third time
information is encrypted using a secret key corresponding to a
predetermined public key, and the time update unit decrypts the
third time information using the predetermined public key when
receiving the third time information, and judges that the
authentication of the at least one of the time servers that
transmitted the third time information ends in success when the
decryption ends in success.
9. A computer system comprising: a storage system; at least one of
time servers; and a network that couples the storage system and at
least one of the time servers to each other, the storage system
comprising: a first time information holding unit that holds first
time information to be used to manage an update prohibition
attribute of data; a second time information holding unit that
holds second time information to be used to establish time
synchronization with a device coupled to the network; and a time
update unit that manages the first time information and the second
time information, wherein the at least one of the time servers
transmits third time information to the storage system, and the
time update unit receives the third time information from the at
least one of the time servers and judges whether the third time
information satisfies a predetermined condition, and updates the
first time information based on the third time information when the
third time information satisfies the predetermined condition.
10. The computer system according to claim 9, wherein the first
time information holding unit is a first clock, and the second time
information holding unit is a second clock that is independent of
the first clock.
11. The computer system according to claim 9, wherein one of the
first time information holding unit and the second time information
holding unit is a clock and the other thereof is a storage area in
which a difference between the first time information and the
second time information is held.
12. The computer system according to claim 9, wherein the time
update unit judges that the third time information satisfies the
predetermined condition when a difference between the third time
information and the first time information is within a
predetermined range, and updates the second time information based
on the third time information regardless of whether the third time
information satisfies the predetermined condition.
13. The computer system according to claim 12, wherein the time
update unit judges that the third time information does not satisfy
the predetermined condition when a time shown by the first time
information is earlier than a time shown by the third time
information.
14. The computer system according to claim 9, wherein the time
update unit authenticates the at least one of the time servers that
transmitted the third time information when receiving the third
time information, and judges that the third time information
satisfies the predetermined condition when the authentication of
the at least one of the time servers ends in success.
15. The computer system according to claim 14, wherein the time
update unit receives third time information from another one of the
time servers when the authentication of the at least one of the
time servers ends in failure, and authenticates the another one of
the time servers that transmitted the third time information.
16. The computer system according to claim 14, wherein the third
time information is encrypted using a secret key corresponding to a
predetermined public key, and the time update unit decrypts the
third time information using the predetermined public key when
receiving the third time information, and judges that the
authentication of the at least one of the time servers that
transmitted the third time information ends in success when the
decryption ends in success.
Description
CLAIM OF PRIORITY
[0001] The present application claims priority from Japanese
application P2004-298776 filed on Oct. 13, 2004, the content of
which is hereby incorporated by reference into this
application.
BACKGROUND
[0002] This invention relates to a storage system, in particular,
management of data whose preservation period is determined.
[0003] In a computer system comprising plural devices such as
computers, it is required to establish synchronization of a time
held by each device constituting the system. For instance, the time
is used to create logs to be obtained in the computer system. With
the logs, various situations, such as an influence exerted by an
operation of a certain device on another device, are grasped.
[0004] In general, in order to establish time synchronization in
the computer system, an NTP (Network Time Protocol) server is used.
In other words, one of the devices in the computer system is set as
the NTP server and transmits time information to each of the other
devices, thereby allowing every device in the computer system to
obtain the same time.
[0005] Meanwhile, among data stored in a storage system, there is
data whose preservation for a certain period of time is obligated.
Such data is, for instance, audit target data in a specific
category of business.
[0006] There is a method with which a WORM (Write Once Read Many)
attribute, in other words, an update prohibition attribute is given
to such data at the time of storage, thereby proving that the data
determined once is not erased or tampered with and ensuring the
correctness of the data.
[0007] In general, the WORM is a property possessed by write-once
optical disks and the like (CD-Rs, for instance). Therefore, by
storing data on such write-once media, the WORM attribute is
realized with ease.
[0008] Aside from this, from the viewpoint of performance and the
like, a method is also proposed with which the WORM is realized in
a storage system comprising a magnetic disk.
[0009] In JP 07-13705 A, a method is disclosed with which
overwriting of data on a disk is prevented by providing a writing
prohibition flag or the like on the disk.
SUMMARY
[0010] When a WORM attribute is virtually given to a medium, such
as a magnetic disk, that does not originally possess a WORM
attribute, it is possible to set a term (WORM guarantee term) for
the WORM attribute. In this case, the WORM attribute can be reset
when the set term expires.
[0011] In the case of data whose preservation for a certain period
of time is obligated, for instance, once the period of time ends,
an area used to store the data can be used for another purpose.
Therefore, it becomes possible to use the storage area with
efficiency.
[0012] On the other hand, unlike the case of the
write-once optical disks and the like where the WORM attribute is
maintained by the property of the media, when a cyber attack is
made by a person on a portion that manages the WORM attribute, in
particular, a portion that manages a time relating to a designated
period of time, the WORM attribute may be changed before the
designated period of time expires.
[0013] When the time of a clock that is referred to at the time of
the management of the WORM attribute is intentionally or
erroneously advanced, for instance, there arises a danger that
data, whose WORM guarantee term has not yet expired in actuality,
may be updated.
[0014] In order to solve such a problem, it is possible to manage
the time for the WORM management by completely hiding the time from
users. In this case, however, time synchronization can not be
established in a computer system that the users use.
[0015] Also, in this case, an innocent administrator cannot
correct a time deviation that occurred due to a hardware reason.
[0016] This invention provides a storage system coupled to at least
one of time servers through a network, including: a first time
information holding unit that holds first time information to be
used to manage an update prohibition attribute of data; a second
time information holding unit that holds second time information to
be used to establish time synchronization with a device coupled to
the network; and a time update unit that manages the first time
information and the second time information, in which the time
update unit receives third time information from the at least one
of the time servers and judges whether the third time information
satisfies a predetermined condition, and updates the first time
information based on the third time information when the third time
information satisfies the predetermined condition.
[0017] According to this invention, it becomes possible to realize
a storage system that reliably protects data, whose WORM guarantee
term has not yet expired.
BRIEF DESCRIPTION OF THE DRAWINGS
[0018] FIG. 1 is a block diagram showing a configuration of a
computer system according to a first embodiment of this
invention.
[0019] FIG. 2 is a block diagram showing a configuration of a
storage system according to the first embodiment of this
invention.
[0020] FIG. 3 is an explanatory diagram of a memory according to
the first embodiment of this invention.
[0021] FIG. 4 is an explanatory diagram of WORM management clock
management information according to the first embodiment of this
invention.
[0022] FIG. 5 is an explanatory diagram of time update at check
times according to the first embodiment of this invention.
[0023] FIG. 6 is a flowchart of processing executed at the time of
update of a WORM management clock and a site clock according to the
first embodiment of this invention.
[0024] FIG. 7 is a block diagram showing a configuration of a
computer system according to a second embodiment of this
invention.
[0025] FIG. 8 is an explanatory diagram of a memory according to
the second embodiment of this invention.
[0026] FIG. 9 is an explanatory diagram of WORM management clock
management information according to the second embodiment of this
invention.
[0027] FIG. 10 is an explanatory diagram of time update according
to the second embodiment of this invention.
[0028] FIG. 11 is a flowchart of processing executed at the time of
update of a WORM management clock according to the second
embodiment of this invention.
[0029] FIG. 12 is an explanatory diagram of a management screen
according to the second embodiment of this invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
[0030] FIG. 1 is a block diagram showing a configuration of a
computer system according to a first embodiment of this
invention.
[0031] Each host 2 is a computer that is connected to each storage
system 4 through a storage area network (SAN) 3. The host 2
accesses data stored in the storage system 4 using a block I/O
interface or a file I/O interface.
[0032] In addition, the host 2 is connected to the storage system 4
through an IP network 1. The host 2 may access the data stored in
the storage system 4 through the IP network 1.
[0033] In the storage system 4, data is stored. To the data stored
in the storage system 4, a WORM (Write Once Read Many) attribute or
an update prohibition attribute may be given. Further, a term (WORM
guarantee term) can be set in which the WORM attribute should be
maintained. When the WORM guarantee term is set for data, the host
2 or the like can not update the data before the WORM guarantee
term expires.
[0034] An in-site NTP server 5 is a computer that is connected to
the host 2, the storage system 4, and a management host 6 through
the IP network 1. The in-site NTP server 5 functions as a time
server that transmits time information to each of the devices
connected to the IP network 1 using an NTP. Each of the devices
connected to the IP network 1 synchronizes the time of its internal
clock to the time information received from the in-site NTP server
5.
[0035] The management host 6 is a computer comprising an
input/output device (not shown). The management host 6 is connected
to the host 2, the storage system 4, and the in-site NTP server 5
through the IP network 1 and manages those devices.
[0036] FIG. 2 is a block diagram showing a configuration of the
storage system 4 according to the first embodiment of this
invention.
[0037] The storage system 4 comprises disk drives 111 to 113 and a
controller 101.
[0038] In the disk drives 111 to 113, data is stored.
[0039] The controller 101 manages the data stored in the disk
drives 111 to 113. The controller 101 comprises a host input/output
control unit 121, a data transfer control unit 122, a cache memory
123, a disk input/output control unit 124, a CPU 125, a management
I/F 126, a memory 127, a WORM management clock 128, a site clock
129, and an internal bus 130.
[0040] The host input/output control unit 121 is an interface that
communicates with the host 2 through the SAN 3. For instance, the
host input/output control unit 121 exchanges data and a control
signal with the host 2 and the like using a fibre-channel protocol
or an iSCSI protocol. In addition, the host input/output control
unit 121 performs conversion of protocols used outside and inside
the storage system 4.
[0041] The cache memory 123 is, for instance, a semiconductor
memory and temporarily stores data to be exchanged between the host
input/output control unit 121 and the disk input/output control
unit 122.
[0042] The data transfer control unit 122 controls data transfer
between the CPU 125, the host input/output control unit 121, the
disk input/output control unit 124, and the cache memory 123. In
addition, for data guarantee, the data transfer control unit 122
adds a guarantee code to data to be transferred.
[0043] The disk input/output control unit 124 is an interface with
respect to the disk drives 111 to 113. For instance, the disk
input/output control unit 124 exchanges data and a control signal
with the disk drive 111 and the like using an interface of ATA, SAS
(Serial Attached SCSI), fibre channel, or the like. In addition,
the disk input/output control unit 124 performs conversion of
protocols used outside and inside the controller 101.
[0044] In other words, the data transfer control unit 122 transfers
data to be read/written from/into the disk drive 111 or the like by
the host 2 between the host input/output control unit 121 and the
disk input/output control unit 124. In addition, the data transfer
control unit 122 transfers the data to the cache memory 123.
[0045] The management interface (I/F) 126 is an interface with
respect to the IP network 1. The management I/F 126 exchanges data
and a control signal with the management host 6 and the like using
a TCP/IP protocol.
[0046] In the memory 127, a control program is stored. The CPU 125
reads the control program from the memory 127 and executes it,
thereby realizing various kinds of processing. In addition, in the
memory 127, management information to be used at the time of
execution of the control program is stored.
[0047] The WORM management clock 128 is used to manage the WORM
attribute given to the data stored in the storage system 4. More
specifically, the WORM management clock 128 is referred to at the
time when judging whether the WORM guarantee term has expired.
[0048] The site clock 129 manages a time (in-site time) used to
establish synchronization of the respective devices in the computer
system.
[0049] In this embodiment, the WORM management clock 128 and the
site clock 129 are mutually independent clocks. However, this
invention is not limited to such mutually independent clocks and it
is sufficient that these clocks each hold time information.
[0050] For instance, the WORM management clock 128 may be a clock
and the site clock 129 may be a storage area on the cache memory
123 in which information showing a difference between a time
indicated by the WORM management clock 128 and the in-site time is
stored. In this case, the time indicated by the site clock 129 is a
value obtained by adding the difference stored in the storage area
to the time indicated by the WORM management clock 128.
[0051] Alternatively, the site clock 129 may be a clock and the
WORM management clock 128 may be a storage area on the cache memory
123.
[0052] The internal bus 130 connects the units, such as the CPU
125, in the controller 101 to each other in a communicable
manner.
[0053] The disk drives 111 to 113 constitute a disk array. In the
example shown in FIG. 2, only three disk drives are provided,
although it is possible to provide the storage system 4 with an
arbitrary number of disk drives.
[0054] FIG. 3 is an explanatory diagram of the memory 127 according
to the first embodiment of this invention.
[0055] In the memory 127, the control program and the management
information are stored. Various kinds of processing are realized
through execution of the control program by the CPU 125. More
specifically, in the memory 127, an operating system 201, a disk
array control program 202, a data transfer control program 203, an
NTP client program 204, an input/output control unit driver program
205, a site clock management program 206, a WORM management clock
management program 211, a time update program 212, and WORM
management clock management information 213 are stored.
[0056] The operating system 201 is a basic program that causes each
control program to operate.
[0057] The disk array control program 202 controls input/output of
data into/from the disk drive 111 or the like according to a data
input/output request from the host 2 or the like. More
specifically, the disk array control program 202 performs control
of the disk array such as RAID conversion or logical-physical
address conversion.
[0058] The data transfer control program 203 performs data transfer
by controlling the data transfer control unit 122.
[0059] The NTP client program 204 interprets data issued from the
in-site NTP server 5 using the NTP, thereby obtaining time
information. The obtained time information is used to update the
WORM management clock 128 and the site clock 129.
[0060] The input/output control unit driver program 205 controls
the host input/output control unit 121 and the disk input/output
control unit 124.
[0061] The site clock management program 206 updates the site clock
129 according to an instruction from the time update program 212 or
an instruction from an administrator.
[0062] When time update is requested by the time update program 212
or the like, the WORM management clock management program 211
judges whether the requested update should be permitted or
prohibited by referring to the WORM management clock management
information 213. Following this, when it is judged that the update
should be permitted, the WORM management clock management program
211 updates the WORM management clock 128.
[0063] The time update program 212 updates the site clock 129 and
the WORM management clock 128 by controlling the NTP client program
204, the site clock management program 206, and the WORM management
clock management program 211 with reference to the WORM management
clock management information 213. An operation of the time update
program 212 will be described in detail later with reference to
FIG. 6.
[0064] FIG. 4 is an explanatory diagram of the WORM management
clock management information 213 according to the first embodiment
of this invention.
[0065] The WORM management clock management information 213
contains various items named "check interval" 221 showing intervals
at which the WORM management clock is updated, "allowable
correction degree" 222 showing an allowable correction degree at
the time of the update, "time of the last update" 223 showing a
time at which the last update was made, "correction at the time of
the last update" 224 showing a correction degree at the time of the
last update, "time of the update before last" 225 showing a time at
which the update before last was made, and "correction at the time
of the update before last" 226 showing a correction degree at the
time of the update before last. The WORM management clock
management information 213 may contain an update time and a
correction degree of an update further preceding the update before
last.
[0066] In this embodiment, the check interval 211 is fixed (at 10
minutes) and the WORM management clock 128 is updated at regular
intervals, although the WORM management clock 128 may be updated at
random intervals. With the random update intervals, robustness
against time tampering by a malicious administrator is
improved.
[0067] In the example shown in FIG. 4, the allowable correction
degree 222 is set in a range of from -2 seconds to +0 second per 10
minutes. In other words, it is prohibited that the time is delayed
by more than 2 seconds per 10 minutes. Also, regardless of the
correction degree, it is prohibited that the time is advanced.
[0068] Here, the correction degree is a degree by which the time is
advanced (or delayed) at the time of update. For instance, when the
time is advanced by 1 second, the correction degree is +1 second.
Also, when the time is delayed by 2 seconds, the correction degree
is -2 seconds. The allowable correction degree 222 is an allowable
range of correction.
[0069] In the example shown in FIG. 4, correction in a direction in
which the time advances is prohibited in order to reliably protect
data, whose WORM guarantee term has not yet expired. When the time
of the WORM management clock 128 is advanced, the WORM guarantee
term will expire early. When the time of the WORM management clock
128 is intentionally or erroneously set earlier than the actual
time, this may result in a situation where data, whose WORM
guarantee term has not yet expired in actuality, is recognized as
data whose WORM guarantee term has expired, and the WORM attribute
is reset. In order to prevent such a situation, the correction in
the direction in which the time advances is prohibited.
[0070] The allowable correction degree in the direction, in which
the time is delayed, is determined in accordance with the accuracy
of the embedded clocks.
[0071] FIG. 5 is an explanatory diagram of time update at check
times according to the first embodiment of this invention.
[0072] A standard time 401 is the actual time (for instance,
Japanese Standard Time).
[0073] A time of the in-site NTP server 402 is a time held by the
in-site NTP server 5. The time of the in-site NTP server 402 is
transmitted to each of the devices in the computer system using the
NTP. The in-site NTP server 5 can not directly obtain the standard
time 401. Therefore, the time of the in-site NTP server 402 may
deviate from the standard time 401.
[0074] A time of the site clock 403 is a time held by the site
clock 129.
[0075] A time of the WORM management clock 404 is a time held by
the WORM management clock 128.
[0076] First, a check time 1 is reached (in other words, the time
of the site clock becomes "12:00:00"). In the example shown in FIG.
5, at this point in time, the standard time 401, the time of the
in-site NTP server 402, the time of the site clock 403, and the
time of the WORM management clock 404 all indicate "12:00:00".
Therefore, it is not required to perform correction on each of the
clocks.
[0077] Next, a check time 2 is reached (in other words, the time of
the site clock becomes "12:10:00").
[0078] At this point in time, the standard time 401 and the time of
the in-site NTP server 402 both indicate "12:09:59".
[0079] On the other hand, the time of the site clock 403 and the
time of the WORM management clock 404 are each "12:10:00" and are 1
second earlier than the time of the in-site NTP server 402.
[0080] In this state, the time "12:09:59" is transmitted from the
in-site NTP server 5.
[0081] The time of the site clock 403 is unconditionally updated to
the time as "12:09:59".
[0082] The time of the WORM management clock 404 also receives the
time "12:09:59" in a like manner and it is found that the
correction degree is -1 second. As described above, in this
example, the allowable correction degree 222 in the WORM management
clock management information 213 is set in a range of from -2
seconds to +0 second. In other words, the correction degree "-1
second" is within the range of the allowable correction degree 222,
so this time correction is regarded not as time tampering but as
correction of a time deviation that occurred due to a hardware reason.
As a result, the time correction is permitted and the time of the
WORM management clock 404 is updated to "12:09:59".
[0083] Next, a check time 3 is reached (in other words, the time of
the site clock becomes "12:10:00").
[0084] At this point in time, the time of the in-site NTP server
402 indicates "12:20:03". On the other hand, the time of the site
clock 403 and the time of the WORM management clock 404 both
indicate "12:20:00". Also, the standard time 401 is "12:20:00".
[0085] Like in the case of the check time 2, the time of the site
clock 403 is unconditionally synchronized to the time of the
in-site NTP server 402 and is updated to "12:20:03".
[0086] On the other hand, the time of the WORM management clock 404
also receives the time "12:20:03" from the in-site NTP server 5. In
this case, however, the correction degree is +3 seconds, which is
outside the range of the allowable correction degree 222.
Therefore, this update is regarded as improper update and the time
correction is not permitted.
[0087] In FIG. 5, at the check time 3, the standard time 401 is
"12:20:00". In other words, the time of the in-site NTP server 402
is 3 seconds earlier than the standard time 401. If the time of the
WORM management clock 404 is corrected so as to coincide with the
time of the in-site NTP server 402, the time of the WORM management
clock 404 becomes 3 seconds earlier than the standard time 401. In
this case, the end of the WORM guarantee term is reached 3 seconds
earlier with respect to the actual time (in other words, the
standard time 401). Accordingly, there arises a danger that data,
whose WORM guarantee term has not yet expired in actuality, may be
tampered with.
[0088] According to this embodiment, however, correction to advance
the time of the WORM management clock 404 is prohibited. Therefore,
the time of the WORM management clock 404 is prevented from
becoming earlier than the standard time 401. As a result, there
will never arise a danger that data, whose WORM guarantee term has
not yet expired, may be tampered with.
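The FIG. 5 walkthrough above, replayed as an added Python example (not code from the patent application): the site clock follows the in-site NTP server unconditionally, while the WORM management clock accepts a correction only inside the allowable correction degree of -2 to +0 seconds. The class and method names, the calendar date, the 12:20:02 guarantee term end, and the choice to record only applied updates in the history are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class WormClockPolicy:
    """Two items of the WORM management clock management information (FIG. 4)."""
    check_interval: timedelta = timedelta(minutes=10)  # "check interval" 221
    min_correction: timedelta = timedelta(seconds=-2)  # allowable correction degree 222
    max_correction: timedelta = timedelta(seconds=0)   # +0: the clock is never advanced


@dataclass
class TimeUpdateUnit:
    site_clock: datetime   # in-site time, follows the NTP server unconditionally
    worm_clock: datetime   # referred to when judging WORM guarantee terms
    policy: WormClockPolicy = field(default_factory=WormClockPolicy)
    # Last two applied updates as (time, correction); assumed to mirror items 223-226.
    history: deque = field(default_factory=lambda: deque(maxlen=2))

    def tick(self, elapsed: timedelta) -> None:
        """Both clocks free-run between check times."""
        self.site_clock += elapsed
        self.worm_clock += elapsed

    def on_check(self, server_time: datetime):
        """Apply one time report received from the in-site NTP server."""
        # Site clock: set to the received time without any condition.
        self.site_clock = server_time
        # WORM management clock: compute the correction degree and gate on it.
        correction = server_time - self.worm_clock
        permitted = (self.policy.min_correction <= correction
                     <= self.policy.max_correction)
        if permitted:
            self.worm_clock = server_time
            self.history.append((server_time, correction))
        return correction, permitted

    def guarantee_expired(self, term_end: datetime) -> bool:
        """A WORM guarantee term is judged against the WORM clock only."""
        return self.worm_clock >= term_end


def replay_fig5():
    """Replay check times 1 to 3 of FIG. 5 and return what each clock ends up holding."""
    start = datetime(2004, 12, 7, 12, 0, 0)  # constructed date; times of day from FIG. 5
    unit = TimeUpdateUnit(site_clock=start, worm_clock=start)
    server_reports = ["12:00:00", "12:09:59", "12:20:03"]  # time of the in-site NTP server

    def fmt(t: datetime) -> str:
        return t.strftime("%H:%M:%S")

    rows = []
    for n, report in enumerate(server_reports):
        # A check time is reached when the site clock shows start + n * interval.
        check_time = start + n * unit.policy.check_interval
        unit.tick(check_time - unit.site_clock)
        h, m, s = map(int, report.split(":"))
        server_time = start.replace(hour=h, minute=m, second=s)
        correction, permitted = unit.on_check(server_time)
        rows.append((fmt(check_time), correction.total_seconds(), permitted,
                     fmt(unit.site_clock), fmt(unit.worm_clock)))

    # Constructed guarantee term ending at 12:20:02, inside the 3-second gap.
    term_end = start.replace(minute=20, second=2)
    expired_by_site_clock = unit.site_clock >= term_end
    expired_by_worm_clock = unit.guarantee_expired(term_end)
    return rows, expired_by_site_clock, expired_by_worm_clock


if __name__ == "__main__":
    rows, by_site, by_worm = replay_fig5()
    for row in rows:
        print(row)
    print("expired judged by site clock:", by_site)
    print("expired judged by WORM clock:", by_worm)
```

After check time 3 the two clocks disagree by 3 seconds, and the constructed term that the site clock would already treat as expired is still protected because only the WORM management clock is consulted.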
[0089] FIG. 6 is a flowchart of processing executed at the time of
update of the WORM management clock 128 and the site clock 129
according to the first embodiment of this invention.
[0090] The flowchart shown in FIG. 6 is executed by the time update
program 212. In FIG. 6, the NTP client program 204, the site clock
management program 206, and the WORM management clock management
program 211 each operate as a subroutine of the time update program
212.
[0091] In a step 501, the update processing is started. Then, in a
step 502, the site clock management program 206 judges whether the
current time has reached a check time.
[0092] When doing so, the site clock management program 206 may
refer to the time indicated by the site clock 129 as the current
time or may refer to the time indicated by the WORM management
clock 128 as the current time.
[0093] In this embodiment, the time indicated by the site clock 129
is referred to as the current time.
[0094] Also, in this embodiment, intervals between check times are
set with reference to the check interval 221 in the WORM management
clock management information 213. However, the check intervals for
update of the site clock 129 and the check intervals for update of
the WORM management clock 128 may be different from each other.
[0095] Also, the check intervals for the update of the WORM
management clock 128 may be set as irregular intervals. For
instance, by updating the time of the WORM management clock 128 at
random intervals, robustness against time tampering is
improved.
[0096] When it is judged in the step 502 that the current time has
not reached a check time, the processing returns to the step 502
and it is judged again whether a check time is reached.
[0097] On the other hand, when it is judged in the step 502 that
the current time has reached a check time, the processing proceeds
to a step 503 in which the NTP client program 204 obtains time
information at that point in time from the in-site NTP server
5.
[0098] Next, in a step 504, the site clock management program 206
unconditionally reflects the time obtained in the step 503 in the
site clock 129. More specifically, the site clock management
program 206 corrects the time of the site clock 129 so as to
coincide with the time obtained in the step 503.
[0099] Next, in a step 505, the WORM management clock management
program 211 computes a difference between the time obtained in the
step 503 and the time of the WORM management clock 128 at that
point in time and judges whether the computed difference is within
the range of the allowable correction degree 222 in the WORM
management clock management information 213.
[0100] When it is judged in the step 505 that the time difference
is within the range of the allowable correction degree 222, the
time correction is permitted. Therefore, in a step 506, the WORM
management clock management program 211 updates the WORM management
clock 128 to the time obtained from the in-site NTP server 5. Then,
in a step 507, the processing is ended.
[0101] On the other hand, when it is judged in the step 505 that
the time difference is outside the range of the allowable
correction degree, the time correction is prohibited. Therefore, in
the step 507, the processing is ended without updating the WORM
management clock 128.
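The update procedure of FIG. 6 (steps 503 to 507), as an added example that is not part of the application. The forward limit of 0 follows paragraph [0088]; the 5-second backward limit, the 600-second check interval, the class and function names and the NTP readings are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class StorageClocks:
    site_clock: int    # site clock 129 (seconds)
    worm_clock: int    # WORM management clock 128 (seconds)
    max_advance: int   # allowable correction degree 222, forward (assumed 0)
    max_delay: int     # allowable correction degree 222, backward (assumed 5)

    def tick(self, seconds):
        """Both clocks free-run between check times."""
        self.site_clock += seconds
        self.worm_clock += seconds

    def on_check_time(self, ntp_time):
        """Steps 503-507 of FIG. 6; returns True if the WORM clock was corrected."""
        self.site_clock = ntp_time                      # step 504: unconditional
        diff = ntp_time - self.worm_clock               # step 505
        if -self.max_delay <= diff <= self.max_advance:
            self.worm_clock = ntp_time                  # step 506
            return True
        return False                                    # step 507, no update

    def worm_term_expired(self, retain_until):
        """Retention is judged against the WORM clock, never the site clock."""
        return self.worm_clock >= retain_until


def run_scenario():
    """Constructed in-site NTP readings, one per 600 s check interval."""
    clocks = StorageClocks(site_clock=1000, worm_clock=1000,
                           max_advance=0, max_delay=5)
    retain_until = 50_000          # constructed end of a WORM guarantee term
    readings = [
        ("2 s behind", -2),        # small backward correction: accepted
        ("3 s ahead", +3),         # forward correction: refused
        ("1 day ahead", +86_400),  # large forward jump: refused
    ]
    log = []
    for label, offset in readings:
        clocks.tick(600)
        ntp_time = clocks.worm_clock + offset
        corrected = clocks.on_check_time(ntp_time)
        log.append((label, corrected, clocks.site_clock, clocks.worm_clock,
                    clocks.worm_term_expired(retain_until)))
    return log


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
```

After the last reading the site clock has followed the in-site NTP server past the end of the guarantee term, while the WORM management clock has not moved forward and the term is still in force.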
[0102] FIG. 7 is a block diagram showing a configuration of a
computer system according to a second embodiment of this
invention.
[0103] The configuration of the computer system according to the
second embodiment is the same as the configuration of the computer
system according to the first embodiment shown in FIG. 1 except
that the Internet 601 is connected to an IP network 1 and one or
more authentication function-equipped NTP servers 602 are connected
to the Internet 601.
[0104] Devices connected to the IP network 1 are capable of
communicating with the authentication function-equipped NTP servers
602 through the IP network 1 and the Internet 601. In this
embodiment, storage systems 4 communicate with the authentication
function-equipped NTP servers 602 and obtain time information
therefrom.
[0105] The authentication function-equipped NTP servers 602 will be
described later with reference to FIG. 10.
[0106] The IP network 1, hosts 2, a SAN 3, an in-site NTP server 5,
and a management host 6 are completely the same as those shown in
FIG. 1 and therefore the detailed description thereof will be
omitted.
[0107] A configuration of each storage system 4 is the same as the
configuration of the storage system 4 according to the first
embodiment shown in FIG. 2. However, programs and management
information stored in a memory 127 are partially different from
those according to the first embodiment.
[0108] FIG. 8 is an explanatory diagram of the memory 127 according
to the second embodiment of this invention.
[0109] A configuration of the memory 127 according to the second
embodiment is the same as the configuration of the memory 127
according to the first embodiment shown in FIG. 3 except that an
external NTP server authentication program 701 for confirming the
authentication of the authentication function-equipped NTP servers
602 from the storage system 4 is added. However, the contents of a
time update program 702 and the contents of WORM management clock
management information 703 are respectively different from the
contents of the time update program 212 and the contents of the
WORM management clock management information 213 according to the
first embodiment.
[0110] A WORM management clock management program 211, a site clock
management program 206, an NTP client program 204, an input/output
control unit driver program 205, a disk array control program 202,
a data transfer control program 203, and an operating system 201
are the same as those according to the first embodiment shown in
FIG. 3 and therefore the detailed description thereof will be
omitted.
[0111] FIG. 9 is an explanatory diagram of the WORM management
clock management information 703 according to the second embodiment
of this invention.
[0112] The WORM management clock management information 703
contains various items named "check interval" 711, "authentication
function-equipped NTP server IP address" 712, and "authentication
function-equipped NTP server public key" 713.
[0113] The check interval 711 shows the intervals of update of the
WORM management clock 128.
[0114] The authentication function-equipped NTP server IP address
712 shows the IP address of the authentication function-equipped
NTP server 602 connected to the Internet 601.
[0115] The authentication function-equipped NTP server public key
713 shows the public key set in the authentication
function-equipped NTP server 602.
[0116] When plural authentication function-equipped NTP servers 602
are connected to the Internet 601, plural authentication
function-equipped NTP servers 602 may be registered in the WORM
management clock management information 703. FIG. 9 shows a state
where two authentication function-equipped NTP servers 602 (first
authentication function-equipped NTP server 602 and second
authentication function-equipped NTP server 602) are
registered.
[0117] In the WORM management clock management information 703,
more authentication function-equipped NTP servers 602 may be
registered. By registering plural authentication function-equipped
NTP servers 602, when one authentication function-equipped NTP
server 602 is stopped, another authentication function-equipped NTP
server 602 can be used.
[0118] An administrator can select reliable authentication
function-equipped NTP servers 602 and register them in the WORM
management clock management information 703 in advance. When doing
so, it is possible to register an authentication function-equipped
NTP server 602 having higher reliability in a higher place. In the
example shown in FIG. 9, the reliability of the first
authentication function-equipped NTP server 602 is the highest and
the reliability of the second authentication function-equipped NTP
server 602 is the next highest.
[0119] In this embodiment, each of the authentication
function-equipped NTP servers 602 is authenticated using its public
key. However, the authentication function-equipped NTP server 602
may be authenticated using another method. In this case, in the
WORM management clock management information 703, information for
authenticating the authentication function-equipped NTP server 602
is stored.
[0120] In this embodiment, the check interval 711 is fixed and each
clock is updated at regular intervals, although the clock update
may be performed at random intervals.
[0121] Also, although not shown in FIG. 9, by setting an allowable
correction degree 222 like in the first embodiment of this
invention, it becomes possible to make the system more robust. In
this case, the allowable correction degree 222 is stored in the
WORM management clock management information 703.
[0122] FIG. 10 is an explanatory diagram of time update according
to the second embodiment of this invention.
[0123] The storage system 4 comprises a WORM management clock 128
and a site clock 129.
[0124] Among those clocks, the WORM management clock 128 is updated
only by the authentication function-equipped NTP server 602
connected through the Internet 601.
[0125] In the WORM management clock management information 703,
information concerning the authentication function-equipped NTP
server 602 is registered in advance.
[0126] When obtaining a time from the authentication
function-equipped NTP server 602, the storage system 4 judges
whether the authentication function-equipped NTP server 602 is
registered in the WORM management clock management information 703.
When a result of this judgment is positive, the WORM management
clock 128 is updated in the manner shown in FIG. 11.
[0127] As to the site clock 129, it is more important that the
clock 129 is synchronized with the clocks of other devices in the
site than that the clock 129 is adjusted to the correct time given
by the authentication function-equipped NTP server 602.
Consequently, the site clock 129 is updated with reference to a
time given by the in-site NTP server 5.
[0128] When doing so, like the storage system 4, every device or
the in-site NTP server 5 in the computer system may obtain a time
from the authentication function-equipped NTP server 602, thereby
having the site clock 129 indicate a time that is the same as the
time of the WORM management clock 128.
[0129] Also, the time in the computer system may be synchronized
with the time of the WORM management clock 128 that holds the
correct time obtained from the authentication function-equipped NTP
server 602.
[0130] FIG. 11 is a flowchart of processing executed at the time of
update of the WORM management clock 128 according to the second
embodiment of this invention.
[0131] In FIG. 11, with respect to a broken line, processing
executed by the storage system 4 is shown on the left side and
processing executed by the authentication function-equipped NTP
server 602 is shown on the right side.
[0132] The processing shown in FIG. 11 on the left side with
respect to the broken line is executed by the time update program
702. In FIG. 11, the NTP client program 204, the WORM management
clock management program 211, and the external NTP server
authentication program 701 each operate as a subroutine of the time
update program 702.
[0133] In a step 1001, the processing for updating the WORM
management clock 128 is started. Then, in a step 1002, the NTP
client program 204 issues a time information transmission request
to a target authentication function-equipped NTP server 602 among
the authentication function-equipped NTP servers 602 registered in
the WORM management clock management information 703.
[0134] Then, in a step 1003, the authentication function-equipped
NTP server 602 that received the time information transmission
request encrypts the current time and a specific character string
using a secret key and transmits the encrypted current time and
specific character string to the storage system 4.
[0135] In this embodiment, as described above, the NTP server is
authenticated using its public key, although another method may be
used to confirm that the NTP server is a server registered in
advance.
[0136] Also, the specific character string used here may be a
character string transmitted from the storage system 4 or may be
another character string determined in advance (character string or
the like indicating the authentication function-equipped NTP server
602, for instance).
[0137] Then, the storage system 4 receives a signal transmitted in
the step 1003 from the target authentication function-equipped NTP
server 602. Then, in a step 1004, the external NTP server
authentication program 701 decrypts the received signal using the
public key of the target authentication function-equipped NTP
server 602. Here, the public key of the target authentication
function-equipped NTP server 602 is registered in the WORM
management clock management information 703 in advance.
[0138] Next, in a step 1005, the external NTP server authentication
program 701 judges whether the specific character string has been
decrypted with reference to a result of the decryption in the step
1004.
[0139] When it is judged in the step 1005 that the specific
character string has not been decrypted, this means that the public
key registered in the WORM management clock management information
703 and the secret key possessed by the authentication
function-equipped NTP server 602 that is currently under processing
do not correspond to each other. In other words, the authentication
for confirming that the target authentication function-equipped NTP
server 602 is a registered server has ended in failure.
[0140] In this case, the processing proceeds to a step 1007 in
which the external NTP server authentication program 701 judges
whether an authentication function-equipped NTP server that can be
selected as the next processing target is registered in the WORM
management clock management information 703. More specifically, for
instance, the external NTP server authentication program 701 judges
whether an authentication function-equipped NTP server 602 that is
not yet processed exists in the WORM management clock management
information 703.
[0141] When it is judged in the step 1007 that every authentication
function-equipped NTP server 602 registered has been processed,
this means that there exists no authentication function-equipped
NTP server that can be selected as the next processing target.
Therefore, the processing proceeds to a step 1009 in which the
processing for updating the WORM management clock 128 is ended.
[0142] On the other hand, when it is judged in the step 1007 that
an authentication function-equipped NTP server 602 that can be
selected as the next processing target is registered in the WORM
management clock management information 703, the processing
proceeds to a step 1008 in which the external NTP server
authentication program 701 sets the authentication
function-equipped NTP server 602 as a new target authentication
function-equipped NTP server 602. Then, the processing returns to
the step 1002.
[0143] On the other hand, when it is judged in the step 1005 that
the specific character string has been decrypted, this means that
the target authentication function-equipped NTP server 602 is
confirmed to be a server registered in the WORM management clock
management information 703. Therefore, the processing proceeds to a
step 1006 in which the WORM management clock management program 211
updates the WORM management clock 128 to the time transmitted from
the target authentication function-equipped NTP server 602. Then,
in the step 1009, the processing for updating the WORM management
clock 128 is ended.
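The exchange of FIG. 11 (steps 1002 to 1009), as an added example that is not part of the application. Textbook RSA over small constructed primes stands in for the server's key pair and is not suitable for real use; the 8-byte time encoding, the random challenge string, the addresses and all names are assumptions of this example.

```python
import os
import struct

E = 65537  # public exponent of the constructed demo keys


def make_keypair(p, q):
    """Textbook RSA from two primes: (public modulus n, secret exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


class AuthNtpServer:
    """Stands in for an authentication function-equipped NTP server 602."""

    def __init__(self, n, d, now):
        self.n, self.d, self.now = n, d, now

    def respond(self, challenge):
        # Step 1003: transform time + specific character string with the secret key.
        message = struct.pack(">Q", self.now) + challenge
        return pow(int.from_bytes(message, "big"), self.d, self.n)


def check_response(signal, registered_n, challenge):
    """Steps 1004-1005: decrypt with the registered public key; return the
    time if the specific character string is recovered, else None."""
    recovered = pow(signal, E, registered_n)
    try:
        raw = recovered.to_bytes(8 + len(challenge), "big")
    except OverflowError:
        return None                      # wrong key: result does not even fit
    if raw[8:] != challenge:
        return None
    return struct.unpack(">Q", raw[:8])[0]


def update_worm_clock(registry, network, worm_clock):
    """Storage-system side of FIG. 11. registry is the ordered list of
    (IP address 712, public key 713). Returns (WORM clock value, server used)."""
    for ip, registered_n in registry:    # steps 1007/1008: next candidate
        server = network.get(ip)
        if server is None:               # server stopped ([0117])
            continue
        challenge = os.urandom(8)        # string sent by the storage system ([0136])
        t = check_response(server.respond(challenge), registered_n, challenge)
        if t is not None:
            return t, ip                 # step 1006
    return worm_clock, None              # step 1009 without update


# Constructed data: Mersenne primes as demo key material, TEST-NET addresses.
N1, D1 = make_keypair(2**89 - 1, 2**107 - 1)
N2, D2 = make_keypair(2**61 - 1, 2**127 - 1)
N_BAD, D_BAD = make_keypair(2**61 - 1, 2**107 - 1)
REGISTRY = [("192.0.2.10", N1), ("192.0.2.20", N2)]
TRUE_TIME = 1_102_421_000
NETWORK = {
    "192.0.2.10": AuthNtpServer(N_BAD, D_BAD, TRUE_TIME + 86_400),  # unregistered key
    "192.0.2.20": AuthNtpServer(N2, D2, TRUE_TIME),
}
```

The first registered address answers with a key that does not match its public key 713, so the clock is taken from the second candidate; a response produced for one challenge string does not verify against a different one.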
[0144] FIG. 12 is an explanatory diagram of a management screen
according to the second embodiment of this invention.
[0145] The management screen 1101 is a screen displayed on an
input/output device (not shown) of the management host 6. The
administrator of the computer system according to this embodiment
is capable of making settings concerning the update of the WORM
management clock 128 by operating the management screen 1101 and
inputting information thereinto.
[0146] The management screen 1101 is composed of a check button
1102, an update interval setting field 1103, and usage NTP server
setting fields 1104 and 1105.
[0147] The check button 1102 is used to make a setting as to
whether the WORM management clock 128 is to be managed using the
external authentication function-equipped NTP server 602.
[0148] For instance, by operating the check button 1102 with a
mouse (not shown), it is possible to perform switching between "ON"
and "OFF" of the check button 1102. For instance, when the check
button 1102 is set "ON", a check mark is displayed on the check
button 1102. FIG. 12 shows a state where the check button 1102 is
set "ON".
[0149] When the check button 1102 is set "ON", the authentication
function-equipped NTP server 602 is used to update the WORM
management clock and the flowchart shown in FIG. 11 is
executed.
[0150] When the computer system according to this embodiment is not
connected to the Internet 601 or when there exists no
authentication function-equipped NTP server 602 that is reliable,
for instance, it is possible to set the check button 1102
"OFF".
[0151] The update interval setting field 1103 is used to set
intervals of update of the WORM management clock 128. FIG. 12 shows
a state where the intervals, at which the WORM management clock 128
is updated, are set to 10 minutes. The administrator is capable of
setting arbitrary update intervals by operating the update interval
setting field 1103. The set update intervals are registered as the
check interval 711 in the WORM management clock management
information 703.
[0152] The usage NTP server setting fields 1104 and 1105 are used
to register the authentication function-equipped NTP servers 602
that are to be used at the time of the update of the WORM
management clock 128. In the usage NTP server setting fields 1104
and 1105, the IP addresses of the authentication function-equipped
NTP servers 602 are inputted. The IP addresses inputted here are
each registered as the authentication function-equipped NTP server
IP address 712 in the WORM management clock management information
703.
[0153] In FIG. 12, the usage NTP server setting field 1104
corresponds to an NTP server first candidate and the usage NTP
server setting field 1105 corresponds to an NTP server second
candidate. In the flowchart shown in FIG. 11, the authentication
function-equipped NTP servers 602 are processed in order, with the
authentication function-equipped NTP server 602 registered as the
NTP server first candidate (in other words, the authentication
function-equipped NTP server in the highest place) being processed
first. For instance, the authentication function-equipped NTP
server 602 closer to the computer system on the Internet 601 is set
as a candidate in a higher place.
[0154] For instance, the IP address set in the usage NTP server
setting field 1104 for the NTP server first candidate is registered
as the first authentication function-equipped NTP server IP address
712A and the IP address set in the usage NTP server setting field
1105 for the NTP server second candidate is registered as the
second authentication function-equipped NTP server IP address 712B.
[0155] It should be noted that in the management screen 1101, more
usage NTP server setting fields may be provided.
[0156] Also, authentication function-equipped NTP servers 602 may
be selected from among authentication function-equipped NTP servers
602 determined in advance.
* * * * *