When the ftStorage array was originally conceived, the thinking was that administrators who needed to configure something on the array would use either the command line interface from an OpenVOS login session or the OpenVOS console PC to access the GUI interface. Many administrators prefer the GUI interface. Unfortunately, the console is connected to the maintenance network and located somewhere close to the system. This makes it inconvenient for most administrators, especially administrators for lights out installations. There are, however, several solutions that allow a remote connection to the GUI interface.
Remote Desktop into the console
Since the console is a PC, one solution is to add another network adapter to it. This second adapter is then connected to a network that has remote access. System administrators then use a remote desktop client to connect to the console PC and effectively sit down in front of the console’s screen, keyboard and mouse. The main advantage of this approach is that no extra software is required; remote desktop software is already on the console PC and is probably on the administrator’s workstation. The main disadvantage, besides having to add the network adapter and connect it to the network, is weak security: anyone with access to the remote network has access to the console PC. Even without a login account, they can reach the PC well enough to try to hack into it, and from there into any of the devices on the maintenance network, including the OpenVOS system.
This assumes that the system administrator is working from a workstation that is on the same local subnet as the OpenVOS system attached to the ftStorage array. Three things need to be configured for this to work. First, on the administrator’s workstation a route going to the storage array needs to be set up using the OpenVOS system as the gateway. Second, you need to configure the ftStorage array to have a default route that uses the OpenVOS system as the gateway. Third, the OpenVOS system must be configured to forward packets. The main advantage of this approach is that no extra software is needed. The disadvantages are the requirement that the administrator’s workstation be on the same subnet as the OpenVOS system and that OpenVOS be configured to forward packets. This can be considered a security risk since in general you cannot tell OpenVOS which packets to forward or not to forward (but see A host based firewall for VOS).
SSH tunneling from VOS
If “OpenSSL and OpenSSH for VOS” is installed on the OpenVOS system it is possible to create a port forwarder that would allow anyone with TCP access to the OpenVOS system to connect to the ftStorage array. Assuming that the ftStorage array is located at 10.10.1.20, the command would be:
>system>openssl>bin>ssh -2TNxg -L 49876:10.10.1.20:80 [email protected]
Where USERNAME is the login name of the administrator. If the administrator has set up a public key on the OpenVOS system he can add that key to his authorized_keys file and he will not be prompted for a password. That means that he could run the command as a started process. See Setting up Stratus STCP SSH to use public key authentication.
start_process '>system>openssl>bin>ssh -2TNxg -L 49876:10.10.1.20:80 [email protected]' -output_path foo.out -process_name foo
Once the command is running, the administrator would start his browser on his workstation and use the URL “http://openvos-system-name:49876/”, where openvos-system-name is the name or IP address of the OpenVOS system.
The main advantage of this approach is that no extra software is needed on the workstation. Also if SSH is run as a started process, it only has to be started once and can be used by multiple administrators at multiple times. The main disadvantage is again weak security; anyone, not just registered users, from anywhere with TCP connectivity to the OpenVOS system would have access to the ftStorage gateway. There is no login authorization on the VOS system, although the ftStorage array does require a user ID and password. I would not implement this approach without a firewall protecting the local port selected as the listening end of the tunnel (again A host based firewall for VOS).
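The exposure described above comes from the -g flag, which makes the forwarded port listen on every interface instead of loopback only. The following Python audit helper is an added example, not part of the original post: it parses an ssh command line and reports where each -L forward will listen, following the bind rules in the OpenSSH ssh(1) manual. It assumes the client's GatewayPorts setting is at its default of "no" and that the command carries no remote command; USERNAME@HOST is a placeholder destination.

```python
import shlex

# ssh options that consume an argument (per the OpenSSH ssh(1) synopsis).
TAKES_ARG = set("BbcDEeFIiJLlmOopQRSWw")
WILDCARD = {"", "*", "0.0.0.0", "::"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def split_forward(spec):
    """Split '[bind_address:]port:host:hostport', keeping [IPv6] literals whole."""
    fields, cur, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            fields.append(cur)
            cur = ""
        else:
            cur += ch
    fields.append(cur)
    return [f.strip("[]") for f in fields]

def audit_forwards(command):
    """Return [(listen_port, target, exposure)] for every -L in an ssh command."""
    argv = shlex.split(command)[1:]          # drop the ssh program path
    gateway, specs, i = False, [], 0
    while i < len(argv):
        arg = argv[i]
        i += 1
        if not arg.startswith("-"):
            continue                         # destination, not an option
        for pos, flag in enumerate(arg[1:], start=1):
            gateway = gateway or flag == "g"
            if flag in TAKES_ARG:            # value is rest of cluster or next word
                value = arg[pos + 1:]
                if not value and i < len(argv):
                    value = argv[i]
                    i += 1
                if flag == "L":
                    specs.append(value)
                break
    results = []
    for spec in specs:
        f = split_forward(spec)
        if len(f) == 3:                      # no bind address given: -g decides
            bind = "*" if gateway else "localhost"
        elif len(f) == 4:                    # explicit bind address wins
            bind = f[0]
        else:
            continue                         # Unix-socket forwards: out of scope
        exposure = ("all-interfaces" if bind in WILDCARD else
                    "loopback-only" if bind in LOOPBACK else "bound to " + bind)
        results.append((int(f[-3]), f"{f[-2]}:{f[-1]}", exposure))
    return results
```

Run over the started-process command above, it reports port 49876 as listening on all interfaces, which is the port the firewall rule has to cover.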
SSH tunneling from the workstation
Again, if “OpenSSL and OpenSSH for VOS” is installed on the OpenVOS system it is possible to set up a PC based tunnel that would allow port forwarding from the PC. The main advantage of this approach is strong security: it requires VOS authentication to set up the tunnel and encrypts all packets between the workstation and OpenVOS. The main disadvantage is that each administrator has to set up the tunnel each time they want to use it, and they need SSH software installed on their workstation.
There are several SSH software packages that I am familiar with. If all you are planning on doing is setting up an SSH tunnel, PuTTY is the simplest to use. It is also free; you can download it from http://www.chiark.greenend.org.uk/~sgtatham/putty/.
The following steps can be used to configure PuTTY 0.60, which was the current version of PuTTY at the time this blog was released.
When PuTTY is started it brings up a configuration dialog. In the Category section in the left part of the dialog, expand the SSH section and select Tunnels. In the source port edit box enter the local port number that the workstation will listen on; in figure 2 it is 49876. In the destination edit box enter the IP address of the ftStorage array, a colon and the port number 80 (10.10.1.20:80 in figure 2). Press the Add button to move that information from the edit boxes to the “Forwarded ports” display in the middle of the right hand side of the dialog.
Now select the SSH category. Under “Protocol options” check “Don’t start a shell or command at all” and “2 only”. SSH protocol version 1 is no longer considered secure and should never be used.
Now go back up to the Session category, fill in the name or IP address of the OpenVOS system and press Open.
PuTTY will prompt for the user name and, after making the connection, the password. At that point, assuming there are no errors, you can minimize the window or just leave it in the background. Do not close the window or you will lose your connection.
Finally, open a browser and enter the URL 127.0.0.1:49876
When you are done, close the browser, or at least the tab connected to the ftStorage array, and then close the PuTTY window.