
(BC) - Access control of blade users to blade chassis management information and flows

IP.com Disclosure Number: IPCOM000021331D
Original Publication Date: 2004-Jan-14
Included in the Prior Art Database: 2004-Jan-14
Document File: 7 page(s) / 85K

Publishing Venue

IBM

Abstract

Idea 1: Security Zones within a BladeChassis System. A BladeChassis system can be made to have security zones by using a representation of different security zones within a management module and having the management module create the zones by configuration of the integrated chassis switch.

This text was extracted from a PDF file.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 38% of the total text.


     Idea 1: SECURITY ZONES. This publication illustrates an apparatus comprising a chassis with a plurality of blades, a chassis (central) management module and a plurality of switch modules, and a method in which the apparatus creates distinct security zones within itself. The zones comprise a chassis management zone and a plurality of user zones, with multiple levels of authority/security within the zones.

The method of zone creation comprises the steps of
1) a user representation of the zones within the management entity,
2) a linkage of the zone representation to the switch(es),
3) the instantiation of the zones by the switch.

The representation of the zones is a tree with the chassis management at the top and user zones as leaves, with each leaf of a given layer able to access all leaves in lower layers.

    Zone representation is illustrated in Figure 1: a member of the Chassis Management zone can access all functions in the UserX_Zones and in the UserX.Y_Zones. A user in UserX_Zone can access all functions in the UserX.Y_Zone. A user in the User1_Zone cannot access users in the User2_Zone, and likewise a user in User1.1_Zone cannot access a user in the User1.2_Zone except via a Layer 3 device such as a router. For the purposes of this publication, a router is outside the scope of the apparatus.

                        Chassis Management Zone
                         /                   \
                 User1_Zone                 User2_Zone ......................
                 /        \              /        |        \
      User1.1_Zone  User1.2_Zone  User2.1_Zone  User2.2_Zone  User2.3_Zone

Figure 1: Zone Representation

    The linkage of the zone representation to the switch is via a command line interface: the management module sends switch VLAN configuration commands either on demand of the user(s), periodically, or when a change is made to the zone representation.

    The separation of zones at the leaf and subleaf levels is via port and/or tagged VLANs created by the switch(es). There are multiple VLAN methods for creating zone separation. One method is for all zones to be distinct VLANs, with users given membership in multiple VLANs, as illustrated in Figure 1b.

                  Chassis Management Zone (VLAN1)
                     /                     \
         User1_Zone (VLAN2)           User2_Zone (VLAN3) ......................
           /          \                 /        |
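The following is an added example, not code from the original disclosure, that models the zone tree of Figure 1 and the "one VLAN per zone, membership in multiple VLANs" method of Figure 1b: it decides which zone may reach which, numbers the VLANs in tree order (VLAN1..VLAN3 as on the page; the sub-zone numbers are an assumption), and derives the VLAN membership a port in each zone needs. The zone names and helper functions are constructed for the example.

```python
"""Zone tree of Figure 1 mapped to per-zone VLANs (Figure 1b method).

Constructed example: only VLAN1..VLAN3 are assigned on the page; the
VLAN numbers for the sub-zones are an assumption of this model.
"""
from typing import Dict, Iterator, Optional, Set

# Zone tree as child -> parent; the chassis management zone is the root.
PARENT: Dict[str, Optional[str]] = {
    "ChassisMgmt": None,
    "User1": "ChassisMgmt", "User2": "ChassisMgmt",
    "User1.1": "User1", "User1.2": "User1",
    "User2.1": "User2", "User2.2": "User2", "User2.3": "User2",
}


def ancestors(zone: str) -> Iterator[str]:
    """Yield the zone itself, then each ancestor up to the root."""
    while zone is not None:
        yield zone
        zone = PARENT[zone]


def can_access(src: str, dst: str) -> bool:
    """Figure 1 rule: a member of src reaches dst only if src is dst or an
    ancestor of dst. Siblings (User1/User2, User1.1/User1.2) are isolated."""
    return src in set(ancestors(dst))


def assign_vlans() -> Dict[str, int]:
    """One distinct VLAN per zone, numbered breadth-first so the root is
    VLAN1 and User1/User2 are VLAN2/VLAN3 as in Figure 1b."""
    order = sorted(PARENT, key=lambda z: (len(list(ancestors(z))), z))
    return {z: i + 1 for i, z in enumerate(order)}


def vlan_membership(zone: str, vlans: Dict[str, int]) -> Set[int]:
    """VLANs a port in `zone` joins: its own plus every descendant zone's,
    which is the 'membership in multiple VLANs' method of Figure 1b."""
    return {vlans[z] for z in PARENT if can_access(zone, z)}


def isolated(a: str, b: str, vlans: Dict[str, int]) -> bool:
    """True when ports in zones a and b share no VLAN, i.e. the switch
    provides no Layer 2 path between them (only a router could)."""
    return not (vlan_membership(a, vlans) & vlan_membership(b, vlans))
```

Note that can_access encodes the one-way rule of Figure 1 while VLAN membership is symmetric: a child zone's systems sit on a VLAN the parent zone also joins, so the restriction that a lower zone cannot reach an upper one must come from the access-control layer, not from the VLAN configuration alone.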


[Figure 2 diagram: a Chassis containing a Management Module, Blade 1 ... Blade "N-1", Blade "N" and an Embedded Switch; zones drawn as Chassis Management Security Zone, User1 Administrative Security Zone (User 1 Admin Systems), User2 Administrative Security Zone (User 2 Admin. System), User1.1 Security Zone (User 1.1 System) and User2.1 Security Zone (User 2.1 System).]

Figure 2: Security Zone Illustration, 1 Management Zone, 2 User Administrator Zones, 2 User Zones

For example, IBM offers an OnDemand service and provisions 2 customers, Cust1 and Cust2, on the same BladeChassis. The following table illustrates zones within a BladeCenter and their access by role. This table corresponds to Figure 2: red is Cust1, blue is Cust2.

Zones ---->

yes yes...