Technical white paper

HP 3PAR StoreServ
Secure Service Architecture
Table of contents
Executive summary ... 2
  Features of HP 3PAR SSA ... 2
HP 3PAR Secure Storage Architecture ... 2
  Separation of storage ... 2
Service processor ... 3
  Diagnostic services ... 3
  Periodic data collection ... 4
  Event data collection and analysis ... 5
  STaTS ... 6
  HP 3PAR Central Secure Service Collector Server ... 6
  No single point of failure ... 7
Secure service transmission ... 7
  HTTPS ... 7
  HP 3PAR Certificate of Authority ... 7
  Network address translation ... 8
  HP 3PAR StoreServ network port assignments: Node ... 8
  HP 3PAR StoreServ network port assignments: SP ... 9
Data transfer service selection ... 9
  Moment of Birth ... 9
  Secure Site ... 9
  Common computing evaluation ... 10
  Customer controlled access setting ... 11
  HP 3PAR Policy Server ... 11
  Pre-stage HP 3PAR software components on HP 3PAR Service Processor ... 12
HP 3PAR Service Processor status indications ... 12
  SPOCC website ... 12
  HP 3PAR Service Processor SSH port 22 menu ... 13
Frequently asked questions ... 13
Terminology ... 14

Technical white paper | HP 3PAR StoreServ Secure Service Architecture

Executive summary
HP 3PAR StoreServ Storage arrays are rapidly being adopted into many secure IT data centers. With this adoption comes
the need for customers to rely on HP's ability to provide a proven, secure communication service and architecture
between the HP 3PAR systems and the HP 3PAR Central remote monitoring facility.
The HP 3PAR Secure Service Architecture (SSA) provides this secure service communication architecture by providing a path
for secure diagnostic data transmissions and, where enabled, remote service connections.
Secure communication between the customer site and HP 3PAR Central is paramount in ensuring timely and accurate
collection of diagnostic data. Data that is captured is stored and constantly reviewed using advanced tools within
HP 3PAR's diagnostic center. These tools can provide advance warning of any issues which may arise with a customer's
HP 3PAR array and allow HP 3PAR Central to notify customers of a pending issue. Customer data stored on the array in the
form of a virtual volume is never collected by or accessible to HP 3PAR SSA.
Remote monitoring is an important feature of the HP 3PAR StoreServ Storage System solution.[1] It enables HP to detect,
analyze, and proactively resolve any issues and to provide the best customer experience.

Features of HP 3PAR SSA


• Provides timely and proactive response to monitored issues within the HP 3PAR array
• Captures critical performance data for advanced analysis at HP 3PAR Central
• Notifies of and stages HP 3PAR OS upgrades on HP 3PAR 7000 and 10000 arrays
• Remote service connection for advanced troubleshooting with HP 3PAR support engineers
• Historical collection of statistics on each HP 3PAR Storage array
• All assigned ports used on HP 3PAR StoreServ systems follow the universal standards in securing data as outlined by the
  Internet Assigned Numbers Authority (iana.org)

HP 3PAR SSA uses industry-standard mechanisms to transfer data securely. All data transferred between the user's site
and HP 3PAR Central is sent over an authenticated connection using negotiated ciphers.
Users who deploy the HP 3PAR StoreServ array are given options by which the array can be monitored. These options range
from a secure site, where all ports to and from the array are encrypted and no transmissions of array status are allowed,
to the most common deployment of a closely monitored array. This paper is designed to address these options.

HP 3PAR Secure Storage Architecture


Separation of storage
Separation of storage simply means the HP 3PAR Storage array does not itself connect to HP 3PAR Central.
Communication to HP 3PAR Central is done via the HP 3PAR Service Processor (SP) or a Virtual Service Processor (VSP); which
type of SP is deployed depends on the customer and the array type purchased.
HP 3PAR 7000 customers have the option to choose between deploying a VSP or a physical SP. A VSP can be deployed on
either a VMware ESX system using a vmdk distribution file or on a Microsoft server using Hyper-V.
In all other configurations, the HP 3PAR Service Processor will be a dedicated hardware system purchased with the
HP 3PAR storage array. In either of the two deployment models, the VSP will communicate with the HP 3PAR StoreServ
array in the same manner as a physical HP 3PAR SP.[2] Whichever the case, these servers run a host OS specific to
HP 3PAR array management and cannot be repurposed to run any other services. Figure 1 displays an overview of the
HP 3PAR array connections.

[1] h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-3528ENW&cc=us&
[2] h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-2044ENW&cc=us&lc=en


Figure 1. Secure storage connections

Service processor
The HP 3PAR Service Processor is an important component of the HP 3PAR StoreServ array. The HP 3PAR Service Processor
serves as a communications interface within the customer's IP network environment for all service-related communications
to and from the HP 3PAR StoreServ array.
The HP 3PAR Service Processor deploys the SPOCC software, a suite of service tool applications which provide a
web-based user interface for support of the HP 3PAR Service Processor and the HP 3PAR StoreServ array.
The SP OS is built on top of a Linux distribution that has been stripped down to contain only those packages which are
required to be included in the SP release. Remote login is via SSH and HTTPS (SPOCC); this capability can be controlled
or disabled. In the case where it is disabled, access is available via a serial cable. Additional hardening is enforced by the
application suite, including an iptables packet filter, and by the customer's ability to harden their network environment.

Diagnostic services
Diagnostic services is the process whereby the HP 3PAR Service Processor accumulates diagnostic data from the HP 3PAR
StoreServ array and periodically transmits the data over a secure network connection to HP 3PAR Central. Diagnostic
data that is received is scanned to ensure proper health of the array during the collection period. Any abnormalities found
would be followed up by further troubleshooting and possible dispatch of field personnel to remedy any diagnosed
inconsistencies.
All customer-authorized remote service connections to a customer's HP 3PAR StoreServ array, as shown in figure 2, will
leverage the HP 3PAR Service Processor as the connection point. All array service actions are directed through the HP 3PAR
Service Processor. It should be noted that in the example below, the connection is enabled by the customer to allow remote
access to HP Technical Services.


Figure 2. Remote service connection

All diagnostic data that is captured on the HP 3PAR Service Processor is sent to HP 3PAR Central for further processing.
The data includes:
• System health information
• Configuration data
• Performance data
• System events

Note
It is important to clarify that the data collected by the SSA is only diagnostic data; all user data is safe and never accessible to
the collection agents used by the SSA. End-user data stored on the array itself is not collected, and is not visible to the
support engineer.

Periodic data collection


There are two categories of data collection captured on the HP 3PAR Service Processor. The first type of data collection
is periodic data collection. Data is captured on an hourly basis and stored temporarily on the HP 3PAR Service Processor.
Once every four hours, the data captured during the preceding four-hour timeframe is sent via an HTTPS connection
to HP 3PAR Central for review and analysis. This process, illustrated in figure 3, periodically collects data and
transfers it to HP 3PAR Central for analysis. A good example of this type of data transfer is the installation of additional disks in
the HP 3PAR StoreServ array. The admittance of the new physical disks would be viewed as a non-critical event and would
not need any further analysis or remedial action. The transfer of this data type would be considered informational.
HP 3PAR Central keeps track of the four-hour call-home status received from the customer's SP. If the SP fails to call home,
the monitoring mechanisms within HP 3PAR Central will record the status "File Transfer Overdue". The file transfer
mechanism is the heartbeat of the HP 3PAR StoreServ subsystem. If the heartbeat is not received within the four-hour
window, Technical Services will be notified of the failure of the data transmission.
Figure 3. Periodic data collection
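The heartbeat rule above, carried out as an added Python example (not HP's monitoring software): a small monitor parses a constructed SP call-home log and flags any SP whose uploads fall outside the four-hour window as "File Transfer Overdue". The log line format, the SP serials and the 15-minute grace period are assumptions made for this example.

```python
"""Heartbeat check for SP call-home uploads (added example, not HP code).

Rule from the paper: every SP uploads once every four hours; a missed window
is recorded as "File Transfer Overdue". The log line format
'<ISO timestamp> <SP serial> UPLOAD_OK' and the serials are constructed.
"""
from datetime import datetime, timedelta

CALL_HOME_WINDOW = timedelta(hours=4)
GRACE = timedelta(minutes=15)  # assumed tolerance for scheduling jitter

# Constructed sample log: SP-A keeps its schedule, SP-B misses a window.
SAMPLE_LOG = """\
2014-11-03T00:05:00 SP-A UPLOAD_OK
2014-11-03T04:04:00 SP-A UPLOAD_OK
2014-11-03T08:06:00 SP-A UPLOAD_OK
2014-11-03T00:10:00 SP-B UPLOAD_OK
2014-11-03T04:09:00 SP-B UPLOAD_OK
2014-11-03T11:30:00 SP-B UPLOAD_OK
malformed line that the parser must ignore
"""


def parse_ts(text):
    """Parse the ISO-8601 timestamp used in the constructed log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_log(text):
    """Return {serial: [upload timestamps, sorted]}, skipping malformed lines."""
    uploads = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != "UPLOAD_OK":
            continue
        try:
            ts = parse_ts(parts[0])
        except ValueError:
            continue
        uploads.setdefault(parts[1], []).append(ts)
    return {serial: sorted(ts) for serial, ts in uploads.items()}


def overdue_status(timestamps, now, window=CALL_HOME_WINDOW, grace=GRACE):
    """Return (status, detail) for one SP.

    status is "OK" or "File Transfer Overdue". Both the gap between two
    consecutive uploads and the gap between the last upload and `now`
    are checked against the window plus grace.
    """
    if not timestamps:
        return "File Transfer Overdue", "no uploads on record"
    limit = window + grace
    for prev, cur in zip(timestamps, timestamps[1:]):
        if cur - prev > limit:
            return "File Transfer Overdue", f"gap of {cur - prev} after {prev.isoformat()}"
    if now - timestamps[-1] > limit:
        return "File Transfer Overdue", f"last upload {timestamps[-1].isoformat()}"
    return "OK", f"last upload {timestamps[-1].isoformat()}"


def evaluate(text, now):
    """Map every SP serial in the log to its heartbeat status."""
    return {serial: overdue_status(ts, now) for serial, ts in parse_log(text).items()}


def evaluate_sample(now_iso="2014-11-03T12:00:00"):
    """Run the check over the constructed log at a fixed 'now'."""
    return evaluate(SAMPLE_LOG, parse_ts(now_iso))


if __name__ == "__main__":
    for serial, (status, detail) in evaluate_sample().items():
        print(f"{serial}: {status} ({detail})")
```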


Event data collection and analysis


The second type of data collection is immediate event data collection. An immediate data event can be categorized into the
following two categories.
• Major: an event which can disrupt processing of data on the HP 3PAR StoreServ array; an immediate response is needed
  to remedy the event
• Minor: an event which is monitored and may result in an actionable remedy

Event analysis for events which occur on the HP 3PAR StoreServ array is aided by an internal process which runs on the
HP 3PAR Service Processor and at HP 3PAR Central. The tool, identified as FAST (Fault Analysis Support Tool) and shown in
figure 4, uses a complex set of rules to determine the severity of the event which occurred on the HP 3PAR StoreServ array.
The analytics run on the HP 3PAR Service Processor contain a set of rules which can help determine the severity of the event.
As an example, a physical disk within the array reports a read error on a particular block of data. Through the normal
operation of the HP 3PAR StoreServ array, the user would not be notified of this event, since such events are a
common everyday occurrence. The FAST rule set would note this event on the HP Service Processor and forward it to HP 3PAR
Central. HP 3PAR Central, using FAST Analytics, would also note this event but would additionally look for event history within the HP 3PAR
STaTS database (covered in the next section). FAST at HP 3PAR Central would see that over the past three days the HP 3PAR
StoreServ array has recorded 10 of these events.
Identifying that there have been 10 of these events in 3 days and comparing this against the rules database at HP 3PAR
Central would result in an actionable event in which the physical disk should be replaced as a precautionary measure.
Figure 4. FAST Analytics

The FAST Analytics tool features include the following:
• Analysis of event files
• Analysis of node and application dumps
• Report generator
• Historical event timeline maintained for each reporting HP 3PAR StoreServ array
• External notifications
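The read-error rule the paper walks through, carried out as an added Python example (not HP's FAST code): it parses a constructed event export, keeps only physical-disk read errors, and counts them per disk in a sliding three-day window; 10 or more in any window is actionable. The event line format, disk ids and block numbers are assumptions made for this example.

```python
"""FAST-style correlation of disk read errors (added example, not HP code).

Rule from the paper: one read error on a physical disk is routine and not
surfaced to the user, but 10 read errors on the same disk within three days
become an actionable event (precautionary disk replacement). The event line
format '<ISO timestamp> <severity> pd<id> <message>' is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=3)
THRESHOLD = 10
EVENT_RE = re.compile(r"^(\S+) (\w+) pd(\d+) (.*)$")

# Constructed event export: pd7 crosses the threshold, pd12 does not,
# and unrelated lines are present to show the filtering.
SAMPLE_EVENTS = """\
2014-10-25T03:00:00 minor pd12 read error on block 0x0000a1
2014-10-30T14:00:00 minor pd12 read error on block 0x0003f0
2014-11-01T01:00:00 minor pd7 read error on block 0x001000
2014-11-01T05:00:00 minor pd7 read error on block 0x001001
2014-11-01T09:00:00 minor pd7 read error on block 0x001002
2014-11-01T13:00:00 minor pd7 read error on block 0x001003
2014-11-01T17:00:00 minor pd7 read error on block 0x001004
2014-11-01T21:00:00 minor pd7 read error on block 0x001005
2014-11-02T01:00:00 minor pd7 read error on block 0x001006
2014-11-02T05:00:00 minor pd7 read error on block 0x001007
2014-11-02T07:00:00 minor pd12 read error on block 0x0007c2
2014-11-02T08:00:00 info pd12 spare chunklet allocated
2014-11-02T08:30:00 info node0 application dump collected
2014-11-02T09:00:00 minor pd7 read error on block 0x001008
2014-11-02T13:00:00 minor pd7 read error on block 0x001009
"""


def parse_events(text):
    """Return {pd_id: sorted timestamps} for read-error events only."""
    per_disk = defaultdict(list)
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m or "read error" not in m.group(4):
            continue
        per_disk[int(m.group(3))].append(
            datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"))
    return {pd: sorted(ts) for pd, ts in per_disk.items()}


def max_in_window(timestamps, window=WINDOW):
    """Largest number of events inside any interval of length `window`.

    Two-pointer sweep over the sorted timestamps: `start` advances until
    the interval [timestamps[start], timestamps[end]] fits in the window.
    """
    best = start = 0
    for end in range(len(timestamps)):
        while timestamps[end] - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def evaluate_rules(text, window=WINDOW, threshold=THRESHOLD):
    """Classify every disk with read errors as actionable or informational.

    Returns {pd_id: (classification, max_events_in_window)}.
    """
    verdicts = {}
    for pd, ts in parse_events(text).items():
        n = max_in_window(ts, window)
        verdicts[pd] = ("actionable", n) if n >= threshold else ("informational", n)
    return verdicts


if __name__ == "__main__":
    for pd, (verdict, n) in sorted(evaluate_rules(SAMPLE_EVENTS).items()):
        print(f"pd{pd}: {verdict} ({n} read errors in a {WINDOW.days}-day window)")
```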


STaTS
Data collected via the HP 3PAR SSA is stored in a central repository known as STaTS. STaTS allows authorized HP Technical
Service personnel access to historical performance, event, and configuration data from customers' HP 3PAR StoreServ arrays.
Figure 5 illustrates the data flow for the HP 3PAR Service Processor and HP 3PAR Central.
Figure 5. STaTS database

The HP 3PAR Central Secure Service Collector Server (discussed in a later section) is the main interface between the user's
HP 3PAR Service Processor and HP 3PAR Central. Files received via a secure HTTPS connection are forwarded on to a
number of file watch servers. These servers identify the information which has been passed on to them and mark it for
processing. In the example above we have event data, performance data, and administrative data.
Different data collections will result in different actions: a failed physical disk drive will raise a service alert, while heartbeat
information from a remote HP 3PAR Service Processor will just be logged to keep track that the remote site is correctly
connecting and sending data. Data stored within the STaTS database can only be accessed by securely
authenticated and authorized HP employees; these may be members of the HP Technical Services organization and
Storage Solution Architects.

HP 3PAR Central Secure Service Collector Server


The HP 3PAR Secure Service Collector Server is a central collection server within HP 3PAR Central for the collection of all
service data sent by the SP. Once data is received by the collector, HP support personnel can review the collected data and
follow up on any items noted in the data received. Data received at the HP 3PAR Central Secure Service Collector Server
includes the following:
• System health information
• Configuration data
• Performance data
• System events

The HP 3PAR Secure Service Collector Server communicates with the customer's HP 3PAR StoreServ Service Processor
through an HTTPS connection. All communications are initiated, controlled and driven by the SP in the field. The Collector
Server never initiates the communication; it only responds to the communication from the SP. Figure 5 illustrates the
connection point between the SP and internal servers within HP 3PAR Central. All data transmissions are done through
secure communication and no clear-text data is ever sent. All data transfer depends on a Certificate of
Authority issued by HP 3PAR and a secure cipher. Ciphers used in data transmission include aes256-ctr, aes192-ctr,
aes128-ctr, arcfour256, aes256-cbc, aes192-cbc, and aes128-cbc.


No single point of failure


The HP 3PAR StoreServ subsystem is designed so that there is no single point of failure. Collected diagnostic data is stored
in various locations within the diagnostic system.
Upon initialization of the HP 3PAR array, an admin volume is created on the array. This admin volume is an integral part of the
HP 3PAR OS. Event information is stored on part of the admin volume.
On the HP 3PAR Service Processor, there is a folder where diagnostic data is collected and stored. In the event the SP
cannot communicate with HP 3PAR Central, the data will be stored until such time as the connection becomes available.
For customers who operate a secure site where no outside connections are allowed, the customer can retrieve collected
data from the SP and then transfer the collected data to an anonymous FTP site for processing.
Data collected and then transmitted to HP 3PAR Central is kept active for approximately 30 days. Once data exceeds the
30 days, the data is archived and kept for one year. The database in which the data is collected and stored consists of
multiple HP 3PAR clustered arrays for optimal storage configuration.

Secure service transmission


HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is a communications protocol for secure transfer of data over
a computer network. HTTPS utilizes the SSL/TLS protocol security standards to securely transfer data within a computer
network. The security in HTTPS is therefore that of the TLS standard, which uses secret keys to encrypt the data flow
between the client and the server.
The secure data transfer between the user site and HP 3PAR Central is illustrated in figure 6.
Figure 6. Secure service transmission

The data transfer between the HP 3PAR Service Processor and HP 3PAR Central is accomplished in a secure fashion and
employs the following standards.
• Data transmissions between the customer site and HP 3PAR Central use HTTPS and are secure
• The HP 3PAR Service Processor initiates all communications in an outbound manner
• Data authentication at HP 3PAR Central uses a Certificate of Authority authenticated by VeriSign
• Data is not transferred in clear text

This paper is intended to brief the user on the methods used by HP 3PAR to secure data transfer; the details of the secure
protocols used in the secure transfer are beyond the scope of this paper.

HP 3PAR Certificate of Authority


A trusted certificate is used to make secure connections from the HP 3PAR Service Processor to HP 3PAR Central.
This CA is used to defeat malicious attempts to gain access to confidential customer data. HP 3PAR deploys a CA which
is authenticated for use by VeriSign. This CA cannot be substituted when communicating between the HP 3PAR Service
Processor and HP 3PAR Central.
Certificate used in communication with CLI/MMC/SSMC
The user, however, can change the CA and administer their own CA within their data center for communication to the
HP 3PAR StoreServ array. An example of a customer using their own CA would be the communication link between the MC
and the HP 3PAR StoreServ array. Figure 7 is an example of a secure data transmission using SSH port 22.


Figure 7. HP 3PAR Service Processor to HP 3PAR Communication

To manage these CAs, HP 3PAR includes four tools within the HP 3PAR StoreServ OS by which the user may manage their
own CAs.
• Createcert: allows the creation of a self-signed certificate or a certificate signing request (CSR)
• Importcert: once the user has a signed CSR, it and the CA are imported with the Importcert command
• Showcert: displays a table of certificate metadata and their uses
• Removecert: clears out unused certificates

Network address translation


NAT is the methodology of modifying network address information in Internet Protocol datagram packet headers while
they are in transit across a traffic routing device, for the purpose of remapping one IP address space into another.
As outlined earlier, the SP uses SSH to validate authentication between the SP and the HP 3PAR StoreServ array.
The IP address of the SP is part of the SSH key as a validation to the array. If NAT were supported, the remapping of
the IP address known by the array would invalidate the SSH key and thereby prevent authentication
between the SP and the HP 3PAR StoreServ array. HP 3PAR does not support NAT on the HP 3PAR StoreServ array.

HP 3PAR StoreServ network port assignments: Node


The following is a collection of ports assigned on the HP 3PAR StoreServ array. Each of the ports shown can be
verified through the Internet Assigned Numbers Authority (iana.org).

Port   Use
22     SSH daemon (required): communication between SP and HP 3PAR StoreServ array as well as optional use for end-user
       CLI (listener)
123    NTP, UDP (required): peer communication for NTP
161    SNMP agent (optional): communications between third-party SNMP manager and HP 3PAR SNMP agent (listener)
162    SNMP trap origination (optional): source port for unsolicited SNMP traps to third-party SNMP manager (source)
427    SLP (optional): required if CIM/SLP are to be used (listener)
5781   Event consumer interface (required): communication between SP and HP 3PAR StoreServ array as well as some
       RM/VM/VASA event logic (listener)
5782   CLI unsecured (optional): provides plain text access to the CLI if the end user chooses to use it
5783   CLI secured with TLS (required): encrypted access to CLI, SP to HP 3PAR StoreServ nodes communication as well as
       end-user CLI usage
5988   CIM (optional): unsecured web services access for CIM clients if the customer wishes to use plain text access
5989   CIM (optional): encrypted web services access for CIM clients if the customer wishes to use encrypted access
8008   Web Services Application Program Interface (unsecure)
8080   Web Services Application Program Interface (encrypted)
8443   Secure port used by Management Console in the transmission of data to and from HP 3PAR StoreServ array if the
       checkbox is checked at the bottom of the login screen. (Note: with the release of SSMC in late 2014, this is the
       default communication protocol)


HP 3PAR StoreServ network port assignments: SP


The following is a collection of the ports assigned on the HP 3PAR StoreServ Service Processor.

Port   Use
22     SSH daemon (optional): if the customer wants to connect to the SP using SSH
443    Web server (required): secure access to the SP GUI
123    NTP, UDP (required): peer communications for NTP

Data transfer service selection


To this point in the paper, we have identified the HP 3PAR Service Processor as the tool used in helping customers and HP 3PAR
support personnel maintain a high level of uptime on the HP 3PAR StoreServ array. We have also identified the data acquired
by the HP 3PAR Service Processor to monitor performance of the array, do predictive analysis of event data generated by
the HP 3PAR StoreServ array, and monitor system health.
Getting all this important data to HP 3PAR Central is another key element of the overall support strategy. Prior to
installation of the HP 3PAR StoreServ array, a questionnaire will be sent to the user, or, in the case where the array is
self-installed, the HP 3PAR SmartStart Tool will be deployed. The information used to deploy the HP 3PAR StoreServ
array will guide the user or installation team in properly installing the HP 3PAR StoreServ array.

Moment of Birth
MOB is the initialization of the SP or VSP. Independent of which SP you use, the MOB initializes and sets up the SP for
communication between the HP 3PAR StoreServ array and HP 3PAR Central. During the MOB process, the user will be
required to supply some parameters, which will be used for communication. The MOB tool is executed by HP Field Service
Personnel at the time of installation on any HP 3PAR 10000 array. On the HP 3PAR 7000 series this tool is replaced by a
Setup Wizard. Information provided in this section is used for reference in answering the pre-installation questionnaire prior
to the array installation.

Secure Site
A secure site is a site where the SP is not allowed to access the Internet, as illustrated in figure 8. The SP will only have
access to the HP 3PAR StoreServ array. All other functions relating to connections to HP 3PAR Central will not be connected.
Figure 8. Secure site installation

Customers who choose this option should still register their HP 3PAR StoreServ array with HP 3PAR. Once the array is
registered, customers can still utilize monitoring functions by manually uploading collected data from the SP to an
anonymous FTP site.
Customer sites which have security policies restricting outbound connectivity between the HP 3PAR Service Processor and
HP 3PAR Central are able to maintain some limited remote monitoring by utilizing a manual transfer method. HP strongly
recommends wherever possible that customers do have their HP 3PAR Service Processor connected to HP 3PAR Central.
The specifics of this procedure are covered in a SAW article. Please refer to this article for complete instructions:
"HP 3PAR Storage: HP 3PAR Service Processor weekly file retrieval process"


Common computing evaluation


During out-of-the-box initialization of the HP 3PAR StoreServ 10000 array, the user will be asked "Will the HP 3PAR
StoreServ array be used in a Common Computing Evaluation?" The information provided in this section refers to installation
of the HP 3PAR StoreServ 10000 array. Users who deploy HP 3PAR StoreServ 7000 arrays should skip this section. This
section is supplied to help customers answer questions from the pre-installation questionnaire.

Note
You have the option to disable non-encrypted ports. Common Criteria evaluated installations require this. However, doing so
will disable SP event handling, Recovery Manager for VMware, SRA, and CLI connections with default parameters. Therefore,
you should only answer Yes to the question below if there is a strict requirement for all connections to be encrypted as per
common computing requirements.

Disable non-encrypted ports [y/n]


The user's reply to this question has great implications for the setup of the HP 3PAR StoreServ array. Figure 9 illustrates the
outcome if the user replies Yes to the question.
Figure 9. Answering Yes to CCE

• Yes: if the user answers Yes to the question, then the HP 3PAR StoreServ array will enable encryption on all ports on
  the array. The result of enabling encryption is that only processes that use encryption can communicate with the HP 3PAR
  StoreServ 10000. Figure 9 illustrates that access by the SP to the array is blocked by the ports within the array.
• No: if the user does not enable CCE, the user will allow non-encrypted data to use the ports on the HP 3PAR
  StoreServ array.
By answering No, the securing of data is left to the application level. An application-level example is the use of the CLI: the CLI
can be used in an unsecure manner via port 5782 or in a secure manner via port 5783. The identity of each
HP 3PAR StoreServ subsystem port and its transport mechanism was covered earlier in the paper.
Refer to the HP 3PAR InForm OS Common Criteria Administrator's Reference Guide for more information. As a note, CCE is
not available on the HP 3PAR StoreServ 7000 array.
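An added posture check (example code, not HP tooling) that ties the node port table earlier in the paper to the CCE question in this section: it encodes the plaintext/encrypted port pairs the paper lists (CLI 5782/5783, CIM 5988/5989, WSAPI 8008/8080) and, given the set of ports found open on an array's management address, reports plaintext listeners that should be closed when "Disable non-encrypted ports" was answered Yes, and encrypted counterparts that are unexpectedly closed. The probe function, its timeout and the sample port sets are assumptions made for this example.

```python
"""Posture check for CCE "Disable non-encrypted ports" (added example, not HP tooling).

The pairs below come from this paper's node port table: each plaintext service
has an encrypted counterpart. With CCE enabled the plaintext side must be
closed and the encrypted side should be reachable; with CCE disabled the
plaintext listeners are merely reported as informational.
"""
import socket

# plaintext port -> (encrypted counterpart, service), per the paper's port table
PLAINTEXT_PAIRS = {
    5782: (5783, "CLI"),
    5988: (5989, "CIM web services"),
    8008: (8080, "Web Services API"),
}


def probe_open_ports(host, ports, timeout=1.0):
    """TCP-connect probe of `ports` on `host`; returns the set that accepted.

    The probe itself is an assumption for this example (an inventory export
    would serve equally well). An unreachable host yields an empty set.
    """
    open_ports = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                open_ports.add(port)
        except OSError:
            pass
    return open_ports


def assess(open_ports, cce_enabled):
    """Compare open ports with the expected CCE posture.

    Returns {"plaintext_open": [...], "encrypted_missing": [...]}; the second
    list is only populated when CCE is enabled, because only then does the
    paper require every connection to use the encrypted port.
    """
    plaintext_open = sorted(p for p in PLAINTEXT_PAIRS if p in open_ports)
    encrypted_missing = []
    if cce_enabled:
        encrypted_missing = sorted(
            enc for enc, _ in PLAINTEXT_PAIRS.values() if enc not in open_ports)
    return {"plaintext_open": plaintext_open, "encrypted_missing": encrypted_missing}


def report(open_ports, cce_enabled):
    """Human-readable findings, one line per issue (empty list means compliant)."""
    findings = assess(open_ports, cce_enabled)
    lines = []
    for port in findings["plaintext_open"]:
        enc, service = PLAINTEXT_PAIRS[port]
        severity = "VIOLATION" if cce_enabled else "INFO"
        lines.append(f"{severity}: {service} plaintext port {port} open; encrypted alternative is {enc}")
    for enc in findings["encrypted_missing"]:
        lines.append(f"WARNING: encrypted port {enc} not reachable although CCE is enabled")
    return lines


if __name__ == "__main__":
    # Constructed inventory standing in for a live probe result.
    sample_open = {22, 5781, 5782, 5783, 5989}
    for line in report(sample_open, cce_enabled=True) or ["compliant"]:
        print(line)
```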


Customer controlled access setting


CCA allows the user to limit the network communication of external sources inbound and outbound to the HP 3PAR
Service Processor. There are three setting modes which govern communication of the HP 3PAR Service Processor to
HP 3PAR Central:
• Turn off HP 3PAR Central communication: this setting blocks all communication between the HP 3PAR Service
  Processor and HP 3PAR Central as well as any other inbound/outbound communication[3]
• Set outbound only communication: this setting allows the HP 3PAR Service Processor to send data outbound to
  HP 3PAR Central but all inbound communications are blocked
• Set bi-directional communication: this setting allows for communication both in and out of the HP 3PAR Service
  Processor, including remote access by qualified HP 3PAR Support Personnel and allowing HP 3PAR Central to stage new
  software updates on the HP 3PAR Service Processor.

HP 3PAR Policy Server


The HP 3PAR Policy Server software is a server-based software application that allows customers to define and implement
remote service access policies. This software application resides on a customer's network and sets and controls all secure
service permissions. With the HP 3PAR Policy Server, customers can allow or deny outbound communications or remote
service connections to and from HP 3PAR StoreServ arrays. The HP 3PAR Policy Server also serves as a centralized
collection point for collecting and storing audit log files of all diagnostic transfers and authorized remote service
connections to and from HP 3PAR StoreServ arrays managed by the policy server.

Note
The Policy Server supersedes and effectively disables the CCA mechanism which was previously described. The Policy Server
gives the end user greater granularity of control and improved audit capability.

Figure 10. HP 3PAR Policy Server

Figure 10 illustrates the implementation of the HP 3PAR Policy Server within a customer environment. The HP 3PAR Policy
Server is used in the authentication of access to the HP 3PAR StoreServ environment. The HP 3PAR Policy Server is a
licensed feature.
The HP 3PAR Policy Server supports SSL/TLS protocols and uses either port 443 or 8443 with the application. During the
installation of the policy server, it will be configured with an SSL protocol. The connection of the HP 3PAR Service Processor to
the policy server is defined at the MOB on the SP. The policy server can be added any time after the SP MOB; the SP can be
changed to reflect the addition of the policy server.
The HP 3PAR Policy Server offers the following features:
• Provides flexible and granular control in defining and implementing remote services access policies
• Allows centralized audit for all devices being managed
• Provides a secure audit log for the purpose of reporting and compliance
3

HP Document QL22696586


Pre-stage HP 3PAR software components on HP 3PAR Service Processor


Beginning with version 4.2 of the HP 3PAR Service Processor, a software change was implemented to support customer
self-upgrades on the HP 3PAR StoreServ 7200, 7400, and 7450: HP pre-stages upgrades on the HP 3PAR Service Processor
when permitted. HP 3PAR Central periodically pushes software updates and patches to a folder location on the HP 3PAR
Service Processor.
Pre-staging the software does not start the upgrade process; the customer is still required to initiate the upgrade
using the upgrade tool contained within the HP 3PAR Service Processor Onsite Customer Care, located on the
HP 3PAR Service Processor. For information regarding upgrading software, please refer to hp.com/support/manuals for
all documentation pertaining to upgrading HP 3PAR OS.
Figure 11 illustrates the process by which HP 3PAR OS updates are transferred.
Figure 11. HP 3PAR OS updates

Data transmissions between HP 3PAR Central and the user's site use HTTPS and secure SSL
HP 3PAR Central initiates a request to transfer HP 3PAR OS updates
If the update is authorized, HP 3PAR Central initiates the handshake and Certificate of Authority verification
A secure cipher is negotiated and software updates for the HP 3PAR Storage components are staged on the HP 3PAR
Service Processor
All data is staged on the HP 3PAR Service Processor; no data is communicated to the HP 3PAR StoreServ array
The customer is notified of upgraded software that is pending on the HP 3PAR Service Processor
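The receiving side of the flow above, as an added illustrative example that is not HP's Service Processor code: a TLS client context that requires server certificate verification and refuses anything below TLS 1.2 (the practical meaning of "secure SSL" today), and a staging step that writes the package into a staging folder and records it as pending in a manifest without applying it. The manifest file name, package name and payload are constructed for this example.

```python
# Added illustrative example (not HP's Service Processor code) of the receiving side of
# the pre-staging flow: a verifying TLS client context plus a staging step that records
# an update as "pending" without applying it. Folder, file and package names are
# constructed for this example.
import hashlib
import json
import os
import ssl
import tempfile
from datetime import datetime, timezone

MANIFEST_NAME = "staged_updates.json"  # hypothetical manifest file name


def build_client_context(ca_file=None):
    """Client-side TLS context for fetching updates from an update server.

    ca_file: optional PEM bundle holding the issuing CA the server must chain to;
    when omitted the platform trust store is used. The server certificate is always
    required and checked against the requested hostname, and SSLv3/TLS 1.0/1.1 are
    refused by setting a TLS 1.2 floor.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def describe_context(ctx):
    """Plain-value summary of the settings that matter for verification."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def load_manifest(staging_dir):
    """Read the staging manifest, or an empty one if nothing has been staged yet."""
    path = os.path.join(staging_dir, MANIFEST_NAME)
    if not os.path.exists(path):
        return {}
    with open(path) as fh:
        return json.load(fh)


def stage_update(staging_dir, package_name, payload):
    """Write payload into the staging folder and mark it pending in the manifest.

    Nothing here touches the array; applying the update is a separate,
    customer-initiated step, which is the point of pre-staging.
    """
    os.makedirs(staging_dir, exist_ok=True)
    path = os.path.join(staging_dir, package_name)
    with open(path, "wb") as fh:
        fh.write(payload)
    entry = {
        "name": package_name,
        "path": path,
        "sha256": hashlib.sha256(payload).hexdigest(),
        "size": len(payload),
        "staged_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "status": "pending",  # changes only when the customer runs the upgrade tool
    }
    manifest = load_manifest(staging_dir)
    manifest[package_name] = entry
    with open(os.path.join(staging_dir, MANIFEST_NAME), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return entry


def pending_updates(staging_dir):
    """Names of staged packages not yet applied (what the status page would notify)."""
    return sorted(n for n, e in load_manifest(staging_dir).items() if e["status"] == "pending")


def verify_staged(staging_dir, package_name):
    """Re-hash the staged file and compare with the manifest before an upgrade uses it."""
    entry = load_manifest(staging_dir)[package_name]
    with open(entry["path"], "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest() == entry["sha256"]


def demo():
    """Stage a constructed payload in a temporary folder; returns (entry, pending, ok)."""
    staging_dir = tempfile.mkdtemp(prefix="sp_staging_")
    entry = stage_update(staging_dir, "hp3par-os-update-EXAMPLE.bin", b"constructed update payload")
    return entry, pending_updates(staging_dir), verify_staged(staging_dir, entry["name"])


if __name__ == "__main__":
    print(describe_context(build_client_context()))
    print(demo())
```

The manifest hash lets the later, customer-initiated upgrade step confirm that the file it is about to apply is the one that was staged, which is the check a practitioner would want between "staged" and "applied".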

HP 3PAR Service Processor status indications


A key element in monitoring a user's HP 3PAR StoreServ array for optimal operation is confirming that the HP 3PAR
Service Processor is transmitting status information for the data being monitored. The user can inquire about these
operations using a secure login to the web server on port 443, or an SSH login on port 22 using a connection
program such as PuTTY.

SPOCC website
The SPOCC website login page displays the status of the HP 3PAR Service Processor. The home page displays the following
information regarding both the HP 3PAR Service Processor and the HP 3PAR StoreServ array.
SP version: Current code version of the HP 3PAR Service Processor
HP 3PAR StoreServ OS version: Current version of HP 3PAR OS and notification of a new version of HP 3PAR OS that has
been staged on the SP
CCA: Customer controls network access to the SP; the selections are:
  Turn off HQ communications
  Set outbound only HQ communications; no remote access
  Set bi-directional HQ communications; remote access allowed
  Enable automatic software download from HQ
Remote operations: Transfer medium, i.e., Ethernet
SP firewall status: Displays the SP Firewall Control
Transfer status: Status of the ability to transfer data from the SP (see figure 11)
SP process status: Displays all currently collecting processes on the SP
SP storage space status: Displays the status of space available on the SP disk
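The three access modes listed under CCA above (off, outbound only, bi-directional) are the same decisions the HP 3PAR Policy Server described earlier makes per array, with every decision written to an audit log. The following is an added illustrative model of that control point, not HP's Policy Server or Service Processor code; the array identifiers, requester names and the JSON audit record layout are constructed for the example. Arrays with no configured policy are treated as off, a deny-by-default choice that the page does not state but that is the conservative one for an access control point.

```python
# Added illustrative model (not HP's Policy Server code): a minimal policy evaluator
# with the three access modes the white paper lists (off, outbound only, bi-directional)
# and an append-only audit record for every decision. Array identifiers, requester
# names and the JSON record layout are constructed for this example.
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class AccessPolicy(Enum):
    """Per-array remote service policy, mirroring the CCA selections on the SPOCC page."""
    OFF = "off"                      # turn off HQ communications entirely
    OUTBOUND_ONLY = "outbound_only"  # diagnostic transfers out, no remote access in
    BIDIRECTIONAL = "bidirectional"  # remote service connections allowed in


class Direction(Enum):
    OUTBOUND = "outbound"  # SP -> HP 3PAR Central (diagnostic transfer)
    INBOUND = "inbound"    # HP 3PAR Central -> SP (remote service connection)


@dataclass
class PolicyServer:
    """Holds the policy per array and an audit log of every evaluation."""
    policies: dict                        # array_id -> AccessPolicy
    audit_log: list = field(default_factory=list)

    def evaluate(self, array_id, direction, requester, purpose):
        """Return True if the request is permitted; always write an audit entry.

        Arrays with no configured policy are treated as OFF (deny by default);
        this default is an assumption of the example, not something the page states.
        """
        policy = self.policies.get(array_id, AccessPolicy.OFF)
        if policy is AccessPolicy.OFF:
            allowed = False
        elif policy is AccessPolicy.OUTBOUND_ONLY:
            allowed = direction is Direction.OUTBOUND
        else:  # BIDIRECTIONAL
            allowed = True
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "array": array_id,
            "direction": direction.value,
            "requester": requester,
            "purpose": purpose,
            "policy": policy.value,
            "decision": "allow" if allowed else "deny",
        })
        return allowed

    def audit_lines(self):
        """Audit log as one JSON object per line, suitable for a central collector."""
        return [json.dumps(entry, sort_keys=True) for entry in self.audit_log]

    def denied_count(self):
        """Number of denied requests, a quick signal worth watching on the audit log."""
        return sum(1 for e in self.audit_log if e["decision"] == "deny")


def demo():
    """Walk through the modes with constructed array ids; returns (decisions, server)."""
    server = PolicyServer({
        "ARRAY-A": AccessPolicy.OUTBOUND_ONLY,
        "ARRAY-B": AccessPolicy.BIDIRECTIONAL,
        "ARRAY-C": AccessPolicy.OFF,
    })
    decisions = [
        server.evaluate("ARRAY-A", Direction.OUTBOUND, "sp-a", "periodic data collection"),
        server.evaluate("ARRAY-A", Direction.INBOUND, "hp-support", "remote diagnostics"),
        server.evaluate("ARRAY-B", Direction.INBOUND, "hp-support", "remote diagnostics"),
        server.evaluate("ARRAY-C", Direction.OUTBOUND, "sp-c", "event data collection"),
        server.evaluate("ARRAY-X", Direction.OUTBOUND, "sp-x", "unregistered array"),
    ]
    return decisions, server


if __name__ == "__main__":
    results, srv = demo()
    print(results)
    print("\n".join(srv.audit_lines()))
```

Because the audit entry is written before the decision is returned, a denied inbound connection attempt leaves the same kind of record as an allowed one, which is what makes the log useful for the reporting and compliance purpose the page describes.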


Figure 12. HP 3PAR Service Processor data transfer status

HP 3PAR Service Processor SSH port 22 menu


The user can log in to the HP 3PAR Service Processor through SSH on port 22. Data displayed via this login method is
presented through a menu-driven system. Status and control of the settings described above can be reached by selecting
item 1 on the menu and then selecting the appropriate submenus from there.

Frequently asked questions


Q. I am company XY Widget and I currently hold a CA; can I use my CA to communicate with HP 3PAR Central?
A. No, you cannot use your CA to communicate with HP 3PAR Central; the communication must use the signed HP Certificate
of Authority. Use the HP 3PAR StoreServ tools to generate a CSR (certificate signing request).
Q. Can I turn the unneeded ports on the HP 3PAR StoreServ array off at the array?
A. At this point, the user can only either enable all ports to be encrypted or unencrypted. The user cannot identify individual
ports to be turned off or on. However, many ports are disabled if the associated service is unused (CIM, WSAPI, SNMP, etc.).
The CC environment causes certain ports to be firewalled so that they cannot be used from outside of the array.
Q. If I use the common criteria environment, can I still communicate via unencrypted ports?
A. No, all communications must be encrypted; this includes all applications, and any management interface
traffic uses some form of encryption in the channel.
Q. Can I use my own signed Certificate of Authority within the data center for communication to the array?
A. Yes, any internal communication within the data center can use a user's CA. The CA can be signed by a verified
authority or can be self-generated using the HP 3PAR StoreServ CSR as outlined in the earlier question.
Q. Can I change my secure service options once I have completed the Moment of Birth, or do I need to rerun the Moment of
Birth?
A. Yes, the user can make policy changes any time after the Moment of Birth through the HP 3PAR Service Processor and the
Service Processor Onsite Customer Care webpage.
Q. How long is my data kept at HP 3PAR Central?
A. Data is constantly being refreshed in the STaTS database. The current retention period is approximately 30 days.
Q. Does HP still deploy modems on their storage arrays?
A. No, modem support was discontinued with the release of HP 3PAR Service Processor 4.1.0.


Terminology
MC: Management Console
SP: Service Processor
VSP: Virtual Service Processor
RAP: Remote Access Protocol
STaTS: Service Tools and Technical Service
HP 3PAR OS: Operating System for HP 3PAR StoreServ array
MOB: Moment of Birth
HTTPS: Hypertext Transfer Protocol Service
SSA: Secure Service Architecture
SPOCC: Service Processor Onsite Customer Care
SSH: Secure Shell
FTP: File Transfer Protocol
CA: Certificate of Authority
CSR: Certificate Signing Request
NAT: Network Address Translation
SLP: Service Location Protocol
SSMC: StoreServ Management Console
NTP: Network Time Protocol
CCE: Common Computing Evaluation
CCA: Customer Control Access
TLS: Transport Layer Security
SSL: Secure Sockets Layer

Learn more at
hp.com/go/StoreServ

Sign up for updates


hp.com/go/getupdated


Copyright 2011, 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only
warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should
be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
Microsoft is a U.S. registered trademark of the Microsoft group of companies. Linux is the registered trademark of Linus Torvalds in the U.S. and other
countries. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions.
4AA3-7592ENW, August 2014, Rev. 1
