Home » Dell Manuals » Hubs & Switches » Dell PowerConnect Brocade 300 » Manual Viewer

Dell PowerConnect Brocade 300 Fabric OS Administrator's Guide v7.1.0 - Page 207

Creating an SCC policy, Authentication policy for fabric elements

View all Dell PowerConnect Brocade 300 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 207 highlights

Authentication policy for fabric elements 7 Creating an SCC policy 1. Connect to the switch and log in using an account with admin permissions, or an account with OM permissions for the Security RBAC class of commands. 2. Enter the secPolicyCreate "SCC_POLICY" command. 3. Save or activate the new policy by entering either the secPolicySave or the secPolicyActivate command. If neither of these commands is entered, the changes are lost when the session is logged out. Example of creating an SCC policy For example, to create an SCC policy that allows switches that have domain IDs 2 and 4 to join the fabric: switch:admin> secpolicycreate "SCC_POLICY", "2;4" SCC_POLICY has been created switch:admin> secpolicysave Authentication policy for fabric elements By default, Fabric OS v6.2.0 and later use Diffie Hellman - Challenge Handshake Authentication Protocol) (DH-CHAP) or Fibre Channel Authentication Protocol (FCAP) for authentication. These protocols use shared secrets and digital certificates, based on switch WWN and public key infrastructure (PKI) technology, to authenticate switches. Authentication automatically defaults to FCAP if both switches are configured to accept FCAP protocol in authentication, unless ports are configured for in-flight encryption, in which case authentication defaults to DH-CHAP if both switches are configured to accept the DH-CHAP protocol in authentication. To use FCAP on both switches, PKI certificates have to be installed. NOTE The fabric authentication feature is available in base Fabric OS. No license is required. FCAP requires the exchange of certificates between two or more switches to authenticate to each other before they form or join a fabric. Beginning with Fabric OS v7.0.0, these certificates are no longer issued by Brocade, but by a third-party which is now the root CA for all of the issued certificates. You can use Brocade and third-party certificates between switches that are Fabric OS v6.4.0, but only Brocade-issued certificates (where Brocade is the root CA) for Fabric OS versions earlier than v6.4.0. The certificates must be in PEM (Privacy Enhanced Mail) encoded format for both root and peer certificates. The switch certificates issued from the third-party vendors can be directly issued from the root CA or from an intermediate CA authority. When you configure DH-CHAP authentication, you also must define a pair of shared secrets known to both switches as a secret key pair. Figure 13 illustrates how the secrets are configured. A secret key pair consists of a local secret and a peer secret. The local secret uniquely identifies the local switch. The peer secret uniquely identifies the entity to which the local switch authenticates. Every switch can share a secret key pair with any other switch or host in a fabric. To use DH-CHAP authentication, a secret key pair has to be configured on both switches. For more information on setting up secret key pairs, refer to "Setting a secret key pair" on page 214. When configured, the secret key pair is used for authentication. Authentication occurs whenever there is a state change for the switch or port. The state change can be due to a switch reboot, a switch or port disable and enable, or the activation of a policy. Fabric OS Administrator's Guide 207 53-1002745-02

Section	Page
Contents (High Level)	3
Contents	5
Figures	25
Tables	29
About This Document	33
How this document is organized	33
Supported hardware and software	34
What’s new in this document	35
Document conventions	36
Notice to the reader	37
Additional information	38
Getting technical help	38
Document feedback	40
Understanding Fibre Channel Services	43
Fibre Channel services overview	43
Management server	44
Platform services	44
Platform services and Virtual Fabrics	45
Enabling platform services	45
Disabling platform services	45
Management server database	45
Displaying the management server ACL	46
Adding a member to the ACL	46
Deleting a member from the ACL	47
Viewing the contents of the management server database	48
Clearing the management server database	49
Topology discovery	49
Displaying topology discovery status	49
Enabling topology discovery	49
Disabling topology discovery	50
Device login	51
Principal switch	51
E_Port login process	51
Fabric login process	52
Port login process	52
RSCNs	52
Duplicate Port World Wide Name	53
Device recovery	53
High availability of daemon processes	53
Performing Basic Configuration Tasks	55
Fabric OS overview	55
Fabric OS command line interface	56
Notes	56
Console sessions using the serial port	56
Connecting to Fabric OS through the serial port	56
Telnet or SSH sessions	57
Rules for Telnet connections	57
Connecting to Fabric OS using Telnet	58
Getting help on a command	58
Viewing a history of command line entries	59
Password modification	61
Default account passwords	61
Changing the default account passwords at login	62
The switch Ethernet interface	62
Brocade Backbones	62
Brocade switches	62
Virtual Fabrics and the Ethernet interface	63
Displaying the network interface settings	63
Static Ethernet addresses	64
Setting the static addresses for the Ethernet network interface	65
Setting the static addresses for the chassis management IP interface	65
DHCP activation	66
Enabling DHCP for IPv4	66
Disabling DHCP for IPv4	67
IPv6 autoconfiguration	68
Setting IPv6 autoconfiguration	68
Date and time settings	69
Setting the date and time	69
Time zone settings	69
Setting the time zone	70
Setting the time zone interactively	71
Network time protocol	71
Synchronizing the local time with an external source	71
Domain IDs	72
Domain ID issues	72
Displaying the domain IDs	73
Setting the domain ID	74
Switch names	74
Restrictions	74
Customizing the switch name	74
Chassis names	75
Customizing chassis names	75
Fabric name	75
Configuring the fabric name	75
High availability considerations for fabric names	76
Upgrade and downgrade considerations for fabric names	76
Config file upload and download considerations for fabric names	76
Switch activation and deactivation	76
Disabling a switch	76
Enabling a switch	76
Switch and Backbone shutdown	76
Powering off a Brocade switch	77
Powering off a Brocade Backbone	77
Basic connections	78
Device connection	78
Switch connection	78
Performing Advanced Configuration Tasks	79
Port Identifiers (PIDs) and PID binding overview	79
Core PID addressing mode	80
Fixed addressing mode	80
10-bit addressing mode	80
256-area addressing mode	81
WWN-based PID assignment	82
Virtual Fabrics considerations for WWN-based PID assignment	82
NPIV	82
Enabling automatic PID assignment	82
Assigning a static PID	83
Clearing PID binding	83
Showing PID assignments	83
Ports	84
Port Types	84
Backbone port blades	84
Configuring two Ethernet ports on one CP8 blade	85
Upgrade and Downgrade considerations	86
Supported devices	86
Setting up the second Ethernet port on a CP8 blade	86
Setting port names	86
Port identification by slot and port number	87
Port identification by port area ID	87
Port identification by index	87
Configuring a device-switch connection	88
Swapping port area IDs	88
Port activation and deactivation	89
Enabling a port	89
Disabling a port	90
Port decommissioning	90
Setting port modes	90
Setting port speeds	92
Setting all ports on a switch to the same speed	92
Setting port speed for a port octet	93
Blade terminology and compatibility	93
CP blades	95
Core blades	95
Port and application blade compatibility	96
FX8-24 compatibility notes	96
Enabling and disabling blades	96
Enabling blades	97
FC8-48, FC8-48E, FC8-64, and FC16-48 port blade enabling exceptions	97
Disabling blades	97
Blade swapping	97
How blades are swapped	98
Swapping blades	100
Enabling and disabling switches	100
Power management	101
Powering off a port blade	102
Powering on a port blade	102
Equipment status	102
Checking switch operation	102
Verifying High Availability features (Backbones only)	103
Verifying fabric connectivity	103
Verifying device connectivity	104
Track and control switch changes	104
Enabling the track changes feature	104
Displaying the status of the track changes feature	105
Viewing the switch status policy threshold values	105
Setting the switch status policy threshold values	106
Audit log configuration	107
Verifying host syslog prior to configuring the audit log	108
Configuring an audit log for specific event classes	108
Duplicate PWWN handling during device login	109
Setting the behavior for handling duplicate PWWNs	110
Routing Traffic	111
Routing overview	111
Paths and route selection	112
FSPF	112
Fibre Channel NAT	113
Inter-switch links	114
Buffer credits	115
Congestions versus over-subscription	115
Virtual channels	115
Gateway links	117
Configuring a link through a gateway	118
Routing policies	118
Displaying the current routing policy	119
Port-based routing	119
Exchange-based routing	119
Device-based routing	120
AP route policies	120
Routing in Virtual Fabrics	120
Setting the routing policy	121
Setting up the AP route policy	121
Route selection	122
Dynamic Load Sharing	122
Setting DLS	122
Frame order delivery	123
Forcing in-order frame delivery across topology changes	123
Restoring out-of-order frame delivery across topology changes	123
Using Frame Viewer to understand why frames are dropped	124
Notes	124
Filtering Results by Back-End Port in Frame Viewer	124
Lossless Dynamic Load Sharing on ports	125
Lossless core	126
ICL limitations	127
Traffic flow limitations	127
Configuring Lossless Dynamic Load Sharing	127
Lossless Dynamic Load Sharing in Virtual Fabrics	127
How DLS affects other logical switches in the fabric	127
Enabling forward error correction (FEC)	128
Limitations	128
Enabling forward error correction	129
Disabling forward error correction	129
Enabling and Disabling FEC for long distance ports	129
Viewing current FEC settings	129
Frame Redirection	130
Creating a frame redirect zone	130
Deleting a frame redirect zone	131
Viewing frame redirect zones	131
Managing User Accounts	133
User accounts overview	133
Role-Based Access Control	134
Admin Domain considerations	135
Role permissions	135
The management channel	136
Managing user-defined roles	136
Creating a user-defined role	136
Assigning a user-defined role to a user	137
Local database user accounts	137
Default accounts	138
Displaying account information	138
Creating an account	138
Deleting an account	139
Changing account parameters	139
Local account passwords	139
Changing the password for the current login account	139
Changing the password for a different account	140
Local user account database distribution	140
Distributing the local user database	140
Accepting distributed user databases on the local switch	140
Rejecting distributed user databases on the local switch	141
Password policies	141
Password strength policy	141
Password history policy	142
Password expiration policy	143
Account lockout policy	143
Enabling the admin lockout policy	144
Unlocking an account	144
Disabling the admin lockout policy	144
Denial of service implications	145
The boot PROM password	145
Setting the boot PROM password for a switch with a recovery string	145
Setting the boot PROM password for a Backbone with a recovery string	146
Setting the boot PROM password for a switch without a recovery string	147
Setting the boot PROM password for a Backbone without a recovery string	148
Remote authentication	149
Remote Authentication Configuration	149
Client/server model	149
Authentication server data	150
Switch configuration	150
Supported LDAP options	151
Command options	151
Setting the switch authentication mode	152
Fabric OS user accounts	152
Fabric OS users on the RADIUS server	154
Windows 2000 IAS	154
RADIUS configuration with Admin Domains or Virtual Fabrics	155
Setting up a RADIUS server	156
Configuring RADIUS server support with Linux	156
Configuring RADIUS server support with Windows 2000	158
RSA RADIUS server	160
LDAP configuration and Microsoft Active Directory	162
Configuring Microsoft Active Directory LDAP service	163
Creating a user	164
Creating a group	164
Assigning the group (role) to the user	164
Adding an Admin Domain or Virtual Fabric list	164
Adding attributes to the Active Directory schema	165
LDAP configuration and OpenLDAP	165
OpenLDAP server configuration overview	166
Enabling group membership	166
Adding entries to the directory	167
Assigning a user to a group	168
Assigning the LDAP role to a switch role	168
Modifying an entry	168
Adding an Admin Domain or Virtual Fabric list	169
TACACS+ service	171
TACACS+ configuration overview	171
Configuring the TACACS+ server on LINUX	172
The tac_plus.cfg file	172
Configuring a Windows TACACS+ server	174
Remote authentication configuration on the switch	174
Adding an authentication server to the switch configuration	175
Enabling and disabling remote authentication	175
Deleting an authentication server from the configuration	175
Changing an authentication server configuration	175
Changing the order in which authentication servers are contacted for service	175
Displaying the current authentication configuration	176
Configuring local authentication as backup	176
Configuring Protocols	177
Security protocols	177
Secure Copy	178
Setting up SCP for configuration uploads and downloads	179
Secure Shell protocol	179
SSH public key authentication	180
Allowed-user	180
Configuring incoming SSH authentication	180
Configuring outgoing SSH authentication	181
Deleting public keys on the switch	182
Deleting private keys on the switch	182
Secure Sockets Layer protocol	182
Browser and Java support	182
SSL configuration overview	183
Certificate authorities	183
Generating a public-private key pair	183
Generating and storing a Certificate Signing Request	184
Obtaining certificates	185
Installing a switch certificate	185
The browser	186
Checking and installing root certificates on Internet Explorer	186
Checking and installing root certificates on Mozilla Firefox	187
Root certificates for the Java plugin	187
Installing a root certificate to the Java plugin	187
Simple Network Management Protocol	188
SNMP and Virtual Fabrics	189
Filtering ports	189
Switch and chassis context enforcement	189
SNMP security levels	190
SNMP configuration	190
Telnet protocol	190
Blocking Telnet	190
Unblocking Telnet	191
Listener applications	192
Ports and applications used by switches	192
Port configuration	193
Configuring Security Policies	195
ACL policies overview	195
How the ACL policies are stored	195
Policy members	196
ACL policy management	196
Displaying ACL policies	197
Saving changes without activating the policies	197
Activating ACL policy changes	197
Deleting an ACL policy	197
Adding a member to an existing ACL policy	198
Removing a member from an ACL policy	198
Abandoning unsaved ACL policy changes	198
FCS policies	199
FCS policy restrictions	199
Ensuring fabric domains share policies	200
Creating an FCS policy	201
Modifying the order of FCS switches	201
FCS policy distribution	202
Device Connection Control policies	203
DCC policy restrictions	203
Creating a DCC policy	204
Deleting a DCC policy	205
DCC policy behavior with Fabric-Assigned PWWNs	205
SCC Policies	206
Creating an SCC policy	207
Authentication policy for fabric elements	207
E_Port authentication	208
Configuring E_Port authentication	209
Re-authenticating E_Ports	210
Device authentication policy	210
Configuring device authentication	211
AUTH policy restrictions	211
Authentication protocols	212
Viewing the current authentication parameter settings for a switch	212
Setting the authentication protocol	212
Secret key pairs for DH-CHAP	213
Viewing the list of secret key pairs in the current switch database	213
Setting a secret key pair	214
FCAP configuration overview	215
Generating the key and CSR for FCAP	215
Exporting the CSR for FCAP	216
Importing CA for FCAP	216
Importing the FCAP switch certificate	216
Starting FCAP authentication	217
Fabric-wide distribution of the authorization policy	217
IP Filter policy	217
Creating an IP Filter policy	218
Cloning an IP Filter policy	218
Displaying an IP Filter policy	218
Saving an IP Filter policy	218
Activating an IP Filter policy	219
Deleting an IP Filter policy	219
IP Filter policy rules	219
Source address	220
Destination port	220
Protocol	221
Action	221
Traffic type and destination IP	222
Implicit filter rules	222
Default policy rules	222
IP Filter policy enforcement	223
Adding a rule to an IP Filter policy	223
Deleting a rule from an IP Filter policy	223
Aborting an IP Filter transaction	223
IP Filter policy distribution	224
Managing filter thresholds	224
Policy database distribution	224
Database distribution settings	225
Displaying the database distribution settings	226
Enabling local switch protection	226
Disabling local switch protection	226
ACL policy distribution to other switches	227
Distributing the local ACL policies	227
Fabric-wide enforcement	227
Displaying the fabric-wide consistency policy	228
Setting the fabric-wide consistency policy	228
Notes on joining a switch to the fabric	229
Matching fabric-wide consistency policies	229
Non-matching fabric-wide consistency policies	230
Management interface security	231
Configuration examples	231
Endpoint-to-endpoint transport or tunnel	231
Gateway-to-gateway tunnel	232
Endpoint-to-gateway tunnel	232
RoadWarrior configuration	233
IP sec protocols	233
Security associations	233
IP sec proposal	234
Authentication and encryption algorithms	234
IP sec policies	234
IP sec traffic selector	235
IP sec transform	235
IKE policies	235
Key management	235
Pre-shared keys	235
Security certificates	236
Static Security Associations	236
Creating the tunnel	236
Example of an end-to-end transport tunnel mode	238
Notes	240
Maintaining the Switch Configuration File	241
Configuration settings	241
Configuration file format	242
Chassis section	243
Switch section	244
Configuration file backup	244
Uploading a configuration file in interactive mode	245
Configuration file restoration	246
Restrictions	246
Configuration download without disabling a switch	248
Restoring a configuration	248
Configurations across a fabric	250
Downloading a configuration file from one switch to another switch of the same model	250
Security considerations	250
Configuration management for Virtual Fabrics	250
Uploading a configuration file from a switch with Virtual Fabrics enabled	251
Restoring a logical switch configuration using configDownload	251
Restrictions	252
Brocade configuration form	253
Installing and Maintaining Firmware	255
Firmware download process overview	255
Upgrading and downgrading firmware	257
Passwordless firmware download	257
Considerations for FICON CUP environments	257
HA sync state	257
Preparing for a firmware download	258
Obtaining and decompressing firmware	259
Connected switches	259
Finding the switch firmware version	259
Firmware download on switches	260
Switch firmware download process overview	260
Upgrading firmware for Brocade fixed-port switches	261
Firmware download on a Backbone	262
Backbone firmware download process overview	262
Upgrading firmware on Backbones (including blades)	263
Firmware download from a USB device	265
Enabling the USB device	265
Viewing the USB file system	265
Downloading from the USB device using the relative path	266
Downloading from the USB device using the absolute path	266
FIPS support	266
Public and private key management	266
Updating the firmware key	267
The firmwareDownload command	267
Configuring a switch for signed firmware	267
Power-on firmware checksum test	268
Testing and restoring firmware on switches	268
Testing a different firmware version on a switch	268
Testing and restoring firmware on Backbones	270
Testing different firmware versions on Backbones	270
Validating a firmware download	273
Managing Virtual Fabrics	275
Virtual Fabrics overview	275
Logical switch overview	276
Default logical switch	276
Logical switches and fabric IDs	277
Port assignment in logical switches	278
Logical switches and connected devices	279
Management model for logical switches	281
Logical fabric overview	281
Logical fabric and ISLs	282
Base switch and extended ISLs	283
Base fabric	285
Logical ports	285
Logical fabric formation	285
Account management and Virtual Fabrics	286
Supported platforms for Virtual Fabrics	286
Supported port configurations in the fixed-port switches	286
Restrictions on fixed-port switches	286
Supported port configurations in Brocade Backbones	287
Restrictions on Brocade Backbones	287
Virtual Fabrics interaction with other Fabric OS features	288
Limitations and restrictions of Virtual Fabrics	288
Restrictions on XISLs	289
Restrictions on moving ports	289
Enabling Virtual Fabrics mode	290
Disabling Virtual Fabrics mode	290

Match case Limit results 1 per page

Fabric OS Administrator’s Guide

207

53-1002745-02

Authentication policy for fabric elements

Creating an SCC policy

Connect to the switch and log in using an account with admin permissions, or an account with

OM permissions for the Security RBAC class of commands.

Enter the

secPolicyCreate “SCC_POLICY”

command.

Save or activate the new policy by entering either the

secPolicySave

or the

secPolicyActivate

command.

If neither of these commands is entered, the changes are lost when the session is logged out.

Example of creating an SCC policy

For example, to create an SCC policy that allows switches that have domain IDs 2 and 4 to join

the fabric:

switch:admin>

secpolicycreate "SCC_POLICY", "2;4"

SCC_POLICY has been created

switch:admin>

secpolicysave

Authentication policy for fabric elements

By default, Fabric OS v6.2.0 and later use Diffie Hellman - Challenge Handshake Authentication

Protocol) (DH-CHAP) or Fibre Channel Authentication Protocol (FCAP) for authentication. These

protocols use shared secrets and digital certificates, based on switch WWN and public key

infrastructure (PKI) technology, to authenticate switches. Authentication automatically defaults to

FCAP if both switches are configured to accept FCAP protocol in authentication, unless ports are

configured for in-flight encryption, in which case authentication defaults to DH-CHAP if both

switches are configured to accept the DH-CHAP protocol in authentication. To use FCAP on both

switches, PKI certificates have to be installed.

NOTE

The fabric authentication feature is available in base Fabric OS. No license is required.

FCAP requires the exchange of certificates between two or more switches to authenticate to each

other before they form or join a fabric. Beginning with Fabric OS v7.0.0, these certificates are no

longer issued by Brocade, but

by a third-party which is now the root CA for all of the issued

certificates. You can use Brocade and third-party certificates between switches that are Fabric OS

v6.4.0, but only Brocade-issued certificates (where Brocade is the root CA) for Fabric OS versions

earlier than v6.4.0. The certificates must be in PEM (Privacy Enhanced Mail) encoded format for

both root and peer certificates. The switch certificates issued from the third-party vendors can be

directly issued from the root CA or from an intermediate CA authority.

When you configure DH-CHAP authentication, you also must define a

pair of shared secrets

known

to both switches as a

secret key pair

Figure 13

illustrates how the secrets are configured. A

secret

key pair

consists of a local secret and a peer secret. The local secret uniquely identifies the local

switch. The peer secret uniquely identifies the entity to which the local switch authenticates. Every

switch can share a

secret key pair

with any other switch or host in a fabric.

To use DH-CHAP authentication, a

secret key pair

has to be configured on both switches. For more

information on setting up secret key pairs, refer to

“Setting a secret key pair”

on page 214.

When configured, the

secret key pair

is used for authentication. Authentication occurs whenever

there is a state change for the switch or port. The state change can be due to a switch reboot, a

switch or port disable and enable, or the activation of a policy.