Home » HP Manuals » Storage Devices » HP StorageWorks 1606 » Manual Viewer

HP StorageWorks 1606 Brocade Fabric OS Administrator's Guide v6.3.0 (53-100133 - Page 193

Security associations, Authentication and encryption algorithms, IPsec proposal

View all HP StorageWorks 1606 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 193 highlights

Management interface security 7 Security associations A security association (SA) is the collection of security parameters and authenticated keys that are negotiated between IPsec peers. For the peers to be able to encapsulate and decapsulate the IPsec packets, they need a way to store the secret keys, algorithms, and IP addresses involved in the communication. All these parameters needed for the protection of the IP datagram are stored in a security association (SA). The security associations are in turn stored in a security association database (SADB). An IPsec security association is a construct that specifies security properties that are recognized by communicating hosts. The properties of the SA are the security protocol (AH or ESP), destination IP address, and Security Parameter Index (SPI) number. SPI is an arbitrary 32-bit value contained in IPsec protocol headers (AH or ESP) and an IPsec SA is unidirectional. Because most communication is peer-to-peer or client-to-server, two SAs must be present to secure traffic in both directions. An SA specifies the IPsec protocol (AH or ESP), the algorithms used for encryption and authentication, and the expiration definitions used in security associations of the traffic. IKE uses these values in negotiations to create IPsec SAs. You must create an SA prior to creating an SA-proposal. You cannot modify an SA once it is created. Use the ipsecConfig --flush manual-sa command to remove all SA entries from the kernel SADB and re-create the SA. For more information on the ipSecConfig command, refer to the Fabric OS Command Reference. IPsec proposal The IPsec sa-proposal defines an SA or an SA bundle. An SA is a set of parameters that define how the traffic is protected using IPsec. These are the IPsec protocols to use for an SA, either AH or ESP, and the encryption and authentication algorithms to use to protect the traffic. For SA bundles, [AH, ESP] is the supported combination. Authentication and encryption algorithms IPsec uses different protocols to ensure the authentication, integrity, and confidentiality of the communication. Encapsulating Security Payload (ESP) provides confidentiality, data integrity and data source authentication of IP packets, and protection against replay attacks. Authentication Header (AH) provides data integrity, data source authentication, and protection against replay attacks, but unlike ESP, AH does not provide confidentiality. In AH and ESP, hmac_md5 and hmac_sha1 are used as authentication algorithms. Only in ESP, 3des_cbc, blowfish_cbc, aes256_cbc and null_enc are used as encryption algorithms. Use Table 38 when configuring the authentication algorithm. TABLE 38 Algorithms and associated authentication policies Algorithm Encryption Level Policy Description hmac_md5 hmac_sha1 128-bit 160-bit AH, ESP AH, ESP A stronger MAC because it is a keyed hash inside a keyed hash. When MD5 or SHA-1 is used in the calculation of an HMAC; the resulting MAC algorithm is termed HMAC-MD5 or HMAC-SHA-1 accordingly. NOTE: The MD5 hash algorithm is blocked when FIPS mode is enabled Fabric OS Administrator's Guide 151 53-1001336-01

Section	Page
Contents	5
Figures	25
Tables	29
About This Document	33
In this chapter	33
How this document is organized	33
Supported hardware and software	34
What’s new in this document	35
Document conventions	36
Text formatting	36
Command syntax conventions	37
Notes, cautions, and warnings	37
Key terms	37
Notice to the reader	38
Additional information	38
Brocade resources	38
Other industry resources	38
Getting technical help	39
Document feedback	40
Performing Basic Configuration Tasks	43
In this chapter	43
Fabric OS overview	43
Fabric OS command line interface	44
Console sessions using the serial port	44
Telnet or SSH sessions	45
Getting help on a command	46
Password modification	47
Default account passwords	47
The Ethernet interface on your switch	48
Virtual Fabrics and the Ethernet interface	48
Displaying the network interface settings	48
Static Ethernet addresses	49
DHCP activation	50
IPv6 autoconfiguration	52
Date and time settings	53
Setting the date and time	53
Time zone settings	53
Network time protocol	55
Domain IDs	56
Displaying the domain IDs	56
Setting the domain ID	57
Switch names	57
Customizing the switch name	58
Chassis names	58
Customizing chassis names	58
Switch activation and deactivation	58
Disabling a switch	58
Enabling a switch	59
Switch and enterprise-class platform shutdown	59
Powering off a Brocade switch	59
Powering off a Brocade enterprise-class platform	59
Basic connections	60
Device connection	60
Switch connection	60
Performing Advanced Configuration Tasks	63
In this chapter	63
PIDs and PID binding overview	63
Core PID addressing mode	64
Fixed addressing mode	64
10-bit addressing mode	64
256-area addressing mode	65
WWN-based PID assignment	65
Ports	67
Setting port names	68
Port identification by slot and port number	68
Port identification by port area ID	69
Port identification by index	69
Swapping port area IDs	70
Port activation and deactivation	70
Setting port speeds	71
Setting the same speed for all ports on the switch	71
Blade terminology and compatibility	72
CP blades	73
Core blades	74
Port and application blade compatibility	74
Enabling and disabling blades	75
Enabling blades	75
Disabling blades	76
Blade swapping	76
Swapping blades	77
Swapping blades	79
Power conservation	79
Powering off a port blade	80
Powering on a port blade	80
Inter-chassis links	80
Supported topologies	81
Gateway links	82
Configuring a link through a gateway	83
Equipment status	83
Checking switch operation	83
Verifying High Availability features (directors and enterprise-class platforms only)	83
Verifying fabric connectivity	85
Verifying device connectivity	85
Track and control switch changes	85
Enabling the track changes feature	86
Displaying the status of the track changes feature	86
Viewing the switch status policy threshold values	86
Setting the switch status policy threshold values	87
Audit log configuration	88
Auditable event classes	89
Verifying host syslog prior to configuring the audit log	90
Configuring an audit log for specific event classes	90
High availability of daemon processes	91
Understanding Fibre Channel Services	93
In this chapter	93
Fibre Channel services overview	93
The Management Server	94
Platform services	94
Platform services in a Virtual Fabric	94
Enabling platform services	95
Disabling platform services	95
Management server database	95
Displaying the management server ACL	96
Adding a member to the ACL	96
Deleting a member from the ACL	97
Viewing the contents of the management server database	98
Clearing the management server database	99
Topology discovery	99
Displaying topology discovery status	99
Enabling topology discovery	99
Disabling topology discovery	99
Routing Traffic	101
About this chapter	101
Routing overview	101
Path versus route selection	101
FSPF	102
Fibre Channel NAT	102
Routing policies	103
Displaying the current routing policy	103
Exchange-based routing	104
Port-based routing	104
AP route policy	104
Routing in Virtual Fabrics	105
Route selection	106
Dynamic load sharing	106
Static route assignment	106
Frame order delivery	107
Forcing in-order frame delivery across topology changes	108
Restoring out-of-order frame delivery across topology changes	108
Lossless Dynamic Load Sharing on ports	108
Configuring lossless dynamic load sharing on ports	108
Lossless dynamic load sharing in Virtual Fabrics	108
Frame Redirection	109
Creating a frame redirect zone	110
Deleting a frame redirect zone	110
Viewing redirect zones	110
Managing User Accounts	111
In this chapter	111
User accounts overview	111
Role-Based Access Control (RBAC)	112
The management channel	115
Local database user accounts	116
Default accounts	116
Local account passwords	117
Local account database distribution	118
Distributing the local user database	118
Accepting distribution of user databases on the local switch	118
Rejecting distributed user databases on the local switch	119
Password policies	119
Password strength policy	119
Password history policy	120
Password expiration policy	121
Account lockout policy	121
The boot PROM password	123
Setting the boot PROM password for a switch with a recovery string	123
Setting the boot PROM password for a director with a recovery string	124
Setting the boot PROM password for a switch without a recovery string	125
Setting the boot PROM password for a director without a recovery string	126
The authentication model using RADIUS and LDAP	127
Setting the switch authentication mode	129
Fabric OS user accounts	129
Fabric OS users on the RADIUS server	130
The RADIUS server	133
LDAP configuration and Microsoft Active Directory	139
Authentication servers on the switch	142
Configuring local authentication as backup	143
Configuring Standard Security Features	145
In this chapter	145
Security protocols	145
Secure Copy	146
Setting up SCP for configUploads and downloads	147
Secure Shell protocol	147
SSH public key authentication	148
Secure Sockets Layer protocol	150
Browser and Java support	150
SSL configuration overview	150
Certificate authorities	151
The browser	153
Root certificates for the Java Plug-in	154
Simple Network Management Protocol	155
SNMP and Virtual Fabrics	156
The security level	156
The snmpConfig command	157
Telnet protocol	157
Blocking Telnet	157
Unblocking Telnet	158
Listener applications	159
Ports and applications used by switches	159
Port configuration	160
Configuring Advanced Security Features	161
In this chapter	161
ACL policies overview	161
How the ACL policies are stored	161
Policy members	162
ACL policy management	162
Displaying ACL policies	163
Saving changes without activating the policies	163
Activating policy changes	163
Deleting an ACL policy	163
Adding a member to an existing ACL policy	164
Removing a member from an ACL policy	164
Aborting unsaved policy changes	164
FCS policies	165
FCS policy restrictions	165
Ensuring fabric domains share policies	166
Creating an FCS policy	166
Modifying the order of FCS switches	167
FCS policy distribution	167
DCC policies	168
DCC policy restrictions	169
Creating a DCC policy	169
Deleting a DCC policy	170
SCC policies	171
Creating an SCC policy	171
Authentication policy for fabric elements	172
E_Port authentication	173
Device authentication policy	174
AUTH policy restrictions	175
Authentication protocols	175
Secret key pairs	177
Fabric-wide distribution of the Auth policy	178
IP Filter policy	179
Creating an IP Filter policy	179
Cloning an IP Filter policy	179
Displaying an IP Filter policy	179
Saving an IP Filter policy	180
Activating an IP Filter policy	180
Deleting an IP Filter policy	180
IP Filter policy rules	180
IP Filter policy enforcement	182
Adding a rule to an IP Filter policy	183
Deleting a rule to an IP Filter policy	183
Aborting an IP Filter transaction	183
IP Filter policy distribution	183
Policy database distribution	184
Database distribution settings	185
ACL policy distribution to other switches	186
Fabric-wide enforcement	186
Notes on joining a switch to the fabric	188
Management interface security	190
Configuration examples	191
IPsec protocols	192
Security associations	193
Authentication and encryption algorithms	193
IPsec policies	194
IKE policies	194
Creating the tunnel	196
Example of an End-to-End Transport Tunnel mode	197
Maintaining the Switch Configuration File	201
In this chapter	201
Configuration settings	201
Configuration file format	202
Configuration file backup	204
Uploading a configuration file in interactive mode	205
Configuration file restoration	205
Restrictions	206
Configuration download without disabling a switch	207
Configuration restoration in a FICON environment	209
Configurations across a fabric	210
Downloading a configuration file from one switch to another same model switch	210
Security considerations	211
Configuration Management for Virtual Fabrics	211
Uploading a config file from a switch with Virtual Fabrics enabled	211
Restoring a logical switch using configDownload	212
Restrictions	213
Brocade configuration form	213
Installing and Maintaining Firmware	215
In this chapter	215
Firmware download process overview	215
Upgrading and downgrading firmware	216
Considerations for FICON CUP environments	217
HA sync state	217
Preparing for a firmware download	218
Connected switches	219
Finding the switch firmware version	219
Obtain and decompress firmware	219
Firmware download on switches	220
Switch firmware download process overview	220
Firmware download on an enterprise-class platform	222
Enterprise-class platform firmware download process overview	222
Firmware download from a USB device	226
Enabling USB	226
Viewing the USB file system	226
Downloading from USB using the relative path	226
Downloading from USB using the absolute path	226
SAS and SA applications	227
Downloading an application	227
FIPS Support	228
Public and Private Key Management	228
The firmwareDownload Command	229
Power-on Firmware Checksum Test	230
Test and restore firmware on switches	230
Testing a different firmware version on a switch	230
Test and restore firmware on enterprise-class platforms	232
Testing different firmware versions on enterprise-class platforms	232
Validating a firmware download	235
Managing Virtual Fabrics	237
In this chapter	237
Virtual Fabrics overview	237
Logical switch overview	238
Default logical switch	238
Logical switches and fabric IDs	240
Port assignment in logical switches	240
Logical switches and connected devices	241
Logical fabric overview	242
Logical fabric and ISLs	243
Logical fabric and ISL sharing	244
Management model for logical switches	247
Account management and Virtual Fabrics	248
Supported platforms for Virtual Fabrics	248
Supported port configurations in the Brocade 5100 and 5300	248
Supported port configurations in the Brocade DCX and DCX-4S	248
Virtual Fabrics interaction with other Fabric OS features	249
Limitations and restrictions of Virtual Fabrics	250
Restrictions on moving ports	251
Enabling Virtual Fabrics	251
Disabling Virtual Fabrics	252
Configuring logical switches to use basic configuration values	253
Creating a logical switch or base switch	253
Executing a command in a different logical fabric context	255
Deleting a logical switch	256
Adding and removing ports on a logical switch	256
Displaying logical switch configuration	257
Changing the fabric ID of a logical switch	258
Changing a logical switch to a base switch	259
Configuring a logical switch to use XISLs	260
Changing the context to a different logical fabric	261
Creating a logical fabric using XISLs	261
Administering Advanced Zoning	263
In this chapter	263
Special zones	263
Zoning overview	264
Zone types	265
Zone objects	266
Zone aliases	267
Zone configurations	268
Zoning enforcement	268
Considerations for zoning architecture	269
Best practices for zoning	270
Broadcast zones	270
Broadcast zones and Admin Domains	271
Broadcast zones and FC-FC routing	272
High availability considerations with broadcast zones	272
Loop devices and broadcast zones	272
Broadcast zones and default zoning	272
Zone aliases	273
Creating an alias	273
Adding members to an alias	273
Removing members from an alias	274
Deleting an alias	274
Viewing an alias in the defined configuration	275
Zone creation and maintenance	275
Creating a zone	275
Adding devices (members) to a zone	276
Removing devices (members) from a zone	276
Deleting a zone	277
Viewing a zone in the defined configuration	277
Validating a zone	277
Default zoning mode	278
Setting the default zoning mode	279
Viewing the current default zone access mode	279
Zoning database size	280
Zoning configurations	280
Creating a zoning configuration	280
Adding zones (members) to a zoning configuration	281
Removing zones (members) from a zone configuration	281
Enabling a zone configuration	282
Disabling a zone configuration	282
Deleting a zone configuration	283
Clearing changes to a configuration	283
Viewing all zone configuration information	283
Viewing selected zone configuration information	284
Viewing the configuration in the effective zone database	284
Clearing all zone configurations	285
Zone object maintenance	285
Copying a zone object	285
Deleting a zone object	286
Renaming a zone object	287
Zoning configuration management	287
New switch or fabric additions	287
Fabric segmentation and zoning	289
Security and zoning	289
Zone merging scenarios	290
Managing iSCSI Gateway Service	293
In this chapter	293
iSCSI gateway service overview	293
iSCSI session translation	294
Basic and advanced LUN mapping	295
iSCSI component identification of the IQN prefix	296
Access control with discovery domains	297
Switch-to-iSCSI initiator authentication	298
Load balancing through connection redirection	298
Supported iSCSI initiators	300
Checklist for configuring iSCSI	300
FC4-16IP blade configuration	302
FC4-16IP port numbering	302
Enabling the iSCSI gateway service	303
Enabling GbE ports	304
Configuring the GbE interface	305
iSCSI virtual target configuration	306
Automatic iSCSI VT creation	307
Manual iSCSI VT creation	309
Displaying the iSCSI virtual target LUN map	312
Displaying iSCSI VT state and status	313
Discovery domain and domain set configuration	313
Displaying iSCSI initiator IQNs	314
Creating discovery domains	314
Creating and enabling a discovery domain set	314
iSCSI initiator-to-VT authentication configuration	315
Setting the user name and shared secret	315
Binding user names to an iSCSI VT	315
Deleting user names from an iSCSI VT binding list	316
Displaying CHAP configurations	316
Committing the iSCSI-related configuration	316
Resolving conflicts between iSCSI configurations	317
LUN masking considerations	318
iSCSI FC zoning overview	318
iSCSI FC zone creation	319
Zoning configuration creation	323
Creating and enabling a zoning configuration	323
iSNS client service configuration	324
Displaying iSNS client service status	325
Enabling the iSNS client service	325
Disabling the iSNS client service	326
Clearing the iSNS client configuration	326
Administering NPIV	327
In this chapter	327
NPIV overview	327
Fixed addressing mode	327
10-Bit addressing mode	327
Enabling and disabling NPIV	328
Configuring NPIV	328
Viewing NPIV port configuration information	329
Viewing virtual PID login information	331
Interoperability for Merged SANs	333
In this chapter	333
Interoperability overview	333
Connectivity solutions	334
Domain ID offset modes	335
Configuring the Domain_ID offset	336
McDATA Fabric mode configuration restrictions	336
McDATA Open Fabric mode configuration restrictions	337
Interoperability support for logical switches	338
Switch configurations for interoperability	338
Enabling McDATA Open Fabric mode	339
Enabling McDATA Fabric mode	339
Enabling Brocade Native mode	340
Zone management in interoperable fabrics	341
Zoning restrictions	341
Zone name restrictions	342
Zoning modes	342
Setting the safe zone mode on a stand-alone switch	343
Setting the safe zone mode fabric-wide	343
Disabling safe zone mode	343
Effective zone configuration	343
Saving the effective zone configuration to the Defined Database	344
Frame Redirection in interoperable fabrics	344
Traffic Isolation zones in interoperable fabrics	345
Brocade SANtegrity implementation in mixed fabric SANS	345
Fabric OS Layer 2 Fabric Binding	346
E_Port authentication between Fabric OS and M-EOS switches	346
Switch authentication policy	348
Dumb switch authentication	351
Authentication of EX_Port, VE_Port, and VEX_Port connections	352
Authentication of VE_Port-to-VE_Port connections	353
Authentication of VEX_Port-to-VE_Port connections	356
Authentication of VEX_Port-to-VEX_Port connections	357
FCR SANtegrity	357
Fabric Binding behavior in a mixed fabric	358
Configuring the preferred domain ID and the insistent domain ID	358
FICON implementation in a mixed fabric	359
Fabric OS version change restrictions in an interoperable environment	359
Coordinated Hot Code Load	360
Bypassing the Coordinated HCL check on firmware download	360
Coordinated HCL on switches firmware downloads	361
Upgrade and downgrade considerations for HCL for interoperability	361
McDATA-aware features	361
McDATA-unaware features	362
M-EOS feature limitations in mixed fabrics	364
Supported hardware in an interoperable environment	365
Supported features in an interoperable environment	368
Unsupported features in an interoperable environment	370
Managing Administrative Domains	371
In this chapter	371
Administrative Domains overview	371
Admin Domain features	373
Requirements for Admin Domains	373
Admin Domain access levels	374
User-defined Administrative Domains	374
System-defined Administrative Domains	374

Match case Limit results 1 per page

Fabric OS Administrator’s Guide

151

53-1001336-01

Management interface security

Security associations

A security association (SA) is the collection of security parameters and authenticated keys that are

negotiated between IPsec peers. For the peers to be able to encapsulate and decapsulate the

IPsec packets, they need a way to store the secret keys, algorithms, and IP addresses involved in

the communication. All these parameters needed for the protection of the IP datagram are stored

in a security association (SA). The security associations are in turn stored in a security association

database (SADB).

An IPsec security association is a construct that specifies security properties that are recognized by

communicating hosts. The properties of the SA are the security protocol (AH or ESP), destination IP

address, and Security Parameter Index (SPI) number. SPI is an arbitrary 32-bit value contained in

IPsec protocol headers (AH or ESP) and an IPsec SA is unidirectional. Because most

communication is peer-to-peer or client-to-server, two SAs must be present to secure traffic in both

directions. An SA specifies the IPsec protocol (AH or ESP), the algorithms used for encryption and

authentication, and the expiration definitions used in security associations of the traffic. IKE uses

these values in negotiations to create IPsec SAs. You must create an SA prior to creating an

SA-proposal. You cannot modify an SA once it is created. Use the

ipsecConfig

flush manual-sa

command to remove all SA entries from the kernel SADB and re-create the SA. For more

information on the

ipSecConfig

command, refer to the

Fabric OS Command Reference

IPsec proposal

The IPsec sa-proposal defines an SA or an SA bundle. An SA is a set of parameters that define how

the traffic is protected using IPsec. These are the IPsec protocols to use for an SA, either AH or ESP,

and the encryption and authentication algorithms to use to protect the traffic. For SA bundles,

[AH, ESP] is the supported combination.

Authentication and encryption algorithms

IPsec uses different protocols to ensure the authentication, integrity, and confidentiality of the

communication. Encapsulating Security Payload (ESP) provides confidentiality, data integrity and

data source authentication of IP packets, and protection against replay attacks. Authentication

Header (AH) provides data integrity, data source authentication, and protection against replay

attacks, but unlike ESP, AH does not provide confidentiality.

In AH and ESP, hmac_md5 and hmac_sha1 are used as authentication algorithms. Only in ESP,

3des_cbc, blowfish_cbc, aes256_cbc and null_enc are used as encryption algorithms. Use

Table 38

when configuring the authentication algorithm.

TABLE 38

Algorithms and associated authentication policies

Algorithm

Encryption Level

Policy

Description

hmac_md5

128-bit

AH, ESP

A stronger MAC because it is a keyed

hash inside a keyed hash. When MD5

or SHA-1 is used in the calculation of

an HMAC; the resulting MAC algorithm

is termed HMAC-MD5 or HMAC-SHA-1

accordingly.

NOTE:

The MD5 hash algorithm is

blocked when FIPS mode is

enabled

hmac_sha1

160-bit

AH, ESP