Home » HP Manuals » Storage Devices » HP StorageWorks 1606 » Manual Viewer

HP StorageWorks 1606 Brocade Web Tools Administrator's Guide v6.3.0 (53-100134 - Page 291

Internet Key Exchange (IKE) Concepts, Encryption algorithms, Hash algorithms

View all HP StorageWorks 1606 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 291 highlights

IPSec Concepts 17 Internet Key Exchange (IKE) Concepts Key exchange is used to authenticate the end points of an IP connection, and to determine security policies for IP traffic over the connection. The initiating node proposes a policy based on the following: • An encryption algorithm to protect data. • A hash algorithm to check the integrity of the authentication data. • A Pseudo-Random Function (PRF) algorithm that can be used with the hash algorithm for additional cryptographic strength. • An authentication method requiring a digital signature, and optionally a certificate exchange. • A Diffie-Hellman exchange that generates prime numbers used in establishing a shared secret key. Encryption algorithms An encryption algorithm is used to encrypt messages used in the IKE negotiation. Table 20 lists the available encryption algorithms. A brief description is provided. If you need further information, please refer to the RFC. TABLE 20 Encryption algorithm options Encryption Algorithm Description RFC Number 3des_cbc null_enc aes128_cbc aes256_cbc 3DES processes each block three times, using RFC 2451 a unique 56-bit key each time. No encryption is performed. Advanced Encryption Standard (AES) 128 bit block cipher. RFC 4869 Advanced Encryption Standard (AES) 256 bit block cipher. RFC 4869 Hash algorithms Hash message authentication codes (HMAC) check data integrity through a mathematical calculation on a message using a hash algorithm combined with a shared, secret key. The sending computer uses the hash function and shared key to compute a checksum or code for the message, and sends it to the receiving computer. The receiving computer must perform the same hash function on the received message and shared key and compare the result. If the hash values are different, it indicates that a third party may have tampered with the message in transit, and the packet is rejected. TABLE 21 Hash algorithm options Hash Algorithm Description RFC/Publication Number aes_xcbc hmac_md5 hmac_sha1 Uses a cypher block and extended cypher block RFC 3566 chaining (CBC). The MD5 computation produces a 128-bit hash. RFC 1321 The SHA1 computation produces a 160-bit hash. FIPS Pub 180-1 Web Tools Administrator's Guide 259 53-1001343-01

Section	Page
Contents	5
Figures	17
Tables	23
About This Document	25
In this chapter	25
How this document is organized	25
Supported hardware and software	26
What’s new in this document	27
Document conventions	28
Text formatting	28
Notes, cautions, and warnings	28
Key terms	29
Notice to the reader	29
Additional information	29
Brocade resources	29
Other industry resources	30
Getting technical help	30
Document feedback	31
Introducing Web Tools	33
In this chapter	33
Web Tools overview	33
Web Tools, the EGM license, and DCFM	33
Web Tools features enabled by the EGM license	34
Web Tools functionality moved to DCFM	35
System requirements	36
Setting refresh frequency for Internet Explorer	37
Deleting temporary internet files used by Java applications	38
Java installation on the workstation	39
Installing the JRE on your Solaris or Linux client workstation	39
Installing patches on Solaris	39
Installing the Java plug-in on Windows	40
Java plug-in configuration	40
Configuring the Java plug-in for Windows	40
Configuring the Java plug-in for Mozilla family browsers	41
Value line licenses	42
Opening Web Tools	43
Logging in	44
Logging out	48
Role-Based Access Control	48
Session management	49
Ending a Web Tools session	49
Requirements for IPv6 support	50
Using the Web Tools Interface	51
In this chapter	51
Viewing Switch Explorer	51
Changes for consistency with DCFM	54
Tasks	56
Fabric Tree	57
Changing the Admin Domain context	57
Switch View buttons	60
Switch View	60
Switch Events and Switch Information	64
Free Professional Management Tool	65
Displaying tool tips	66
Right-click options	66
Refresh rates	67
Displaying switches in the fabric	67
Working with Web Tools: recommendations	68
Opening a Telnet or SSH client window	69
Collecting logs for troubleshooting	69
Managing Fabrics and Switches	71
In this chapter	71
Fabric and switch management overview	71
Opening the Switch Administration window	73
Refreshing the Switch Administration window	73
Configuring IP and netmask information	74
Netstat Performance	75
Configuring a syslog IP address	75
Removing a syslog IP address	76
Setting up IP Filtering	76
Blade management	77
Enabling or disabling a blade	77
Setting a slot-level IP address	78
Viewing IP addresses	78
Switch configuration	79
Enabling and disabling a switch	79
Changing the switch name	79
Changing the switch domain ID	79
Viewing and printing a switch report	80
Switch restart	80
Performing a fast boot	80
Performing a reboot	80
System configuration parameters	81
Configuring fabric settings	81
Enabling insistent domain ID mode	82
Configuring virtual channel settings	83
Configuring arbitrated loop parameters	83
Configuring system services	84
Configuring signed firmware	84
Licensed feature management	84
Activating a license on a switch	85
Assigning slots for a license key	86
Removing a license from a switch	86
Universal time based licensing	87
High Availability overview	87
Admin Domain considerations	87
Launching the High Availability window	87
Synchronizing Services on the CP	89
Initiating a CP Failover	89
Event monitoring	90
Displaying Switch Events	90
Filtering Switch Events	91
Filtering events by event severity levels	92
Filtering events by message ID	93
Filtering events by service component	93
Displaying the Name Server entries	93
Printing the Name Server entries	94
Displaying Name Server information for a particular device	94
Displaying zone members for a particular device	95
Physically locating a switch using beaconing	95
Locating logical switches using chassis beaconing	96
Virtual Fabrics overview	97
Selecting a logical switch from the Switch View	98
Viewing Logical ports	100
Maintaining Configurations and Firmware	101
In this chapter	101
Creating a configuration backup file	101
Restoring a configuration	103
Admin Domain configuration maintenance	105
Uploading and downloading from USB storage	106
Performing a firmware download	107
SAS and SA firmware download	109
Switch configurations for mixed fabrics	110
Enabling interoperability	111
Managing Administrative Domains	113
In this chapter	113
Administrative domain overview	113
Requirements for Admin Domains	113
User-defined Admin Domains	114
System-defined Admin Domains	114
Admin Domain membership	115
Enabling administrative domains	115
Admin Domain window	116
Opening the Admin Domain window	119
Refreshing fabric information	119
Refreshing Admin Domain information	120
Saving local Admin Domain changes	120
Closing the Admin Domain window	120
Creating and populating domains	121
Creating an Admin Domain	121
Adding ports or switches to the fabric	123
Activating or deactivating an Admin Domain	124
Modifying Admin Domain members	124
Renaming Admin Domains	126
Deleting Admin Domains	126
Clearing the Admin Domain configuration	126
Managing Your Ports	127
In this chapter	127
Port management overview	127
Opening the Port Administration window	127
Port Administration window components	130
Controllable ports	132
Configuring FC ports	133
Allowed Port Types	135
Long distance mode	135
Ingress rate limit	136
FC Fastwrite	136
Assigning a name to a port	136
Enabling and disabling a port	137
Considerations for port enable and disable	137
Persistent enabling and disabling ports	138
Enabling and disabling NPIV ports	138
Port activation	139
Enabling Ports on Demand	140
Enabling Dynamic Ports on Demand	140
Disabling Dynamic Ports on Demand	141
Reserving and releasing licenses on a port basis	141
Port swapping index	142
Port swapping	142
Determining if a port index was swapped with another switch port	142
Configuring BB credits on an F_Port	143
Enabling ISL Trunking	145
In this chapter	145
ISL trunking overview	145
Disabling or enabling ISL trunking	146
Admin Domain considerations	146
Viewing trunk group information	147
F_Port trunk groups	148
Creating and maintaining F_Port trunk groups	148
Monitoring Performance	151
In this chapter	151
Performance Monitor overview	151
Admin Domain considerations	152
Predefined performance graphs	152
User-defined graphs	155
Canvas configurations	155
Opening the Performance Monitoring window	156
Creating basic performance monitor graphs	156
Customizing basic monitoring graphs	157
Advanced performance monitoring graphs	159
Creating SID-DID Performance Graphs	159
Creating a SCSI vs. IP Traffic Graph	161
Creating SCSI command graphs	161
Tunnel and TCP performance monitoring graphs	162
Saving graphs to a canvas	164
Adding graphs to an existing canvas	164
Printing graphs	165
Modifying graphs	165
Administering Zoning	167
In this chapter	167
Zoning overview	167
Basic Zones	168
Traffic Isolation zones	168
LSAN zone requirements	168
QoS zone requirements	168
Zoning configurations	169
Opening the Zone Administration window	169
Setting the default zoning mode	169
Zoning management	169
Refreshing fabric information	171
Refreshing Zone Administration window information	172
Saving local zoning changes	172
Select a zoning view	173
Creating and populating zone aliases	173
Adding and removing members of a zone alias	174
Renaming zone aliases	174
Deleting zone aliases	175
Creating and populating zones	176
Adding and removing members of a zone	176
Renaming zones	177
Cloning zones	177
Deleting zones	178
Creating and populating traffic isolation zones	178
Zone configuration and zoning database management	179
Creating zone configurations	179
Adding or removing zone configuration members	180
Renaming zone configurations	180
Cloning zone configurations	181
Deleting zone configurations	181
Enabling zone configurations	181
Disabling zone configurations	182
Displaying enabled zone configurations	182
Viewing the enabled zone configuration name without opening the Zone Administration window	183
Viewing detailed information about the enabled zone configuration	183
Adding a WWN to multiple aliases and zones	184
Removing a WWN from multiple aliases and zones	184
Replacing a WWN in Multiple Aliases and Zones	185
Searching for zone members	185
Clearing the Zoning Database	186
Zone configuration analysis	186
Best practices for zoning	186
Working With Diagnostic Features	187
In this chapter	187
Trace dumps	187
How a trace dump is used	188
Setting up automatic trace dump transfers	188
Specifying a remote server	189
Enabling automatic transfer of trace dumps	189
Disabling automatic trace uploads	189
Displaying switch information	190
Viewing detailed fan hardware status	190
Viewing the temperature status	191
Viewing the power supply status	191
Checking the physical health of a switch	192
Port LED interpretation	194
Port icon colors	195
LED representations	195
Brocade 48000 Director LEDs	196
Using the FC-FC Routing Service	197
In this chapter	197
Fibre Channel Routing overview	197
Supported switches for Fibre Channel Routing	198
Setting up FC-FC routing	198
FC-FC routing management	199
Opening the FC Routing module	199
Viewing and managing LSAN fabrics	200
Viewing EX_Ports	201
Configuring an EX_Port	203
Editing the configuration of an EX_Port	203
Configuring FCR router port cost	203
Viewing LSAN zones	204
Viewing LSAN Devices	204
Configuring the backbone fabric ID	205
Using the Access Gateway	207
In this chapter	207
Access Gateway overview	207
Viewing switch explorer for Access Gateway mode	208
Access Gateway mode on Brocade Encryption switch	209
Restricted access on Port Administration	209
Enabling Access Gateway mode	211
Disabling Access Gateway mode	212
Viewing the Access Gateway settings	212
Port configuration	213
Creating port groups	213
Editing or Viewing port groups	215
Deleting port groups	216
Defining custom primary and secondary mapping	216
Access Gateway policy modification	217
Path Failover and Failback policies	218
Modifying Path Failover and Failback policies	218
Enabling the Automatic Port Configuration policy	218
Administering Fabric Watch	221
In this chapter	221
Fabric Watch overview	221
Using Fabric Watch with Web Tools	222
Opening the Fabric Watch window	223
Fabric Watch threshold configuration	223
Configuring threshold traits	223
Configuring threshold alarms	225
Enabling or disabling threshold alarms for individual elements	225
Configuring alarms for FRUs	226
Fabric Watch alarm information	227
Viewing an alarm configuration report	227
Displaying alarms	227
E-mail notification	228
Configuring the e-mail server on a switch	228
Configuring the e-mail alert	228
Administering Extended Fabrics	231
In this chapter	231
Extended link buffer allocation overview	231
Configuring a port for long distance	233
Administering the iSCSI Target Gateway	235
In this chapter	235
iSCSI service overview	235
Supported platforms for iSCSI	236
Common iSCSI Target Gateway Admin functions	236
Terminology	237
Saving Changes	238
Setting up iSCSI Target Gateway Services	238
Launching the iSCSI Target Gateway Admin Module	238
Launching the iSCSI setup wizard	240
Activating the iSCSI feature	240
Encryption Services for the iSCSI Gateway	240
Configuring the IP interface	241
Editing an IP Address	242
Configuring the IP route (optional)	243
Editing the IP route	243
Creating iSCSI virtual targets	244
Using Easy Create to create iSCSI virtual targets	245
Editing an iSCSI Target	245
Searching for a specific Fibre Channel target	246
Viewing iSCSI Initiators	246
Discovery Domain management	246
About Discovery Domains (DD)	247
Creating a discovery domain	248
Editing a discovery domain	249
Discovery domain sets (DDSet)	249
Creating a discovery domain set	249
Editing a Discovery Domain Set	250
CHAP Configuration	250
Creating a CHAP user	251
Editing a CHAP secret	251
Binding or Removing CHAP users	252
Connection redirection	252
Enabling or disabling connection redirection	252
iSCSI Fibre Channel Zone configuration	253
Creating an iSCSI Fibre Channel zone with no effective zone configuration	254
Creating an iSCSI Fibre Channel zone with an effective zone configuration	255
Managing and Troubleshooting Accessibility	255
Routing Traffic	257
In this chapter	257
Routing overview	257
Viewing Fabric Shortest Path First routing	258
Configuring dynamic load sharing	258
Specifying frame order delivery	259
Configuring the link cost for a port	260
Configuring Standard Security Features	261
In this chapter	261
User-defined accounts	261
Virtual Fabrics considerations	262
Admin Domain considerations	262
Viewing user account information	263
Creating user-defined accounts	263
Deleting user-defined accounts	266
Changing user account parameters	266
Maintaining passwords	267
Access control list policy configuration	271
Virtual Fabrics considerations	271
Admin Domain considerations	272
Creating an SCC, DCC, or FCS policy	272
Editing an SCC, DCC, or FCS policy	273
Deleting all SCC, DCC, FCS policies	274
Activating all SCC, DCC, FCS policies	274
Distributing an SCC, DCC, or FCS policy	274
Moving an FCS policy switch position	274
Fabric-Wide Consistency Policy configuration	275
Authentication policy configuration	276
Configuring authentication policies for E_Ports	276
Configuring authentication policies for F_Ports	277
Distributing authentication policies	277
Re-authenticating policies	278
Setting a shared secret key pair	278
Modifying a shared secret key pair	279
Setting the Switch Policy Authentication Mode	279
SNMP configuration	279
Setting SNMP Trap Levels	279
Changing the systemGroup configuration parameters	280
Setting SNMPv1 configuration parameters	281
Setting SNMPv3 configuration parameters	281
Changing the access control configuration	281
RADIUS service management	282
Enabling and Disabling RADIUS Service	283
Configuring the RADIUS Service	284
Modifying the RADIUS Server	284
Modifying the RADIUS Server Order	285
Removing a RADIUS Server	285
Active Directory service management	285
Enabling Active Directory service	285
Modifying Active Directory service	286
Removing Active Directory service	286
IPSec Concepts	287
Transport mode and tunnel mode	288
IPSec header options	289
Basic IPSec configurations	290
Internet Key Exchange (IKE) Concepts	291
IPSec over FCIP	294
Accessing the IPSec Policies dialog box	294
Establishing an IKE policy for an FCIP tunnel	295
Establishing an IPSec policy for an FCIP tunnel	296
IPSec over management ports	297
Accessing the Ethernet IPSec Policies dialog box	297
Enabling IPSec	298
Establishing an IKE policy	298
Creating a security association (SA)	299
Creating an SA proposal	300
Adding an IPSec transform policy	301
Adding an IPSec selector	304
Manually creating an SA	306
Editing an IKE or IPSec policy	307
Deleting an IKE or IPSec policy	307
Establishing authentication policies for HBAs	308
Administering FICON CUP Fabrics	311
In this chapter	311
FICON CUP fabrics overview	311
Enabling port-based routing	312
Enabling or disabling FICON Management Server mode	313
FMS parameter configuration	314
Configuring FMS mode parameters	315
Displaying code page information	315
Viewing the control device state	316
CUP port connectivity configuration	317
Viewing CUP Port Connectivity Configurations	317
Creating or Editing CUP Port Connectivity Configurations	317
Activating a CUP Port Connectivity Configuration	319
Copying a CUP Port Connectivity Configuration	319
Deleting a CUP Port Connectivity Configuration	320
Displaying Request Node Identification Data (RNID)	321
Configuring FCoE features	323
In this chapter	323
FCoE overview	324
Port information that is unique to FCoE	324
Switch Administration panel tab for FC0E	325
The CEE tab	326
Port Administration panel tabs for FCoE	327
FC0E configuration tasks	329
Quality of Service (QoS) configuration	330
Adding a CEE map	330
Adding a traffic class map	332
LLDP-DCBX configuration	334
Configuring global LLDP characteristics	334
Adding an LLDP profile	335
Configuring CEE interfaces	338
Configuring a link aggregation group (LAG)	340
Configuring VLANs	342
Configuring FCoE login groups	344
Displaying FCoE Port Information	346
Displaying LAG information	348
Displaying VLAN information	349
Displaying FCoE login groups	349
Displaying QoS information	349
Displaying LLDP-DCBX information	350
Displaying CEE interface statistics	351
Enabling and disabling a CEE interface	355
Enabling and disabling a LAG	355
Enabling and disabling LLDP	356
Enabling and disabling QoS priority-based flow control	356
Enabling and disabling FCoE ports	356
Limitations	359
In this chapter	359
General Web Tools limitations	359

Match case Limit results 1 per page

Web Tools Administrator’s Guide

259

53-1001343-01

IPSec Concepts

Internet Key Exchange (IKE) Concepts

Key exchange is used to authenticate the end points of an IP connection, and to determine security

policies for IP traffic over the connection. The initiating node proposes a policy based on the

following:

•

An encryption algorithm to protect data.

•

A hash algorithm to check the integrity of the authentication data.

•

A Pseudo-Random Function (PRF) algorithm that can be used with the hash algorithm for

additional cryptographic strength.

•

An authentication method requiring a digital signature, and optionally a certificate exchange.

•

A Diffie-Hellman exchange that generates prime numbers used in establishing a shared secret

key.

Encryption algorithms

An encryption algorithm is used to encrypt messages used in the IKE negotiation.

Table 20

lists the

available encryption algorithms. A brief description is provided. If you need further information,

please refer to the RFC.

Hash algorithms

Hash message authentication codes (HMAC) check data integrity through a mathematical

calculation on a message using a hash algorithm combined with a shared, secret key. The sending

computer uses the hash function and shared key to compute a checksum or code for the message,

and sends it to the receiving computer. The receiving computer must perform the same hash

function on the received message and shared key and compare the result. If the hash values are

different, it indicates that a third party may have tampered with the message in transit, and the

packet is rejected.

TABLE 20

Encryption algorithm options

Encryption Algorithm

Description

RFC Number

3des_cbc

3DES processes each block three times, using

a unique 56-bit key each time.

RFC 2451

null_enc

No encryption is performed.

aes128_cbc

Advanced Encryption Standard (AES) 128 bit

block cipher.

RFC 4869

aes256_cbc

Advanced Encryption Standard (AES) 256 bit

block cipher.

RFC 4869

TABLE 21

Hash algorithm options

Hash Algorithm

Description

RFC/Publication Number

aes_xcbc

Uses a cypher block and extended cypher block

chaining (CBC).

RFC 3566

hmac_md5

The MD5 computation produces a 128-bit

hash.

RFC 1321

hmac_sha1

The SHA1 computation produces a 160-bit

hash.

FIPS Pub 180-1