Home » HP Manuals » Storage Devices » HP StorageWorks 2/16V » Manual Viewer

HP StorageWorks 2/16V HP StorageWorks Fabric OS 5.2.x administrator guide (569 - Page 103

Configuring advanced security, About Access Control List (ACL) policies

View all HP StorageWorks 2/16V manuals

Add to My Manuals
Save this manual to your list of manuals

Page 103 highlights

5 Configuring advanced security This chapter provides information and procedures for configuring advanced Fabric OS 5.2.x security feature, Access Control Lists (ACL) policies for FC port and switch binding. NOTE: Run all commands in this chapter by logging in to Administrative Domain (AD) 255 or if Administrative Domains have not been implemented log in to AD 0. For information about licensed security features available in Secure Fabric OS, see the Secure Fabric OS Administrator's Guide. About Access Control List (ACL) policies Fabric OS provides the following policies: • Device Connection Control (DCC) policies-Used to restrict which Fibre Channel device ports can connect to which Fibre Channel switch ports. • Switch Connection Control (SCC) policy-Used to restrict which switches can join the switch. Each supported policy is identified by a specific name, and only one policy of each type can exist (except for DCC policies). Policy names are case sensitive and must be entered in all uppercase. How the ACL policies are stored The policy are stored in a local database. The database contains both ACL policies types (SCC and DCC). The policy are grouped by state and type. A policy can be in the following state: • Active-The policy is being enforced by the switch. • Defined-The policy has been set up but is not enforced. A group of policies is called a Policy Set. Each switch has the following two sets: • Active policy set-Contains ACL policies being enforced by the switch. • Defined policy set-Contains a copy of all ACL policies on the switch. When you activate a policy, the defined policy either replaces the policy with the same name in the active set or becomes a new active policy. If a policy appears in the defined set but not in the active set, the policy was saved but has not been activated. If a policy with the same name appears in both the defined and active sets but they have different values, then the policy has been modified but the changes have not been activated. Identifying policy members Specify policy members by device port WWN, switch WWN, domain IDs, or switch names, depending on the policy. The valid methods for specifying policy members are listed in Table 24. Table 24 Valid methods for specifying policy members Policy name DCC_POLICY_nnn SCC_POLICY Device Switch port WWN WWN Yes Yes No Yes Domain ID Switch name Yes Yes Yes Yes Fabric OS 5.2.x administrator guide 103

Section	Page
Contents	3
Supported HP StorageWorks hardware	15
Table 1 Switch model naming matrix	15
Intended audience	16
Related documentation	16
Glossary of terms	16
Document conventions and symbols	16
Table 2 Document conventions	16
HP technical support	17
HP-authorized reseller	17
Helpful web sites	17
Introducing Fabric OS CLI procedures	19
About procedural differences	19
Scope and references	19
About the CLI	20
Help information	21
Displaying command Help	21
Displaying additional Help topics	21
Table 3 Help file commands (continued)	21
Performing basic configuration tasks	23
Connecting to the CLI	23
Using telnet or SSH session	23
How to connect via telnet	23
Using a console session on the serial port	24
How to connect via the serial port	24
Setting the default account passwords	24
Table 4 Default administrative account names and passwords	25
Changing default passwords summary	25
How to change default passwords at login	26
Configuring the Ethernet interface	26
How to display network interface settings	27
Static Ethernet addressing summary	27
How to set static addresses for the Ethernet network interface	27
Configuring DHCP	28
DHCP summary	28
How to enable DHCP	28
How to disable DHCP	28
Setting the date and time	29
Setting time zones	29
How to set the time zone	30
How to set the time zone interactively	31
Synchronizing local time	32
How to synchronize local time with an external source	32
Maintaining licensed software features	33
How to generate or activate a license key	34
Figure 1 HP StorageWorks license key screen	34
How to remove a licensed feature	35
Customizing a switch name	36
How to customize the switch name	36
Customizing the chassis name	37
How to change the chassis name	37
Working with domain IDs	37
How to display domain IDs	38
How to set the domain ID	38
Ports on Demand license summary for applicable switches	39
Table 5 Ports enabled with Ports on Demand licenses	39
Activating Ports on Demand	39
Configuring Dynamic Ports on Demand	40
How Dynamic Ports on Demand works	40
Displaying the Port license assignment	40
Activating Dynamic Ports on Demand	41
Disabling Dynamic Ports on Demand	41
Managing licenses	42
Reserving a license	42
Releasing a port	43
Disabling and enabling a switch	44
How to disable a switch	44
How to enable a switch	44
Disabling and enabling a port	44
How to disable a port	44
How to enable a port	45
Making basic connections	45
Connecting to devices	45
Connecting to other switches	45
Linking through a gateway	46
How to configure a link through a gateway	46
Checking status	47
How to verify switch operation	47
How to verify high-availability features	47
How to verify fabric connectivity	47
How to verify device connectivity	47
Tracking and controlling switch changes	48
How to enable the track changes feature	48
How to display the status of the track changes feature	49
How to view the switch status policy threshold values	49
How to set the switch status policy threshold values	50
Configuring the audit log	51
Auditable Event Classes	51
Table 6 AuditCfg Event Class Operands	52
How to verify host syslog prior to configuring the audit log	52
How to configure an audit log for specific event classes	53
Shutting down switches and Directors	53
To power off a Director gracefully (Prior to 5.1.0)	53
To power off a switch gracefully (5.1.0 and later)	54
High availability of daemon processes	54
Table 7 List of daemons that are automatically restarted	54
Managing user accounts	55
Overview	55
Accessing the management channel	55
Table 8 Maximum number of simultaneous sessions	55
Using role-based access control (RBAC)	55
Table 9 Fabric OS 5.2.x roles	55
Role Permissions	56
Table 10 Permission types	56
Table 11 RBAC permissions matrix (continued)	56
Configuring the authentication model	58
Table 12 Authentication configuration options	58
How to set the switch authentication model	58
Managing the local database user accounts	58
About the default accounts	59
Table 13 Default Local User Accounts	59
Defining local user accounts	59
How to display account information	59
How to create an account	60
How to delete an account	60
How to change account parameters	61
How to add an administrative domain to the account	61
How to remove an administrative domain from the account	61
Recovering accounts	62
How to recover an account	62
Changing local account passwords	62
How to change the password for the current login account	62
How to change the password for a different account	63
Configuring the local user database	63
Distributing the local user database	63
How to distribute the local user database	63
Protecting the local user database from distributions	63
How to accept the user database	64
How to reject distributed user databases	64
Configuring password policies	64
How to set the password strength policy	64
How to set the password history policy	65
How to set the password expiration policy	65
Upgrade and downgrade considerations	66
How to set the account lockout policy	66
Managing Fabric OS users on the RADIUS server	66
Switch to RADIUS server interaction	66
Creating Fabric OS user accounts	67
Table 14 Syntax for VSA-based account roles	67
Windows 2000 IAS	68
Linux FreeRadius server	68
Table 15 dictionary.brocade file entries	68
RADIUS configuration and admin domains	69
Setting up RADIUS AAA service	69
Configuring the RADIUS server	70
Linux	71
How to add the Brocade attribute to the server	71
How to create the user	71
How to enable clients	72
Windows 2000	72
How to enable CHAP	72
How to configure RADIUS users	73
How to configure the RADIUS server	73
Configuring RADIUS servers on the switch	74
How to display the current RADIUS configuration	75
How to add a RADIUS server to the switch configuration	75
How to enable and disable a RADIUS server	76
How to delete a RADIUS server from the configuration	76
How to change a RADIUS server configuration	76
How to change the order in which RADIUS servers are contacted for service	76
Enabling and disabling local authentication as backup	77
Setting the boot PROM password	77
SSSetting the boot PROM password with a recovery String	77
4/8 and 4/16 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, 4/64 SAN Switch, and 400 MP Router	77
How to set the boot PROM password for a switch with a recovery string	77
SAN Director 2/128 and 4/256 SAN Director	78
How to set the boot PROM password for a Director with a recovery string	78
How to set the boot PROM password for a Director without a recovery string	79
4/8 and 4/16 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, 4/64 SAN Switch, and 400 MP Router	79
How to set the boot PROM password for a switch without a recovery string	79
How to set the boot PROM password for a Director without a recovery string	80
Recovering user, admin, and factory passwords	81
How to recover passwords	81
Configuring standard security features	83
Secure protocols	83
Table 16 Secure protocol support	83
Table 17 Items needed to deploy secure protocols	83
Table 18 Main security scenarios	84
Ensuring network security	84
Configuring the telnet interface	85
How to disable telnet	85
How to enable telnet	85
Blocking listeners	86
Table 19 Blocked Listener Applications	86
Accessing switches and fabrics	86
Table 20 Access defaults	86
Port Configuration	87
Table 21 Port information	87
Configuring for the SSL protocol	87
Browser and Java support	88
Summary of SSL procedures	88
Table 22 SSL Certificate Files	88
Choosing a certificate authority	88
Generating a public/private key	89
Generating and storing a CSR	89
Obtaining certificates	90
Installing a switch certificate	90
Activating a switch certificate	91
Configuring the browser	91
To check and install root certificates on Internet Explorer	91
To check and install root certificates on Mozilla	91
Installing a root certificate to the Java Plug-in	92
Displaying and deleting certificates	92
Table 23 Commands for Displaying and Deleting SSL Certificates	92
Troubleshooting certificates	93
Table 24 SSL Messages and Actions	93
Configuring SNMP	93
Setting the security level	94
Using the snmpConfig command	94
Using legacy commands for SNMPv1	97
Configuring secure file copy	101
Configuring advanced security	103
About Access Control List (ACL) policies	103
How the ACL policies are stored	103
Identifying policy members	103
Table 24 Valid methods for specifying policy members	103
Configuring ACL policies	104
Displaying ACL policies	105
Configuring a DCC policy	105
Table 25 DCC policy states	105
DCC policy restrictions	106
Creating a DCC policy	106
Examples of creating DCC policies	107
Creating an SCC policy	107
Table 26 SCC policy states	108
Saving changes to ACL policies	108
Activating changes to ACL policies	108
Adding a member to an existing policy	109
Removing a member from a policy	109
Deleting a policy	109
Aborting all uncommitted changes	110
Distributing the policy database	110
Table 27 Interaction between fabric-wide consistency policy and distribution settings	110
Configuring the database distribution settings	111
Table 28 Supported Databases Starting in Fabric OS 5.2.x	111
Distributing ACL policies to other switches	112
Table 29 ACL policy database distribution behavior	112
Setting the consistency policy fabric-wide	113
Table 30 Fabric-wide consistency policy settings	113
Notes on joining a switch to the fabric	114
Matching fabric-wide consistency policies	115
Table 31 Merging fabrics with matching fabric-wide consistency policies	115
Non-matching fabric-wide consistency policies	116
Table 32 Examples of strict fabric merges	116
Table 33 Fabric merges with tolerant/absent combinations	116
Maintaining configurations	117
Displaying configuration settings	117
Backing up a configuration	117
Troubleshooting configuration upload	119
Restoring switch information	119
Table 34 CLI Commands to display switch configuration information	119
Restoring a configuration	119
Configuration download without disabling a switch	120
Security considerations	121
Troubleshooting configuration download	121
Messages captured in the logs	121
Restoring configurations in a FICON environment	122
Table 35 Backup and restore in a FICON CUP environment	122
Downloading configurations across a fabric	122
4/256 SAN Director configuration form	123
Table 36 Configuration and connection	123
Table 37 FC port configuration setting	124
Table 38 FC port configuration setting	125
Managing administrative domains	127
About administrative domains	127
Figure 2 Fabric with two admin domains	128
Figure 3 Filtered fabric views	128
Admin domain features	128
Requirements for admin domains	129
User-defined Administrative domains	129
System-defined administrative domains	130
AD0	130
AD255	130
Figure 4 Fabric with AD0 and AD255	131
Admin domain access levels	131
Table 39 AD user types	131
Admin domains and login	132
Admin domain member types	132
Device members	132
Switch port members	133
Switch members	133
Admin Domains and switch WWN	133
Figure 5 Fabric showing switch and device WWNs	134
Figure 6 Filtered fabric views showing converted switch WWNs	134
Admin domain compatibility and availability	135
Admin domains and merging	135
Compatibility	135
Figure 7 Isolated subfabrics	135
Firmware upgrade and downgrade scenarios	135
Managing admin domains	136
Understanding the AD transaction model	136
Implementing admin domains	137
Creating an admin domain	137
Assigning a user to an admin domain	138
Activating and deactivating admin domains	139
Adding and removing admin domain members	140
Renaming an Admin Domain	141
Deleting an Admin Domain	141
Deleting all user-defined Admin Domains	142
Validating an Admin Domain member list	142
Using Admin Domains	143
Using CLI commands in an AD context	143
Table 40 Ports and devices in CLI output	143
Executing a command in a different AD context	143
Displaying an Admin Domain configuration	144
Switching to a different Admin Domain context	144
Performing zone validation	145
Admin Domain interactions	145
Table 41 Admin Domain interaction with Fabric OS features (continued)	145
Admin Domains, zones, and zone databases	146
Admin Domains and LSAN zones	147
Configuration upload and download in an AD context	148
Table 42 Configuration upload and download scenarios in an AD context	148
Installing and maintaining firmware	149
About the firmware download process	149
Upgrading and downgrading firmware	149
Effects of firmware changes on accounts and passwords	150
Table 43 Effects of firmware changes on accounts and passwords	150
Considerations for FICON CUP environments	150
Preparing for a firmware download	150
Checking connected switches	152
Obtaining and decompressing firmware	152
Performing firmware download on switches	152
Summary of the firmware download process	153
4/16 SAN Switch and 4/8 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, 4/64 SAN Switch and 400 MP Router firmware download procedure	153
Summary of firmware downloads on Director models	155
Summary of the firmware download process for Directors	155
SAN Director 2/128 and 4/256 SAN Director firmware download procedure	156
Testing and restoring firmware on switches	160
Testing and restoring firmware-on Directors	161
Validating the firmware download	164
Troubleshooting firmware download	165
Downgrading firmware from Fabric OS 5.2.x	165
Pre-installation messages	166
Blade troubleshooting tips	175
Synchronizing firmware versions on partitions	175
FTP server recommendations	175
Configuring Directors	177
Identifying ports	177
By slot and port number	178
By port area ID	178
By index	178
Table 44 Default index/area_ID Core PID assignment with no port swap (continued)	179
Table 45 Default index/area extended-edge PID assignment with no port swap (continued)	180
Basic blade management	182
Powering port blades off and on	182
Disabling and enabling port blades	182
400 MP Router exceptions	183
B-Series MP Router blade (FR4-18i) exceptions	183
FC4-48 blade exceptions	183
Conserving power	183
Blade terminology and compatibility	184
Table 46 Director terminology and abbreviations	184
CP blades	185
Port blade compatibility	185
Setting chassis configuration options	185
Table 47 Blades Supported by Each Director	185
Table 48 Supported configuration options	186
Table 49 Configuration options and resulting slot configurations	186
Obtaining slot information	187
Configuring a new SAN Director 2/128 with two domains	188
Converting an installed SAN Director 2/128 to support two domains	189
Setting the blade beacon mode	190
Routing traffic	191
About data routing and routing policies	191
Specifying the routing policy	191
Assigning a static route	192
Specifying frame order delivery	192
Using Dynamic Load Sharing	193
Viewing routing path information	194
Viewing routing information along a path	196
Using the FC-FC routing service	199
Supported platforms	199
Fibre Channel routing concepts	199
Figure 8 A metaSAN with edge-to-edge and backbonef fabrics	199
Figure 9 A metaSAN with interfabric links	201
Figure 10 Edge SANs connected through a backbone fabric	202
Front domain consolidation	202
Supported configurations and platforms	202
Upgrade and downgrade considerations	203
Using front domain consolidation	203
Range of output ports	204
Support	204
Proxy devices	204
Figure 11 metaSAN with imported devices	205
Routing types	205
Fibre Channel NAT and phantom domains	206
Setting up the FC-FC routing service	206
Performing verification checks	207
Assigning backbone fabric IDs	208
Configuring FCIP tunnels (optional)	209
Configuring FC-FC routing to work with Secure Fabric OS (optional)	209
Configuring Secure Fabric OS DH-CHAP secret	209
Configuring an interfabric link	211
Configuring LSANs and zoning	216
Use of administrative domains with LSAN Zones and FCR	216
Defining and naming zones	216
LSAN Zones and fabric-to-fabric communications	216
Configuring backbone fabrics for Interconnectivity	219
Optional configuration procedures	219
FC router port cost (optional)	219
Using router port cost	219
Upgrade, downgrade, and HA considerations	220
Port cost considerations	220
Setting a proxy PID	221
Matching fabric parameters	221
EX_Port frame trunking (optional)	222
Supported configurations and platforms	222
High Availability support	222
Backward Compatibility Support	222
Upgrade and Downgrade Considerations	223
Table 50 Trunking upgrade and downgrade considerations	223
Using EX_Port Frame trunking	223
Security considerations	223
Trunking commands	223
Monitoring resources	224
Routing ECHO	226
Upgrade and downgrade considerations	226
Interoperability with legacy FCR switches	227
Backward compatibility	227
Table 51 Hardware and firmware compatibility for nonsecure fabrics	227
Connecting to HP M-Series or McDATA SANs	228
Supported platforms and configurations	228
Configuring the fabrics for interconnectivity	228
Connectivity modes	229
Table 52 portCfgExPort -m values	229
Configuring the FC router	229
Figure 12 EFCM SAN status	232
Configuring M-Series or McDATA for interconnection	232
Figure 13 SAN Pilot and EFCM zone screens	233
Figure 14 Pending Zone Set list in SAN Pilot and EFCM zone screens	234
Figure 15 Adding a zone set name in SAN Pilot	235
LSAN zoning with McDATA	235
Completing the configuration	236
Administering FICON fabrics	239
Overview of Fabric OS support for FICON	239
Supported switches	240
4/256 Director and SAN Switch 4/32 FICON notes	240
Types of FICON configurations	241
Control Unit Port (CUP)	241
FICON commands	242
Table 53 Fabric OS commands related to FICON and FICON CUP	242
Security considerations	243
Configuring switches	243
Preparing a switch	244
Configuring a single switch	244
Configuring a high-integrity fabric	244
Figure 16 Cascaded configuration, two switches	245
Figure 17 Cascaded configuration, three switches	245
Setting a unique domain ID	245
Displaying information	246
Link incidents	246
Registered listeners	246
Node identification data	246
FRU failures	247
Swapping ports	247
Clearing the FICON management database	247
Using FICON CUP	248
Setup summary	248
Enabling and disabling FICON management server mode	249
Setting up CUP when FICON management server mode is enabled	250
Displaying the fmsmode setting	250
Displaying mode register bit settings	251
Table 54 FICON CUP mode register bits	251
Setting mode register bits	252
Persistently enabling/disabling ports	252
Port and switch naming standards	253
Adding and removing FICON CUP licenses	253
Zoning and PDCM considerations	253
Zoning and link incident reporting	253
Backing up and restoring configurations	253
Troubleshooting	254
Identifying ports	254
Backing up FICON files	255
Recording configuration information	255
Table 55 FICON® switch configuration worksheet	256
Sample IOCP configuration file for SAN Switch 2/32, SAN Switch 4/32, SAN Director 2/128, and 4/256 SAN Director switches	257
Sample RMF configuration file for mainframe	258
Configuring the distributed manager server	261
Enabling and disabling the platform services	261
Controlling access	262
Configuring the server database	264
Controlling topology discovery	265
Working with diagnostic features	267
About Fabric OS diagnostics	267
Viewing Power-on Self Tests	267
Viewing switch status	268
Viewing port information	270
Viewing equipment status	273
Viewing the system message log	274
Viewing the port log	275
Configuring for syslogd	276
Configuring the host	276
Table 56 Fabric OS to UNIX message severities	276
Configuring the switch	277
Viewing and saving diagnostic information	278
Setting up automatic trace dump transfers	278
Troubleshooting	281
Most common problem areas	281
Table 57 Common troubleshooting problems and tools	281

Match case Limit results 1 per page

Fabric OS 5.2.x administrator guide

103

Configuring advanced security

This chapter provides information and procedures for configuring advanced Fabric OS 5.2.x security

feature, Access Control Lists (ACL) policies for FC port and switch binding.

NOTE:

Run all commands in this chapter by logging in to Administrative Domain (AD) 255 or if

Administrative Domains have not been implemented log in to AD 0.

For information about licensed security features available in Secure Fabric OS, see the

Secure Fabric OS

Administrator’s Guide

About Access Control List (ACL) policies

Fabric OS provides the following policies:

•

Device Connection Control (DCC) policies—Used to restrict which Fibre Channel device ports can

connect to which Fibre Channel switch ports.

•

Switch Connection Control (SCC) policy—Used to restrict which switches can join the switch.

Each supported policy is identified by a specific name, and only one policy of each type can exist (except

for DCC policies). Policy names are case sensitive and must be entered in all uppercase.

How the ACL policies are stored

The policy are stored in a local database. The database contains both ACL policies types (SCC and DCC).

The policy are grouped by state and type.

A policy can be in the following state:

•

Active—The policy is being enforced by the switch.

•

Defined—The policy has been set up but is not enforced.

A group of policies is called a Policy Set.

Each switch has the following two sets:

•

Active policy set—Contains ACL policies being enforced by the switch.

•

Defined policy set—Contains a copy of all ACL policies on the switch.

When you activate a policy, the defined policy either replaces the policy with the same name in the active

set or becomes a new active policy. If a policy appears in the defined set but not in the active set, the

policy was saved but has not been activated. If a policy with the same name appears in both the defined

and active sets but they have different values, then the policy has been modified but the changes have not

been activated.

Identifying policy members

Specify policy members by device port WWN, switch WWN, domain IDs, or switch names, depending

on the policy. The valid methods for specifying policy members are listed in

Table 24

Valid methods for specifying policy members

Policy name

Device

port WWN

Switch

WWN

Domain ID

Switch

name

DCC_POLICY_

nnn

Yes

SCC_POLICY

Yes