Home » HP Manuals » Storage Devices » HP StorageWorks 2/16V » Manual Viewer

HP StorageWorks 2/16V HP StorageWorks Fabric OS 5.3.x administrator guide (569 - Page 401

Configuring IPSec, Definition

View all HP StorageWorks 2/16V manuals

Add to My Manuals
Save this manual to your list of manuals

Page 401 highlights

Table 100 IPSec terminology Term MAC HMAC SA Definition Message Authentication Code is a key-dependent, one-way hash function used for generating and verifying authentication data. A stronger MAC because it is a keyed hash inside a keyed hash. Security association is the collection of security parameters and authenticated keys that are negotiated between IPSec peers. The following limitations apply to using IPSec: • IPv6, NAT, and AH are not supported. • You can only create a single secure tunnel on a port; you cannot create a nonsecure tunnel on the same port as a secure tunnel. • IPSec specific statistics are not supported. • Fastwrite and tape pipelining cannot be used in conjunction with secure tunnels. • To change the configuration of a secure tunnel, delete the tunnel and re-create it with the desired options. • Jumbo frames are not supported for IPSec. • There is no RAS message support for IPSec. • Only a single route is supported on an interface with a secure tunnel. Configuring IPSec IPSEC requires predefined configurations for IKE and IPSEC. You can enable IPSEC only when these configurations are well-defined and properly created in advance. The following steps provide an overview of the IPSec protocol. All of these steps require that the correct policies have been created. Because policy creation is an independent procedure from FCIP tunnel creation, you must know which IPSec configurations have been created. This ensures that you choose the correct configurations when you enable an IPSEC tunnel. • Some traffic from an IPSec peer with the lower local IP address initiates the IKE negotiation process. • IKE negotiates SAs and authenticates IPSec peers during phase 1 that sets up a secure channel for negotiation of phase 2 (IPSec) SAs. • IKE negotiates SA parameters, setting up matching SAs in the peers. Some of the negotiated SA parameters include encryption and authentication algorithms, Diffie-Hellman group and SA lifetimes. • Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database. • IPSec tunnel termination. SA lifetimes terminate through deletion or by timing out. The first step to configuring IPSec is to create a policy for IKE and a policy for IPSec. Once the policies have been created, you assign the policies when creating the FCIP tunnel. IKE negotiates SA parameters and authenticates the peer using the preshared key authentication method. Once the 2 phases of the negotiation are completed successfully, the actual encrypted data transfer can begin. IPSec policies are managed using the policy command. You can configure up to 32 IKE and 32 IPSec policies. Policies cannot be modified; they must be deleted and recreated in order to change the parameters. You can delete and recreate any policy as long as the policy is not being used by an active FCIP tunnel. Each FCIP tunnel is configured separately and may have the same or different IKE and IPSec policies as any other tunnel. Only one IPSec tunnel can be configured for each GbE port. Fabric OS 5.3.0 administrator guide 407

Section	Page
Contents	3
Supported HP StorageWorks hardware	17
Table 1 Switch model naming matrix	17
Intended audience	17
Related documentation	17
Glossary of terms	18
Document conventions and symbols	18
Table 2 Document conventions	18
HP technical support	19
HP-authorized reseller	19
Helpful web sites	19
Introducing Fabric OS CLI procedures	21
About procedural differences	21
Scope and references	21
About the CLI	22
Help information	23
Displaying command Help	23
Displaying additional Help topics	23
Table 3 Help file commands	23
Performing basic configuration tasks	25
Connecting to the CLI	25
Using telnet or SSH session	25
How to connect via telnet	25
Using a console session on the serial port	26
How to connect via the serial port	26
Setting the default account passwords	26
Table 4 Default administrative account names and passwords	27
Changing default passwords summary	27
How to change default passwords at login	28
Configuring the Ethernet interface	28
How to display network interface settings	29
Static Ethernet addressing summary	29
How to set static addresses for the Ethernet network interface	30
Configuring DHCP	30
DHCP summary	31
How to enable DHCP	31
How to disable DHCP	31
Setting the date and time	32
Setting time zones	32
How to set the time zone	33
How to set the time zone interactively	34
Synchronizing local time using Network Time Protocol (NTP)	35
How to synchronize local time with an external source	36
Maintaining licensed software features	36
How to generate or activate a license key	37
Figure 1 HP StorageWorks license key screen	37
How to remove a licensed feature	38
Customizing a switch name	39
How to customize the switch name	39
Customizing the chassis name	40
How to change the chassis name	40
Working with domain IDs	40
How to display domain IDs	41
How to set the domain ID	41
Activating ports on demand	42
Table 5 Ports enabled with Ports on Demand licenses	42
How to activate Ports on Demand	43
Configuring Dynamic Ports on Demand (DPOD)	43
Port assignments and licenses	43
Displaying the port license assignment	43
Activating Dynamic Ports on Demand	44
Disabling Dynamic Ports on Demand	44
Managing POD licenses	45
Reserving a license	45
Releasing a port	46
Disabling and enabling a switch	47
How to disable a switch	47
How to enable a switch	47
Disabling and enabling a port	47
How to disable a port	47
How to enable a port	48
Making basic connections	48
Connecting to devices	48
Connecting to other switches	48
Linking through a gateway	49
How to configure a link through a gateway	49
Checking status	50
How to verify switch operation	50
How to verify high-availability features	50
How to verify fabric connectivity	50
How to verify device connectivity	50
How to show switches in Access Gateway mode	51
Tracking and controlling switch changes	51
How to enable the track changes feature	51
How to display the status of the track changes feature	52
How to view the switch status policy threshold values	52
How to set the switch status policy threshold values	53
Configuring the audit log	54
Auditable event classes	55
Table 6 AuditCfg Event Class Operands	55
How to verify host syslog prior to configuring the audit log	56
How to configure an audit log for specific event classes	56
Shutting down switches and Directors	57
To power off a Director gracefully (Prior to 5.1.0)	57
To power off a switch gracefully (5.1.0 and later)	57
High availability of daemon processes	58
Table 7 List of daemons that are automatically restarted	58
Managing user accounts	59
Overview	59
Accessing the management channel	59
Table 8 Maximum number of simultaneous sessions	59
Using role-based access control (RBAC)	59
Table 9 Fabric OS 5.3.0 roles	59
Role Permissions	60
Table 10 Permission types	60
Table 11 RBAC permissions matrix (continued)	60
Configuring the authentication model	63
Table 12 Authentication configuration options	63
How to set the switch authentication model	63
Managing the local database user accounts	63
About the default accounts	64
Table 13 Default local user accounts	64
Defining local user accounts	64
How to display account information	64
How to create an account	65
How to delete an account	65
How to change account parameters	66
How to add an administrative domain to the account	66
How to remove an administrative domain from the account	66
Recovering accounts	67
How to recover an account	67
Changing local account passwords	67
How to change the password for the current login account	67
How to change the password for a different account	68
Configuring the local user database	68
Distributing the local user database	68
How to distribute the local user database	68
Protecting the local user database from distributions	68
How to accept the user database	69
How to reject distributed user databases	69
Configuring password policies	69
How to set the password strength policy	69
How to set the password history policy	70
How to set the password expiration policy	70
Upgrade and downgrade considerations	71
How to set the account lockout policy	71
Managing Fabric OS users on the RADIUS server	72
Switch to RADIUS server interaction	72
Creating Fabric OS user accounts	72
Table 14 Syntax for VSA-based account roles (continued)	72
Windows 2000 IAS	73
Linux FreeRadius server	73
Table 15 Dictionary.brocade file entries	73
RADIUS configuration and admin domains	74
Setting up RADIUS AAA service	74
Configuring the RADIUS server	75
Linux	75
How to add the Brocade attribute to the server	76
How to create the user	76
How to enable clients	76
Windows 2000	77
How to enable CHAP	77
How to configure RADIUS users	77
How to configure the RADIUS server	78
Configuring RADIUS servers on the switch	79
How to display the current RADIUS configuration	79
How to add a RADIUS server to the switch configuration	80
How to enable and disable a RADIUS server	80
How to delete a RADIUS server from the configuration	80
How to change a RADIUS server configuration	81
How to change the order in which RADIUS servers are contacted for service	81
Enabling and disabling local authentication as backup	81
Setting the boot PROM password	82
SSSetting the boot PROM password with a recovery String	82
4/8 and 4/16 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, SAN Switch 4/32B, 4/64 SAN Switch, 4/32B SAN Switch and 400 MP Router	82
How to set the boot PROM password for a switch with a recovery string	82
SAN Director 2/128 and 4/256 SAN Director	83
How to set the boot PROM password for a Director with a recovery string	83
How to set the boot PROM password for a Director without a recovery string	84
4/8 and 4/16 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, SAN Switch 4/32B, 4/64 SAN Switch, 4/32B SAN Switch and 400 MP Router	84
How to set the boot PROM password for a switch without a recovery string	84
How to set the boot PROM password for a Director without a recovery string	84
Recovering user, admin, and factory passwords	85
How to recover passwords	85
Configuring standard security features	87
Secure protocols	87
Table 16 Secure protocol support	87
Table 17 Items needed to deploy secure protocols	87
Table 18 Main security scenarios	88
Ensuring network security	88
Configuring the telnet interface	89
How to disable telnet	89
How to enable telnet	89
Blocking listeners	90
Table 19 Blocked listener applications	90
Accessing switches and fabrics	91
Table 20 Access defaults	91
Port configuration	91
Table 21 Port information	91
Configuring for the SSL protocol	92
Browser and Java support	92
Summary of SSL procedures	92
Table 22 SSL Certificate Files	93
Choosing a certificate authority	93
Generating a public/private key	93
Generating and storing a CSR	94
Obtaining certificates	94
Installing a switch certificate	95
Activating a switch certificate	95
Configuring the browser	96
To check and install root certificates on Internet Explorer	96
To check and install root certificates on Mozilla	96
Installing a root certificate to the Java Plug-in	96
Displaying and deleting certificates	97
Table 23 Commands for displaying and deleting SSL certificates	97
Troubleshooting certificates	97
Table 24 SSL messages and actions	97
Configuring SNMP	98
Setting the security level	99
Using the snmpConfig command	99
Using legacy commands for SNMPv1	102
Configuring secure file copy	106
Maintaining configurations	107
Displaying configuration settings	107
Backing up a configuration	107
Troubleshooting configuration upload	109
Restoring switch information	109
Table 25 CLI Commands to display switch configuration information	109
Restoring a configuration	109
Configuration download without disabling a switch	110
Security considerations	111
Troubleshooting configuration download	111
Messages captured in the logs	111
Restoring configurations in a FICON environment	112
Table 26 Backup and restore in a FICON CUP environment	112
Downloading configurations across a fabric	112
4/256 SAN Director configuration form	113
Table 27 Configuration and connection	113
Table 28 FC port configuration setting	114
Table 29 FC port configuration setting	115
Configuring advanced security	117
About access control list (ACL) policies	117
How the ACL policies are stored	117
Identifying policy members	118
Table 30 Valid methods for specifying policy members	118
Configuring ACL policies	118
Displaying ACL policies	119
Configuring an FCS policy	119
Table 31 FCS policy states	119
FCS policy restrictions	120
Table 32 Switch operations	120
Overview of steps to create and manage the FCS policies	121
Modifying the primary FCS	121
Distributing an FCS policy	122
Table 33 Distribution policy states	122
Configuring a DCC policy	123
Table 34 DCC policy states	123
DCC policy restrictions	123
Creating a DCC policy	124
Examples of creating DCC policies	124
Creating an SCC policy	125
Table 35 SCC policy states	125
Saving changes to ACL policies	126
Activating changes to ACL policies	126
Adding a member to an existing policy	126
Removing a member from an ACL policy	127
Deleting an ACL policy	127
Aborting all uncommitted changes	127
Configuring the authentication policy for fabric elements	127
Figure 2 DH-CHAP authentication	128
E_Port authentication	129
Device authentication policy	130
Auth policy restrictions	130
Supported configurations	130
Selecting authentication protocols	131
Re-authenticating ports	131
Managing secret key pairs	132
Fabric wide distribution of the Auth policy	133
Accept distributions configuration parameter	133
IP filter policy	134
Creating an IP Filter policy	134
Cloning an IP Filter policy	134
Displaying an IP Filter policy	135
Saving an IP Filter policy	135
Activating an IP Filter policy	135
Deleting an IP Filter policy	136
IP Filter policy rules	136
Table 36 Supported services	137
Table 37 Implicit IP Filter rules	137
Table 38 Default IP policy rules (continued)	137
IP Filter policy enforcement	138
Creating IP Filter policy rules	138
Deleting IP Filter policy rules	139
Aborting a switch session transaction	139
IP Filter policy distributions	139
IP Filter policy restrictions	139
Distributing the policy database	140
Table 39 Interaction between fabric-wide consistency policy and distribution settings	140
Configuring the database distribution settings	141
Table 40 Supported policy databases	141
Distributing ACL policies to other switches	142
Table 41 ACL policy database distribution behavior	142
Setting the consistency policy fabric-wide	142
Table 42 Fabric-wide consistency policy settings	143
Notes on joining a switch to the fabric	144
Matching fabric-wide consistency policies	144
Table 43 Merging fabrics with matching fabric-wide consistency policies	145
Non-matching fabric-wide consistency policies	145
Table 44 Examples of strict fabric merges	145
Table 45 Fabric merges with tolerant/absent combinations	146
Managing administrative domains	147
About administrative domains	147
Figure 3 Fabric with two admin domains	148
Figure 4 Filtered fabric views	148
Admin domain features	148
Requirements for admin domains	149
User-defined Administrative domains	149
System-defined administrative domains	149
AD0	150
AD255	150
Figure 5 Fabric with AD0 and AD255	151
Admin domain access levels	151
Table 46 AD user types	151
Admin domains and login	152
Admin domain member types	152
Device members	152
Switch port members	153
Switch members	153
Admin Domains and switch WWN	154
Figure 6 Fabric showing switch and device WWNs	154
Figure 7 Filtered fabric views showing converted switch WWNs	155
Admin domain compatibility and availability	155
Admin domains and merging	155
Compatibility	155
Figure 8 Isolated subfabrics	156
Firmware upgrade and downgrade scenarios	156
Managing admin domains	156
Understanding the AD transaction model	157
Implementing admin domains	157
How to set the default zone mode	157
Creating an admin domain	158
How to create an Admin Domain	158
Assigning a user to an admin domain	159
How to create a new user account for managing Admin Domains	159
How to assign Admin Domains to an existing user account	159
How to create a new physical fabric administrator user account	160
Activating and deactivating admin domains	160
How to activate an Admin Domain	160
How to deactivate an Admin Domain	160
Adding and removing admin domain members	161
How to add members to an existing Admin Domain	161
How to remove members from an Admin Domain	161
Renaming an Admin Domain	161
How to rename an admin domain	161
Deleting an Admin Domain	162
How to delete an Admin Domain	162
Deleting all user-defined Admin Domains	162
How to clear all Admin Domain definitions	162
Validating an Admin Domain member list	163
How to list the switches and devices in an AD member list	163
Using Admin Domains	163
Using CLI commands in an AD context	163
Table 47 Ports and devices in CLI output	164
Executing a command in a different AD context	164
How to execute a command in a different Admin Domain context	164
Displaying an Admin Domain configuration	164
How to show an Admin Domain	165
Switching to a different Admin Domain context	165
How to switch to a new Admin Domain context	165
Performing zone validation	165
Admin Domain interactions	166
Table 48 Admin Domain interaction with Fabric OS features (continued)	166
Admin Domains, zones, and zone databases	167
Admin Domains and LSAN zones	168
Configuration upload and download in an AD context	168
Table 49 Configuration upload and download scenarios in an AD context	169
Installing and maintaining firmware	171
About the firmware download process	171
Upgrading and downgrading firmware	172
Effects of firmware changes on accounts and passwords	172
Table 50 Effects of firmware changes on accounts and passwords	172
Considerations for FICON CUP environments	173
Preparing for a firmware download	173
How to prepare for a firmware download	173
Checking connected switches	174
Obtaining and decompressing firmware	175
Performing firmware download on switches	175
Summary of the firmware download process	175
4/16 SAN Switch and 4/8 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, SAN Switch 4/32B, 4/64 SAN Switch and 400 M...	176
Summary of firmware downloads on Director models	178
Summary of the firmware download process for Directors	178
SAN Director 2/128 and 4/256 SAN Director firmware download procedure	178
Testing and restoring firmware on switches	182
Testing and restoring firmware-on Directors	184
Validating the firmware download	186
Troubleshooting firmware download	187
Downgrading firmware from Fabric OS 5.2.x	187
Pre-installation messages	188
Blade troubleshooting tips	199
Synchronizing firmware versions on partitions	199
FTP server recommendations	199
Configuring Directors	201
Identifying ports	201
Table 51 Port numbering schemes for the 4/256 SAN Director (continued)	201
By slot and port number	202
By port area ID	202
By index	203
Table 52 Default index/area_ID Core PID assignment with no port swap (continued)	203
Table 53 Default index/area extended-edge PID assignment with no port swap (continued)	205
Basic blade management	206
Powering port blades off and on	206
Disabling and enabling port blades	207
B-Series MP Router blade (FR4-18i) exceptions	207
FC4-48 blade exceptions	207
Conserving power	208
Blade terminology and compatibility	208
Table 54 Director terminology and abbreviations	208
CP blades	209
Port blade compatibility	209
Table 55 Blades Supported by Each Director	209
Setting chassis configuration options	209
Table 56 Supported configuration options	210
Table 57 Chassis configuration options	210
Obtaining slot information	210
Configuring a new SAN Director 2/128 with two domains	211
Converting an installed SAN Director 2/128 to support two domains	212
Setting the blade beacon mode	214
Routing traffic	215
About data routing and routing policies	215
Specifying the routing policy	215
Assigning a static route	216
Specifying frame order delivery	216
Using Dynamic Load Sharing	217
Viewing routing path information	218
Viewing routing information along a path	220
Using the FC-FC routing service	223
Supported platforms	223
Supported configurations	223
Fibre Channel routing concepts	224
Figure 9 A metaSAN with edge-to-edge and backbonef fabrics	224
Figure 10 A metaSAN with interfabric links	225
Figure 11 Edge SANs connected through a backbone fabric	227
Proxy devices	227
Figure 12 metaSAN with imported devices	227
Routing types	228
Fibre Channel NAT and phantom domains	228
Setting up the FC-FC routing service	229
Performing verification checks	229
Assigning backbone fabric IDs	230
Configuring FCIP tunnels (Optional)	231
Configuring FC-FC routing to work with Secure Fabric OS (optional)	231
Configuring Secure Fabric OS DH-CHAP secret	232
Configuring an interfabric link	233
portCfgExport options	234
Configuring the FC Router port cost (optional)	237
Using router port cost	237
Upgrade, downgrade, and HA considerations	238
Port cost considerations	238
Setting a proxy PID	239
Matching fabric parameters	239
Configuring EX_Port frame trunking (optional)	240
Supported configurations and platforms	240
High availability support	240
Backward compatibility support	240
Upgrade and downgrade considerations	241
Table 58 Trunking upgrade and downgrade considerations	241
Using EX_Port Frame trunking	241
Security considerations	241
Trunking commands	241
Configuring LSANs and zoning	242
Use of administrative domains with LSAN zones and FCR	242
Defining and naming zones	242
LSAN zones and fabric-to-fabric communications	243
LSAN zone binding (optional)	245
To set up LSAN zone binding	246
Dual backbone configuration	247
Maximum LSAN count	247
Configuring backbone fabrics for interconnectivity	248
HA and downgrade considerations:	248
IPFC over FCR	248
Broadcast configuration	248
Upgrade and downgrade considerations	249
Monitoring resources	249
Routing ECHO	251
Upgrade and downgrade considerations	251
Interoperability with legacy FCR switches	252
Backward compatibility	252
Table 59 Hardware and firmware compatibility for nonsecure fabrics	252
Administering FICON fabrics	253
Overview of Fabric OS support for FICON	253
Supported switches	254
Types of FICON configurations	254
Control Unit Port (CUP)	255
FICON commands	256
Table 61 Fabric OS commands related to FICON and FICON CUP	256
Security considerations	257
Configuring switches	257
Preparing a switch	258
Configuring a single switch	258
Configuring a high-integrity fabric	258
Figure 17 Cascaded configuration, two switches	259
Figure 18 Cascaded configuration, three switches	259
Setting a unique domain ID	259
Displaying information	260
Link incidents	260
Registered listeners	260
Node identification data	260
FRU failures	261
Swapping ports	261
Clearing the FICON management database	261

Match case Limit results 1 per page

Fabric OS 5.3.0 administrator guide

407

The following limitations apply to using IPSec:

•

IPv6, NAT, and AH are not supported.

•

You can only create a single secure tunnel on a port; you cannot create a nonsecure tunnel on the same

port as a secure tunnel.

•

IPSec specific statistics are not supported.

•

Fastwrite and tape pipelining cannot be used in conjunction with secure tunnels.

•

To change the configuration of a secure tunnel, delete the tunnel and re-create it with the desired

options.

•

Jumbo frames are not supported for IPSec.

•

There is no RAS message support for IPSec.

•

Only a single route is supported on an interface with a secure tunnel.

Configuring IPSec

IPSEC requires predefined configurations for IKE and IPSEC. You can enable IPSEC only when these

configurations are well-defined and properly created in advance.

The following steps provide an overview of the IPSec protocol. All of these steps require that the correct

policies have been created. Because policy creation is an independent procedure from FCIP tunnel

creation, you must know which IPSec configurations have been created. This ensures that you choose the

correct configurations when you enable an IPSEC tunnel.

•

Some traffic from an IPSec peer with the lower local IP addres

initiates the IKE negotiation process.

•

IKE negotiates SAs and authenticates IPSec peers during phase 1 that sets up a secure channel for

negotiation of phase 2 (IPSec) SAs.

•

IKE negotiates SA parameters, setting up matching SAs in the peers. Some of the negotiated SA

parameters include encryption and authentication algorithms, Diffie-Hellman group and SA lifetimes.

•

Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA

database.

•

IPSec tunnel termination. SA lifetimes terminate through deletion or by timing out.

The first step to configuring IPSec is to create a policy for IKE and a policy for IPSec. Once the policies

have been created, you assign the policies when creating the FCIP tunnel.

IKE negotiates SA parameters and authenticates the peer using the preshared key authentication method.

Once the 2 phases of the negotiation are completed successfully, the actual encrypted data transfer can

begin.

IPSec policies are managed using the

policy

command.

You can configure up to 32 IKE and 32 IPSec policies. Policies cannot be modified; they must be deleted

and recreated in order to change the parameters. You can delete and recreate any policy as long as the

policy is not being used by an active FCIP tunnel.

Each FCIP tunnel is configured separately and may have the same or different IKE and IPSec policies as

any other tunnel. Only one IPSec tunnel can be configured for each GbE port

MAC

Message Authentication Code is a key-dependent, one-way hash function used

for generating and verifying authentication data.

HMAC

A stronger MAC because it is a keyed hash inside a keyed hash.

Security association is the collection of security parameters and authenticated

keys that are negotiated between IPSec peers.

Table 100

IPSec terminology

Term

Definition