HP StorageWorks 2/16V Brocade Secure Fabric OS Administrator's Guide (53-10002
HP StorageWorks 2/16V - SAN Switch Manual
HP StorageWorks 2/16V manual content summary:
Page 1: Secure Fabric OS Administrator's Guide Supporting Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, v5.2.0 Publication Number: 53-1000244-01 Publication Date: 09/29/2006
Page 2: service names are or may be trademarks or service marks of, and are used to identify, products or services of code, please visit http://www.brocade.com/support/oscd. Export of technical data contained in implement a more secure storage area network ("SAN"), as part of your overall network and
Page 3: Brocade Communications Systems, Incorporated Corporate Headquarters Brocade Communications Systems, Inc. 1745 Technology Drive San Jose, CA 95110 Tel: 1-408-333-8000 Fax: 1-408-333-8101 Email: [email protected] European and Latin American Headquarters Brocade Communications Switzerland Sàrl Centre
Page 4: Guide. Document Title Secure Fabric OS User's Guide v2.6 Secure Fabric OS User's Guide v3.1.0/4.1.0 Secure Fabric OS User's Guide v2.6.2/3.1.2/4.2.0 Secure Fabric OS User's Guide Secure Fabric OS Administrator's Guide Secure Fabric OS Administrator's Guide procedure for downloading from Web support
Page 5: Document How This Document Is Organized ix Supported Hardware and Software x What's New 1-2 Switch-to-Switch Authentication 1-3 Using PKI 1-3 Using DH-CHAP 1-4 Fabric Configuration Server Switches 1-4 Fabric 2-3
Page 6: a Supported CLI Client on a Workstation 2-28 Enabling Secure Fabric OS and Creating Policies Prerequisites to Enabling Secure Mode 3-1 Default Fabric and Switch Accessibility a Secure Fabric OS Transaction 3-29
Page 7: 10 Using Temporary Passwords 4-11 Resetting the Version Number and Time Stamp 4-12 Adding Switches and Merging Fabrics with Secure Mode Enabled 4-13 Preventing a LUN Connection 4-17 Troubleshooting 4-17 Appendix A Removing Secure Fabric OS Capability Preparing the Fabric for Removal of Secure
Page 9: About This Document This document is a procedural guide written to help SAN administrators set up and manage a Brocade Secure Fabric OS SAN. This document is specific to Brocade Secure Fabric OS v5.2.0 and all switches running Fabric OS versions v3.2.x, v4.4.x, v5.0.1, v5.1.0, or v5.2.0. "About
Page 10: documented here apply to some switches but not to others, this guide identifies exactly which switches are supported and which are not. does not support all versions. This document is specific to v5.2.0 To obtain information about an OS version other than refer to the documentation specific to that
Page 11: guide are presented in mixed lettercase: for example, switchShow. In actual examples, command lettercase is often all lowercase. Otherwise, this manual specifically. Caution A caution alerts you to potential damage to hardware, firmware, software, or data. Warning A warning alerts you to potential
Page 12: SAN-specific terms, visit the Storage Networking Industry Association online dictionary at http://www.snia.org/education/dictionary. Additional Information This section lists additional Brocade and industry-specific OS • Fabric OS Administrator's Guide • Fabric OS Command Reference • Fabric
Page 13: Mount Kit Installation Procedure • Mid-Mount Rack Kit Installation Procedure SilkWorm 7500 • SilkWorm 7500 Hardware Reference Manual • SilkWorm 7500 QuickStart Guide • SilkWorm 7500 Fan Assembly Replacement Procedure • SilkWorm 7500 Power Supply Replacement Procedure SilkWorm 4900 • SilkWorm 4900
Page 14: , visit the Brocade SAN Info Center and click the Resource Library location: http://www.brocade.com Release notes are available on the Brocade Connect Web site and are also bundled with the Fabric OS firmware. Other Industry Resources In addition to this manual, the following information
Page 15: Information • Technical Support contract number, if applicable • Switch model • Switch operating system version • Error numbers and messages received • supportSave command output • Detailed description of the problem and specific questions • Description of any troubleshooting steps already performed
Page 16: : Provide the switch WWN. Use the switchShow command to display the switch WWN. • All other SilkWorm switches: Provide the switch WWN. Use the wwn command to display the switch WWN. Document suggestions for improvement.
Page 17: through a single switch • Create temporary passwords specific to a login account and switch • Enable and switch-to-switch authentication. Table 1-1 lists which switches and fabrics support Secure Fabric OS. Table 1-1 Secure Fabric OS-Supported Switches and Fabrics Fabric OS Versions Supported
Page 18: Secure Shell (SSH) Fabric OS v4.4.0, v5.0.1, v5.1.0, and v5.2.0 support SSH, enabling fully encrypted telnet sessions. Use of SSH requires installation of upgrade switch firmware. For more information about SSH, see the Fabric OS Administrator's Guide.
Page 19: configure command, see the Fabric OS Command Reference Manual. Switch-to-Switch Authentication Switch-to-switch authentication supports the following: • "Using PKI" on page described in this manual are specific to Secure Fabric OS. See the Fabric OS Administrator's Guide for information about
Page 20: OS Command Reference Manual for details of the authUtil and secAuthSecret commands and see "Configuring Switch-to-Switch Authentication" on are not supported by older releases. FCS switches are specified by listing their WWNs in a specific policy called the FCS policy. The first switch that is
Page 21: . Instead, the zoning information on the new switches is overwritten when the primary FCS switch downloads zoning to these switches, if secure mode is enabled on all of them. For more information about zoning, see the Fabric OS Administrator's Guide. For more information about merging fabrics, see
Page 22: Secure Fabric OS supports the following policies: • FCS policy-Use to specify the primary FCS and backup FCS switches. This is the only required policy. • Management access control (MAC) policies-Use to restrict management access to switches. The following specific MAC policies are provided: -
Page 23: 2-22 for switch authentication protocol setup instructions. • Backup Fabric OS policies that are not compatible with Secure FOS; Fabric OS v5.1.0 and later password policies and v5.2.0 local SCC and DCC ACL policies are not supported.
Page 24: Fabric OS Administrator's Guide. Before enabling secure mode, install a supported CLI client on all network workstations that will be used to access the switch command line management interface. See "Installing a Supported CLI Client on a Workstation" on page 2-28 for detailed instructions. Note If
Page 25: : 4.5.3 To upgrade the Fabric OS: The firmware upgrade process depends on the type of switch and management interface. See the Fabric OS Administrator's Guide for download instructions specific to the type of switch and management interface. Switches that already have a Secure Fabric OS license
Page 26: and certificate display Empty, create the objects on the switch as described in "Creating PKI Objects" on page 2-5, then follow the instructions in "Obtaining the Digital Certificate File" on page 2-7 and "Distributing Digital Certificates to the Switches" on page 2-13. • If any of the other objects
Page 27: command on both logical switches. The pkiCreate command does not work if secure mode is already enabled. switch:admin> pkicreate Installing Private Key and Csr... Switch key pair and CSR generated... Installing Root Certificate...
Page 28: Repeat for any other switches, as required. Removing switch according to the instructions provided in "Distributing Digital Certificates to the Switches switch. If you want secure mode enabled, you will need to get the switch is displayed: switch:admin> pkiremove This Switch is in secure mode
Page 29: to collect certificate signing requests (CSRs) and install digital certificates on switches. The utility must be installed on a computer workstation. To install the PKICert utility on a Solaris workstation, follow the instructions provided in the PKICert utility ReadMe file. To install the PKICert
Page 30: for information on SSL.) Note If this procedure is interrupted by a switch reboot, the CSR file is not generated and the procedure must be repeated. The examples in the guide are PC-specific. The PKICert utility can be used only in nonsecure mode to generate or install certificates. While performing
Page 31: providing fabric addresses 1) Manually enter fabric address manually a. Type 1 and press Enter. The utility prompts for the IP address or switch name of a switch in the fabric. Only one switch is needed to get to all switches. Enter a list of one or ... c. Type the username and password for this switch.
Page 32: y Get CSRs even from switches with certificates (y/n)? > y Note If CSRs are retrieved and digital certificates are requested for switches that already have digital certificates, the same digital certificates are provided again.
Page 33: 00:00:60:69:80:46:00 a) All Fabrics r) Return to Functions menu # Switches Principal 34 host1_sw0 enter your choice> 1 7. The utility displays the success or failure installation utility Enter choice> 2
Page 34: 1) 10:00:00:60:69:11:f8:f9 a) All Fabrics r) Return to Functions menu # Switches ---------- 15 Principal ----------- sec237 enter your choice> 1 Once you finish, press Enter to return to Enter choice> q QUIT? (y/n) y
Page 35: section, "Using the PKICert Utility to Obtain CSR". To load digital certificates onto one or more switches manually 1. On a PC, double-click pkicert.exe. The PKICert utility prompts for the events log fabric addresses.
Page 36: method for providing fabric addresses 1) Manually enter fabric address 2) Read addresses manually a. Type 1 and press Enter. The utility prompts for the IP address or switch name of a switch in the fabric. Only one switch per fabric is needed to get to all switches. Enter a list of one or more IP
Page 37: Choose a Fabric On Which to Operate Fabric World Wide Name 1) 10:00:00:60:69:80:46:00 a) All Fabrics r) Return to Functions menu # Switches ---------- 7. . . . Principal ----------host1_sw0 enter your choice> 1
Page 38: . Note The sectelnet application can be used as soon as a digital certificate is installed on the switch. 8. Press Enter. The Functions menu is displayed. 9. Type q to quit the utility; then Enter choice> q QUIT? (y/n) y
Page 39: Choose a method for providing fabric addresses 1) Manually enter fabric address 2) Read addresses from a file (name to be given) r) Return to Main menu Enter choice> 1 The utility prompts for the IP address or switch name of a switch in the fabric. Only one switch name or IP address is required for
Page 40: pki_v1.0.6 Choose a Fabric On Which to Operate Fabric World Wide Name 1) 10:00:00:60:69:50:0d:9f a) All Fabrics r) Return to Functions menu # Switches ---------- 2 Principal ----------- sec_edge_2 enter your choice> 1
Page 41: want to quit. PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 FUNCTIONS 1) Retrieve CSRs from switches & write a CSR file 2) Install Certificates contained in a Certificate file 3) utility Enter choice> q QUIT? (y/n) y
Page 42: CERT TO GET & INSTALL DIGITAL CERTIFICATIONS NOTE:This utility will only work with switches running a FAB-OS version that supports Fabric Security (e.g. >= v2.6, v3.2, v4.3) 1) Use PKI-Cert to data
Page 43: option or for use as default for all switches given. Password: -p Password must accompany "-u UserLogin" if provided. It must be more than 5 characters. ----- END Of HELP with Batch Usage -----
Page 44: .4.0, v5.0.1, v5.1.0, and v5.2.0 use SLAP or FCAP protocols for authentication. These protocols use digital certificates, based on switch WWN and PKI technology to authenticate switches. Support for FCAP is provided in Secure Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 and is used when both
Page 45: either while secure mode is enabled or not. Run the command on the switch you want to view or change. This section illustrates using the authUtil command for example, you enable the switch), switch authentication fails.
Page 46: secAuthSecret "--show". The output displays the WWN, domain ID, and name (if known) of the switches with defined shared secrets: WWN DId Name 10:00:00:60:69:80:07:52 Unknown 10:00:00:60:69:80:07:5c 1 switchA
Page 47: switch specification, peer secret entry, and local secret entry. To exit the loop, press Enter for the switch ... switch is configured to do DH-CHAP, it is performed whenever a port or a switch ... Enter WWN, Domain, or switch name (Leave blank when done
Page 48: Secondary Partition: v4.0.2 3. If the firmware version is not Fabric OS v4.4.0 or later, back up the configuration and install Fabric OS v4.4.0 on both CPs. For instructions, see "Verifying Compatible Fabric OS Version" on page 2-2. 4. Log in to one logical switch and change the account passwords
Page 49: on both logical switches. 7. Ensure that both logical switches have an Advanced Zoning license activated, as described in "Verifying or Activating Secure Fabric OS and Advanced Zoning Licenses" on page 2-3. 8. If the firmware was upgraded, perform the following steps: a. Download and install the
Page 50: a secure form of telnet that is supported only for switches running Fabric OS v4.1.x or later. You can use SSH clients that support version 2 of the protocol (for example, OpenSSH or F-Secure). See the Fabric OS Administrator's Guide for client installation instructions. sectelnet is provided on the
Page 51: . This chapter includes the following sections: • "Default Fabric and Switch Accessibility," next • "Enabling Secure Mode" on page 3-2 • "Troubleshooting" on page 4-17. Prerequisites to Enabling Secure Mode For more information on any of the following items, see the Fabric OS Administrator's Guide
Page 52: or SSH). - Any host can establish an HTTP connection to any switch in the fabric. - Any host can establish an API connection to any switch in the fabric. • Devices: - All device ports can access SES device's access.
Page 53: not, the command also might request new passwords for secure mode. Caution Placing the two switches of a two-domain SilkWorm 24000 in separate fabrics is not supported if secure mode is enabled on one or both switches.
Page 54: as a digital certificate is installed on the switch. SSH can be used at any time; however download process fails, resolve the source of the problem and repeat the configDownload command. For information about troubleshooting the configuration download process, see the Fabric OS Administrator's Guide
Page 55: that any zoning configuration downloads have completed on all switches in the fabric. For information specific to zoning, see the Advanced Zoning User's Guide for Fabric OS v2.6.x and v3.2.x, the Fabric OS Procedures Guide for Fabric OS v4.4.x, or the Fabric OS Administrator's Guide for Fabric OS v5
Page 56: Switch Certificate, Security license and Zoning license to be installed on every switch closed and some switches may go through is enabled. switch:admin> The command requests active
Page 57: configurations, and fastboots all Fabric OS v2.6.2 switches in the fabric. Note Record the passwords and store them in a secure place. Recovering passwords might require significant effort and result in fabric downtime.
Page 58: in the FCS policy if your primary FCS switch is running Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, or v5.2.0 and using multiple user accounts (MUA) because Fabric OS v2.6.x does not support MUA. See the Fabric OS Administrator's Guide for more information on MUA.
Page 59: position in the list of the FCS switch and To is the desired position in the list for this switch. For example, to move a backup FCS switch from position 2 to position 3 in :5a2 switch60. 4. Type secPolicyActivate.
Page 60: :1c1 fcsswitcha 2 No 10:00:00:00:00:00:22:2c2 fcsswitchb 4. From a sectelnet or SSH session, log in as admin to the backup FCS switch to be designated as the new primary FCS switch and type secFCSFailover.
Page 61: policy changes frequently; changes are lost if the switch is rebooted before the changes are saved. Each supported policy is identified by a specific name, and only one policy of each type Fabric OS Command Reference.
Page 62: access to the fabric: • Access by hosts using SNMP, telnet/sectelnet/SSH, HTTP, API • Access by device ports using SCSI Enclosure Services (SES) or management server • Access through switch serial ports and front panels
Page 63: can read Any host can write Any host can read No host can write Any host can read Only B can write This combination is not supported. If the WSNMP policy is not defined, the RSNMP policy cannot be created. No host can read No host can write
Page 64: Empty Host B in policy This combination is not supported. If the WSNMP policy is not defined, the RSNMP SSH session, log in to the primary FCS switch as admin. 2. Type secPolicyCreate "WSNMP_POLICY", logical switches on a two-domain SilkWorm 24000 addresses of the logical switches and to the standby
Page 65: create these policies) to ensure that some form of management access is available to the switch. To restrict CLI access over the network to SSH, disable telnet as described in connections to the switches in the fabric.
Page 66: switch in the fabric. Policy with no entries No host can establish an HTTP/HTTPS connection to any switch any switch in the fabric. To create an HTTP log in to the primary FCS switch as admin. 2. Type secPolicyCreate "HTTP_POLICY HTTP connection to any switch in the fabric: primaryfcs:admin>
Page 67: to the SES User's Guide for more information. The current SES implementation does not support the SES commands Read Buffer or Write Buffer for remote switches. To direct these commands to a switch that is not the primary FCS switch, designate that switch as the primary FCS switch and attach the SES
Page 68: Note Only Fabric OS v2.6.2 supports the SES policy. Table 3-7 displays be performed only by requesters that are directly connected to the primary FCS switch. The policy is named MS_POLICY and contains a list of device port
Page 69: and the switch is not switch as admin. 2. Type secPolicyCreate "SERIAL_POLICY", "member;...;member". member is a switch WWN, domain ID, or switch name. If a domain ID or switch name is used to specify a switch, the associated switch allows serial port access to a switch that has a WWN of 12:24
Page 70: switch as admin. 2. Type secPolicyCreate "FRONTPANEL_POLICY", "member;...;member". member is a switch WWN, domain ID, or switch name. If a domain ID or switch name is used to specify a switch, the associated switch .
Page 71: switch disable the switch then v5.2.0 supports local to which switch ports. switch ports; the same device ports and switch ports might be listed in multiple DCC policies. After a switch switch ports that are switch and are not enforced by the DCC policy. However, this does not create a security problem
Page 72: , that device is only allowed access to the fabric if connected to a switch port listed in the same policy. If a switch port is specified in a DCC policy, it only permits connections from devices that proxy device.
Page 73: switch switch port information: deviceportWWN;switch(port): • deviceportWWN is the WWN of the device port. • switch can be the switch WWN, domain ID, or switch switch. .1.x and earlier switches have a 256 earlier switches may switch switch domain 2, and all currently connected devices of switch switch
Page 74: switch domain 4: primaryfcs:admin> secpolicycreate "DCC_POLICY_example", "44:55:66:77:22:33:44:dd;33:44:55:66:77:11:22:cc;4[1-4]" DCC_POLICY_xxx has been created Creating an SCC Policy Note Fabric OS v5.2.0 supports 3-13.
Page 75: OS Policies All Secure Fabric OS transactions must be performed through the primary FCS switch only, except for the secTransAbort, secFCSFailover, secStatsReset, and secStatsShow commands. You can the defined policy set.
Page 76: policy is closed to access by all devices/switches that are not listed in that policy. cannot be removed, because a primary FCS switch must be designated. • "Deleting a on page 3-29 From any switch in the fabric, abort a are lost if the switch reboots or the current the primary FCS switch as admin.
Page 77: Secure Fabric OS policy 1. From a sectelnet or SSH session, log in to the primary FCS switch as admin. 2. Type secPolicyAdd "policy_name", "member;...;member". policy_name is the name of the Secure added to WSNMP_POLICY.
Page 78: Fabric OS policy 1. From a sectelnet or SSH session, log in to the primary FCS switch as admin. 2. Type secPolicyDelete "policy_name". policy_name is the name of the Secure Fabric OS The FCS_POLICY cannot be deleted.
Page 79: OS transaction 1. From a sectelnet or SSH session, log in to the primary FCS switch as admin. 2. Type the secTransAbort command: primaryfcs:admin> sectransabort Transaction has been aborted. entering this command).
3 3-30 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/16V | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 81
" on page 4-8 • "Resetting the Version Number and Time Stamp" on page 4-12 • "Adding Switches and Merging Fabrics with Secure Mode Enabled" on page 4-13 • "Preventing a LUN Connection" on page 4-17 • "Troubleshooting" on page 4-17 Viewing Secure Fabric OS Information You can display the following - HP StorageWorks 2/16V | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 82
Primary 10:00:00:60:69:22:32:83 3 Ready 192.168.100.135 "primaryfcs" Secured switches in the fabric: 3 Table 4-1 identifies the information that displays if secure mode is enabled. Table the specified policy set. 4-2 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/16V | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 83
pagination. To display information about a specific Secure Fabric OS policy: 1. From a sectelnet or SSH session, log in to the primary FCS switch as admin. 2. Type secpolicyshow "listtype active and defined policy sets. Secure Fabric OS Administrator's Guide 4-3 Publication Number: 53-1000244-01 - HP StorageWorks 2/16V | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 84
the FCS policy. switch:admin> secmodeshow Secure Mode: ENABLED. Version Stamp: 9182, Wed Mar 13 16:37:01 2001. POS Primary WWN DId swName. 1 Yes 10:00:00:60:69:00:00:5a 21 switch47. 2 No 12:00:00:60:60:03:23:5b 5 switch12.
secModeDisable on a non-FCS switch). INCOMP_DB (incompatible Secure Fabric OS database): Secure Fabric OS databases are incompatible; might be due to different version numbers, time stamps, FCS policies, or secure mode status.
A received packet has a time stamp that differs from the time of the receiving switch by more than the maximum allowed difference. LOGIN The number of invalid login attempts. not replicated to the standby CP.
The specified statistics are reset to 0. For example, to reset all statistics on a local switch: primaryfcs:admin> secstatsreset About to reset all security counters. Are you sure (yes, y, " Reset DCC_POLICY statistic.
be created for specific switches, making it possible to provide temporary access to another user. • User password policies are not supported. To enable Secure mode, you must reset all password policies to the default settings. See Chapter 3 of the Fabric OS Administrator's Guide. The user account
all switches. Created for switch initialization purposes; not recommended for Password is specific to each switch; switches by creating a temporary password. Password is common to all FCS switches; can modify using passwd command on the primary FCS switch.
. Secure mode must be enabled to use this command. To modify the admin password for non-FCS switches 1. From a sectelnet or SSH session, log in to the primary FCS switch as admin. 2. Type the secNonFCSPasswd command.
are terminated. Using Temporary Passwords Create temporary passwords for default accounts to grant temporary access to a specific switch and login account without compromising the confidentiality of the permanent passwords; the permanent passwords also remain in effect. Temporary passwords can
secPolicySave or secPolicyActivate command. To display the version number and time stamp of a fabric 1. From a sectelnet or SSH session, log in to the primary FCS switch as admin. 2. Type the secModeShow command.
secure fabric has a zero version stamp and the non-FCS switch has a nonzero version stamp. For general information about merging fabrics and instructions for merging fabrics that are not in secure mode, refer to the Fabric OS Administrator's Guide. When MUAs are available, care is required when the
disabled. Segments unless FCS policies are identical. If identical, the switch is the primary FCS switch unless the other FCS switch is higher in the FCS policy. Segments unless FCS policies are in the merge process.
about PID modes, refer to the Fabric OS Administrator's Guide. 4. Ensure that the Management Server Platform Database Service is consistently enabled or disabled across all the switches to be merged. For information about management server support provided by Fabric OS, refer to the Fabric OS
Supported CLI Client on a Workstation" on page 2-28. 8. Enable secure mode on all switches to be merged by entering the secModeEnable command on the primary FCS switches the Fabric OS Administrator's Guide. 12. Verify that the fabric that contains the final primary FCS switch has a nonzero version - HP StorageWorks 2/16V | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 97
each switch in primary FCS switch is switch. If an edge fabric is connected to a fibre channel router, secModeEnable --quickmode is not supported. Troubleshooting switch that you want to become the primary FCS switch and specify the FCS switches switches has segmented from the fabric,"
primary FCS role to a backup FCS switch. If no backup FCS switches are available, enter the secModeEnable command to specify a new primary FCS switch. Specify adequate backup FCS switches to prevent a recurrence. Troubleshoot the previous primary FCS switch as required. Cannot access a device or
switch. Establish a sectelnet/SSH session to the IP addresses of the logical switches FCS switch to secModeEnable again on the segmented switch, using the same FCS , security data is not downloaded, and/or domain 1 default value. A switch has non-default supported by secure mode. On each switch
from the fabric. Note: For instructions on rejoining fabrics, refer to the instructions in "Adding Switches and Merging Fabrics with Secure Mode Enabled" on page 4-13. SCC_POLICY is excluding the segmented switches. Management server services on the segmented switches are inconsistent with rest of
command, followed by secVersionReset and switchEnable. Unsaved changes to the policies are lost. The primary FCS switch might have failed over. Reenter the changes; then, enter sectelnet session and log back in.
secure mode or removing Fabric OS capability includes the addition of new switches to the fabric that do not support Secure Fabric OS. Disabling secure mode includes the following tasks: • of any security violations.
a sectelnet, SSH, or serial connection to the primary FCS switch. When secure mode is disabled, all temporary passwords are reset switches that were non-FCS switches, the root, factory, and admin passwords become the same as the non-FCS admin password.
To deactivate the software license 1. Open a CLI connection (serial or telnet) to the switch. 2. Type the licenseShow command to display the Secure Fabric OS license key. Copy the the rm command to remove the folder.
must be entered through the primary FCS switch. This appendix includes the following information: secure mode • Fail over the primary FCS switch • Create and modify Secure Fabric OS policies Fabric OS commands must be executed on the primary FCS switch when secure mode is enabled. For a list of
3-2. This command cannot be entered if secure mode is already enabled unless all the FCS switches have failed. Nonsecure mode Available in secure mode if no FCS switches are left Enter from intended primary FCS switch
Switch Admin Password" on page 4-10. Secure mode Primary FCS switch switch 27. Primary FCS switch secPolicyAdd admin / Adds . Primary FCS switch secPolicyCreate admin / Switch Within the FCS Policy" on page 3-9. Secure mode Primary FCS switch switch Primary FCS switch secPolicyShow admin - HP StorageWorks 2/16V | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 110
(Continued) Columns: Command, Role, Description, Secure Mode or Non-Secure Mode?, Which Switches in Secure Mode? secStatsReset admin / Resets Secure . Secure mode Primary FCS switch; if not available, then nonFCS switch.
OS Command Reference. Table B-2 Zoning Commands. Columns: Command, Primary FCS Switch, Backup FCS Switch, Non-FCS Switch. aliAdd Yes No No; aliCreate Yes No No; aliDelete Yes No No; aliRemove Yes No Yes No No
recommended. The zoning and Secure Fabric OS configurations are not uploaded if entered on a non-FCS switch. date Yes Yes (read only) Yes (read only) date (except ACL does not display) Yes
Table B-3 Miscellaneous Commands (Continued) Command Primary FCS Switch Backup FCS Switch Non-FCS Switch msplClearDB Yes No No msplMgmtActivate Yes No No msplMgmtDeactivate cannot modify WWNs in secure mode)
Fabric OS to a SilkWorm 24000 2-26 adding switches with secure mode enabled 4-13 API policy 3-17 about 2-22 C changing the position of a switch within the FCS policy 3-9 command passwd MAC policy 3-12 creating a temporary password for a switch 4-11 creating an Options policy 3-20 creating an
Routing 3-5, 3-24, 4-20 FCS policy changing the switch position 3-9 modifying 3-8 FCS switch, primary failover 3-10 FCS switches 1-4 fibre channel router 3-5, 3-24, 4-20 FMPS 1-5 Front Panel policy 3-20 H HTTP policy 3-15 I installing a supported CLI client on a computer workstation 2-28 installing
viewing the database 4-2 WSNMP 3-13 policy set active 1-5 defined 1-5 member from a policy 3-28 removing a temporary password from a switch 4-12 resetting Secure Fabric OS statistics 4-7 resetting statistics 4-5 resetting the
support, Fibre Channel router 3-5, 3-24 switch-to-switch authentication CHAP 1-3 DH-CHAP 1-3 T telnet 1-3 Telnet policy 3-14 telnet, when available 2-28 temporary password creating 4-11 removing 4-12 using 4-11 troubleshooting