HP StorageWorks 2/16V Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 18

Management Channel Security, Secure Shell SSH



1-2 Secure Fabric OS Administrator's Guide, Publication Number 53-1000244-01

1 Management Channel Security
Secure Fabric OS can be used to provide policy-based access control of local and remote management
channels, including Fabric Manager, Web Tools, standard SNMP applications, and the management server.
Access through a channel is restricted by customizing the Secure Fabric OS policy for that channel.
Policies are available for telnet (which also covers sectelnet and SSH), SNMP, management server,
HTTP, and API.
Fabric Manager, Web Tools, and the API all use both HTTP and API to reach the switch. To use any of
these management tools against a fabric that has secure mode enabled, make sure the workstations can
reach the fabric over both API and HTTP: if an API or HTTP policy has been created, it must list the
IP addresses of all the workstations, because a workstation missing from either policy is denied that
channel.
After a digital certificate has been installed on the switch, Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, and
v5.2.0 encrypt sectelnet, API, and HTTP passwords automatically, whether or not Secure Fabric OS is
enabled.
On two-domain directors, messages sent to the whole secure fabric (such as notifications of password
changes) are seen on both domains, even if the other domain is not part of the secure fabric.
Secure Shell (SSH)
Fabric OS v4.4.0, v5.0.1, v5.1.0, and v5.2.0 support SSH, which gives a fully encrypted CLI session in
place of telnet. Using SSH requires an SSH client on the host computer; it does not require a digital
certificate on the switch.
SSH access is controlled by the Telnet Policy available through Secure Fabric OS. However, Fabric OS
v4.4.0, v5.0.1, v5.1.0, and v5.2.0 support SSH whether or not Secure Fabric OS is licensed. To restrict
CLI access over the network to SSH only, disable telnet as described in "Telnet" on page 1-3 later in
this section.
SSH clients are freely available. Use a client that supports version 2 of the protocol, such as OpenSSH
or F-Secure SSH.
Fabric OS v4.4.0, v5.0.1, v5.1.0, and v5.2.0 support the following ciphers for session encryption and
HMACs (hash function-based message authentication codes):
• ciphers: AES128-CBC, 3DES-CBC, Blowfish-CBC, Cast128-CBC, and RC4
• HMACs: HMAC-MD5, HMAC-SHA1, HMAC-SHA1-96, and HMAC-MD5-96
Every cipher in that list is either CBC-mode or RC4, and two of the HMACs are MD5-based; all of them
are considered weak by today's standards. Current OpenSSH clients offer none of these ciphers by
default, so a connection attempt fails with "no matching cipher found" unless the cipher is set
explicitly (for example, -o Ciphers=aes128-cbc), and Blowfish-CBC, Cast128-CBC, and RC4 have been
removed from OpenSSH entirely. Prefer AES128-CBC with HMAC-SHA1, and keep the switch's management
interfaces reachable only from the workstations the Telnet Policy allows.
For more information about SSH, see the Fabric OS Administrator's Guide.
Note: The Telnet button in Web Tools launches telnet only (not sectelnet or SSH); it is disabled when
secure mode is enabled.
Note: The first time an SSH client connects to the switch, it reports that the server's host key is not
cached in the registry. You will see the same message the first time an SSH client connects after you
upgrade switch firmware, because the upgrade leaves the switch with a host key the client has not seen
before. Treat this prompt as a security check rather than a formality: a changed host key is also what
a man-in-the-middle attack looks like, so confirm the fingerprint out of band (for example, over the
serial console) before accepting it, and pin the accepted key in a known_hosts entry for the switch.
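The following is an added example, not code from the Brocade or HP documentation. It models the two checks a practitioner has to get right with this switch generation: SSH algorithm negotiation (RFC 4253, first client-preferred name the server also offers) against the cipher and HMAC lists given above, and host-key pinning so the "host key not cached" prompt never turns into blind trust-on-first-use. The modern OpenSSH default proposals, the hostname switch1.example.net, the known_hosts line, and the "console fingerprint" are all assumptions or constructed sample data; the switch's real host key and fingerprint must come from the device itself.

```python
import base64
import hashlib

# Algorithms the switch offers, exactly as this page lists them, spelled as
# OpenSSH algorithm names (OpenSSH calls RC4 "arcfour").
SWITCH_CIPHERS = ["aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour"]
SWITCH_MACS = ["hmac-md5", "hmac-sha1", "hmac-sha1-96", "hmac-md5-96"]

# Assumption: the default proposal of a current OpenSSH client (taken from
# OpenSSH 9.x; confirm yours with `ssh -Q cipher` and `man ssh_config`).
MODERN_CLIENT_CIPHERS = [
    "chacha20-poly1305@openssh.com", "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]
MODERN_CLIENT_MACS = [
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com", "umac-64@openssh.com", "umac-128@openssh.com",
    "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
]

# What we are willing to offer the switch: the only AES option first, never
# RC4 or Blowfish; a full-length SHA-1 tag before truncated or MD5 tags.
LEGACY_CIPHER_PREFERENCE = ["aes128-cbc", "3des-cbc"]
LEGACY_MAC_PREFERENCE = ["hmac-sha1", "hmac-sha1-96"]


def negotiate(client_list, server_list):
    """RFC 4253 section 7.1: the chosen algorithm is the first name in the
    client's list that the server also lists. None means the handshake fails
    (OpenSSH reports 'no matching cipher found' / 'no matching MAC found')."""
    for name in client_list:
        if name in server_list:
            return name
    return None


def select_algorithms(client_ciphers, client_macs):
    """(cipher, mac) a client with these proposals ends up using against the
    switch, or (None, None) if either negotiation fails."""
    cipher = negotiate(client_ciphers, SWITCH_CIPHERS)
    mac = negotiate(client_macs, SWITCH_MACS)
    if cipher is None or mac is None:
        return (None, None)
    return (cipher, mac)


def fingerprint_sha256(known_hosts_line):
    """SHA256 fingerprint of the key in a known_hosts line, in the form
    `ssh-keygen -lf` prints: base64 of the digest, without '=' padding."""
    _host, _keytype, b64blob = known_hosts_line.split()[:3]
    digest = hashlib.sha256(base64.b64decode(b64blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(known_hosts_line, expected_fingerprint):
    """True if the pinned key equals the fingerprint read out of band."""
    return fingerprint_sha256(known_hosts_line) == expected_fingerprint


def ssh_command(host, user, known_hosts_line, expected_fingerprint, known_hosts_path):
    """OpenSSH argv for the switch: explicit legacy cipher and MAC, host key
    pinned in a dedicated known_hosts file, no interactive trust-on-first-use.
    Refuses to build anything if the pinned key does not match the fingerprint
    obtained out of band (for example, read on the serial console)."""
    if not host_key_matches(known_hosts_line, expected_fingerprint):
        raise ValueError("pinned host key does not match the out-of-band fingerprint")
    cipher, mac = select_algorithms(LEGACY_CIPHER_PREFERENCE, LEGACY_MAC_PREFERENCE)
    if cipher is None:
        raise ValueError("no acceptable cipher/MAC overlap with the switch")
    return [
        "ssh",
        "-o", f"Ciphers={cipher}",
        "-o", f"MACs={mac}",
        "-o", "StrictHostKeyChecking=yes",
        "-o", f"UserKnownHostsFile={known_hosts_path}",
        f"{user}@{host}",
    ]


def _ssh_string(data):
    """SSH wire encoding of a string: 4-byte big-endian length + bytes."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample data: a fake ssh-rsa public key blob (e=65537, made-up
# modulus) in known_hosts form, and the fingerprint that in real use you would
# read from the switch console instead of computing from the same line.
_FAKE_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
              + _ssh_string(b"\x7f" + b"\x5a" * 255))
SAMPLE_KNOWN_HOSTS = "switch1.example.net ssh-rsa " + base64.b64encode(_FAKE_BLOB).decode()
CONSOLE_FINGERPRINT = fingerprint_sha256(SAMPLE_KNOWN_HOSTS)


if __name__ == "__main__":
    print("modern OpenSSH defaults ->", select_algorithms(MODERN_CLIENT_CIPHERS, MODERN_CLIENT_MACS))
    print("explicit legacy options ->", select_algorithms(LEGACY_CIPHER_PREFERENCE, LEGACY_MAC_PREFERENCE))
    print(" ".join(ssh_command("switch1.example.net", "admin", SAMPLE_KNOWN_HOSTS,
                               CONSOLE_FINGERPRINT, "/etc/ssh/switch_known_hosts")))
```

Run as-is, the script shows a default modern OpenSSH proposal negotiating no cipher at all (the MAC would settle on HMAC-SHA1), while the explicit legacy proposal settles on aes128-cbc with hmac-sha1. If the switch's host key is an RSA key, OpenSSH 8.8 and later also refuse the SHA-1 signed ssh-rsa host-key algorithm by default and need -o HostKeyAlgorithms=+ssh-rsa as well; the page does not state the switch's key type, so that is an assumption to confirm against the client's error message.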