HP StorageWorks 2/16V Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 19

Switch-to-Switch Authentication, Using PKI



Secure Fabric OS Administrator’s Guide    1-3    Publication Number 53-1000244-01

sectelnet
The sectelnet client is a secure form of telnet that encrypts passwords only. It is available from your switch supplier. Fabric OS v4.4.0, v5.0.1, v5.1.0, and v5.2.0 include the sectelnet server; the sectelnet client must be installed on the workstation computer.
The sectelnet client can be used as soon as a digital certificate is installed on the switch. sectelnet access is configurable by the Telnet policy.

Telnet
Standard telnet is not available when secure mode is enabled.
To remove all telnet access to the fabric, disable telnet through the telnetd option of the configure command. This configure option does not require disabling the switch. For more information about the configure command, see the Fabric OS Command Reference Manual.

Switch-to-Switch Authentication
Switch-to-switch authentication supports the following:
• “Using PKI” on page 1-3
• “Using DH-CHAP” on page 1-4

Note
A secure edge fabric that is connected to a Fibre Channel router (such as the SilkWorm 7500) can use only DH-CHAP authentication.

Using PKI
Secure Fabric OS can use digital certificates based on public key infrastructure (PKI) and switch WWNs and the SLAP or FCAP protocols to identify the authorized switches and prevent the addition of unauthorized switches to the fabric. A PKI certificate installation utility (PKICert) is provided for generating certificate signing requests (CSRs) and installing digital certificates on switches. For information about how to use the PKICert utility, see “Using the PKICert Utility to Obtain CSR” on page 2-8.
Support for FCAP is provided in Secure Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 and is used instead of SLAP when both switches support it. PKI authentication automatically uses SLAP when a switch does not support FCAP.

Note
Fabric OS v4.4.0, v5.0.1, v5.1.0, and v5.2.0 also use PKI digital certificates. Secure Fabric OS and secure sockets layer (SSL) use different digital certificates and different methods of obtaining and installing the certificates. PKI digital certificates are used for the secure fabric, and SSL digital certificates are not. The methods described in this manual are specific to Secure Fabric OS. See the Fabric OS Administrator’s Guide for information about SSL and digital certificates.