HP StorageWorks 2/16V Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 20



Secure Fabric OS Administrator’s Guide, Publication Number 53-1000244-01 (Chapter 1, page 1-4)
Using DH-CHAP

Secure Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 use Diffie-Hellman with Challenge-Handshake Authentication Protocol (DH-CHAP) shared secrets to provide switch-to-switch authentication and prevent the addition of unauthorized switches to the fabric. (DH-CHAP is not available with Fabric OS v2.6.x.) The default is to use FCAP or SLAP (see “Using PKI”); DH-CHAP must be explicitly enabled before switches will authenticate with it.

Using the authUtil command, you can control which authentication protocols are used. You can specify that FCAP only, DH-CHAP only, or either be used. If either is permitted, the default order (FCAP, then DH-CHAP) is tried, and the actual protocol is selected during dynamic negotiation between the two switches.

DH-CHAP requires a pair of shared secret keys (shared secrets) between each pair of switches authenticating with DH-CHAP. Use the secAuthSecret command to manage shared secrets. See the Fabric OS Command Reference Manual for details of the authUtil and secAuthSecret commands, and see “Configuring Switch-to-Switch Authentication” on page 2-22 for a basic procedure for configuring DH-CHAP.
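The negotiation and exchange described above, as an added example that is not Fabric OS code and not from this guide: a Python model of authUtil-style protocol selection and a mutual DH-CHAP exchange between two switches holding secAuthSecret-style secret tables. It assumes a toy Diffie-Hellman group, SHA-256, a response of the form H(challenge || secret || DH shared value), and constructed WWNs and secrets; the real FC-SP message formats, hash choices and DH groups are not reproduced. What it shows beyond the text: each direction of the exchange uses its own secret, a switch with a wrong or missing secret is rejected, and an observer of the link cannot check a guessed secret offline because the DH shared value never crosses the link.

```python
import hashlib
import hmac
import os

# Toy Diffie-Hellman group, constructed for this example (not an FC-SP group).
DH_P = 2**127 - 1
DH_G = 2


def _h(*parts: bytes) -> bytes:
    # Response function modelled as H(challenge || secret || DH shared value).
    return hashlib.sha256(b"".join(parts)).digest()


def _int_bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class Switch:
    """A switch with an authUtil-style protocol list and a secAuthSecret-style secret table."""

    def __init__(self, wwn, protocols=("FCAP", "DH-CHAP")):
        self.wwn = wwn
        self.protocols = list(protocols)  # preference order; default order is FCAP, DH-CHAP
        self.secrets = {}  # peer WWN -> {"local": this switch's secret, "peer": the peer's secret}

    def set_secret(self, peer_wwn, local, peer):
        self.secrets[peer_wwn] = {"local": local, "peer": peer}


def negotiate(initiator, responder):
    """Dynamic negotiation: first protocol in the initiator's order that the responder permits."""
    for proto in initiator.protocols:
        if proto in responder.protocols:
            return proto
    return None


def dh_chap(initiator, responder, rand=os.urandom):
    """Mutual DH-CHAP between two switches. Returns (success, transcript seen on the link)."""
    transcript = {}
    s_init = initiator.secrets.get(responder.wwn)
    s_resp = responder.secrets.get(initiator.wwn)
    if s_init is None or s_resp is None:
        return False, transcript  # no secret configured for this peer: cannot authenticate

    # Responder: challenge nonce c1 and ephemeral DH public value g^x.
    c1 = rand(16)
    x = int.from_bytes(rand(16), "big") % (DH_P - 2) + 2
    gx = pow(DH_G, x, DH_P)

    # Initiator: derives g^xy, proves knowledge of its own secret, sends g^y and a counter-challenge.
    y = int.from_bytes(rand(16), "big") % (DH_P - 2) + 2
    gy = pow(DH_G, y, DH_P)
    k_init = _int_bytes(pow(gx, y, DH_P))
    r1 = _h(c1, s_init["local"], k_init)
    c2 = rand(16)
    transcript.update(c1=c1, gx=gx, gy=gy, r1=r1, c2=c2)

    # Responder: checks r1 against its stored copy of the initiator's secret.
    k_resp = _int_bytes(pow(gy, x, DH_P))
    if not hmac.compare_digest(_h(c1, s_resp["peer"], k_resp), r1):
        return False, transcript  # unauthorized switch: wrong secret
    r2 = _h(c2, s_resp["local"], k_resp)
    transcript["r2"] = r2

    # Initiator: checks r2 against its stored copy of the responder's secret.
    ok = hmac.compare_digest(_h(c2, s_init["peer"], k_init), r2)
    return ok, transcript


def eavesdropper_can_verify(transcript, guessed_secret):
    """An observer sees c1, g^x, g^y and r1 but never g^xy, so a guessed secret cannot be checked."""
    for public_value in (transcript["gx"], transcript["gy"]):
        if _h(transcript["c1"], guessed_secret, _int_bytes(public_value)) == transcript["r1"]:
            return True
    return False


if __name__ == "__main__":
    # Constructed WWNs and secrets for the demonstration.
    sw_a = Switch("10:00:00:05:1e:00:00:01", protocols=("DH-CHAP",))
    sw_b = Switch("10:00:00:05:1e:00:00:02")
    secret_a, secret_b = b"secret-known-as-A", b"secret-known-as-B"
    sw_a.set_secret(sw_b.wwn, local=secret_a, peer=secret_b)
    sw_b.set_secret(sw_a.wwn, local=secret_b, peer=secret_a)
    print("negotiated:", negotiate(sw_a, sw_b))
    ok, t = dh_chap(sw_a, sw_b)
    print("mutual auth:", ok, "| offline guess of A's secret verifiable:", eavesdropper_can_verify(t, secret_a))
```

Note that both secrets of a pair must be entered on both switches: a switch whose copy of the peer's secret is wrong will accept nothing from that peer, and a switch whose own secret differs from what the peer stored is rejected as unauthorized, which is the behaviour the paragraph relies on to keep rogue switches out of the fabric.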
Fabric Configuration Server Switches

Fabric configuration server (FCS) switches are one or more switches that are specified as “trusted” switches for managing Secure Fabric OS. These switches should be both electronically and physically secure. At least one FCS switch must be specified to act as the primary FCS switch, and one or more backup FCS switches are recommended to provide failover ability in case the primary FCS switch fails.

If your primary FCS switch runs Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, or v5.2.0, you should not use a Fabric OS v2.6.2 switch (or a switch running older versions of Fabric OS v3.x.x or v4.x.x) as a backup FCS switch. Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 introduce features, such as a larger secure database (128K in v3.2.0 and 256K in v4.4.0, v5.0.1, v5.1.0, and v5.2.0), multiple user accounts (MUA), RADIUS, password policies, and an SSL certificate, all of which are not supported by older releases.

FCS switches are specified by listing their WWNs in a specific policy called the FCS policy. The first switch that is listed in this policy and participating in the fabric acts as the primary FCS switch; it distributes the following information to the other switches in the fabric:
• Zoning configuration
• Secure Fabric OS policies
• Fabric password database
• SNMP community strings
• System date and time

When secure mode is enabled, only the primary FCS switch can propagate management changes to the fabric. When a new switch joins the fabric, the primary FCS switch verifies the digital certificate; then it provides the current configuration, overwriting the existing configuration of the new switch.
Note
The role of the FCS switch is separate from the role of the principal switch, which assigns domain IDs. The role of the principal switch is not affected by whether secure mode is enabled.
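The FCS policy rules of this section, as an added example that is not Fabric OS code and not from this guide: a Python model of primary selection (the first WWN in the policy that is participating in the fabric), failover to the next listed switch when the primary leaves, the rule that only the primary may propagate management changes in secure mode, and a policy check for the backup-version caveat. WWNs and version strings are constructed. The version test treats v2.6.x, 3.x releases before v3.2.0 and 4.x releases before v4.4.0 as lacking the larger secure database, MUA, RADIUS, password policies and SSL certificate; that is this example's reading of the paragraph, not a Fabric OS compatibility table, and the behaviour with secure mode off is likewise an assumption.

```python
# What the primary FCS switch distributes to the rest of the fabric (from the list above).
DISTRIBUTED_BY_PRIMARY = (
    "zoning configuration",
    "Secure Fabric OS policies",
    "fabric password database",
    "SNMP community strings",
    "system date and time",
)


def _ver(version: str) -> tuple:
    return tuple(int(p) for p in version.split("."))


def lacks_new_secure_features(version: str) -> bool:
    """v2.6.x, or 3.x older than v3.2.0, or 4.x older than v4.4.0 (this example's reading of the text)."""
    v = _ver(version)
    return v[0] == 2 or (v[0] == 3 and v < (3, 2, 0)) or (v[0] == 4 and v < (4, 4, 0))


def primary_fcs(fcs_policy, participating):
    """The first WWN listed in the FCS policy that is currently in the fabric is the primary."""
    for wwn in fcs_policy:
        if wwn in participating:
            return wwn
    return None


def backup_fcs(fcs_policy, participating):
    """Remaining listed switches that are present, in policy order (failover candidates)."""
    primary = primary_fcs(fcs_policy, participating)
    return [wwn for wwn in fcs_policy if wwn in participating and wwn != primary]


def may_propagate_change(source_wwn, fcs_policy, participating, secure_mode=True):
    """In secure mode only the primary FCS switch may push management changes to the fabric."""
    if not secure_mode:
        return True  # assumption: without secure mode the FCS restriction is not enforced
    return source_wwn == primary_fcs(fcs_policy, participating)


def check_fcs_policy(fcs_policy, versions):
    """Warnings for a proposed FCS policy; versions maps WWN -> Fabric OS version string."""
    if not fcs_policy:
        return ["at least one FCS switch must be specified to act as primary"]
    warnings = []
    if len(fcs_policy) == 1:
        warnings.append("no backup FCS switch listed: add one or more for failover")
    primary = fcs_policy[0]
    if primary in versions and not lacks_new_secure_features(versions[primary]):
        for backup in fcs_policy[1:]:
            if backup in versions and lacks_new_secure_features(versions[backup]):
                warnings.append(
                    f"backup {backup} runs Fabric OS v{versions[backup]}: it cannot hold the "
                    f"primary's larger secure database, MUA, RADIUS, password policies or SSL certificate"
                )
    return warnings


if __name__ == "__main__":
    # Constructed WWNs and versions for the demonstration.
    policy = ["10:00:00:05:1e:00:00:01", "10:00:00:05:1e:00:00:02", "10:00:00:05:1e:00:00:03"]
    versions = {policy[0]: "5.2.0", policy[1]: "2.6.2", policy[2]: "4.4.0"}
    fabric = set(policy)
    print("primary:", primary_fcs(policy, fabric), "backups:", backup_fcs(policy, fabric))
    fabric.discard(policy[0])  # primary fails
    print("after failover, primary:", primary_fcs(policy, fabric))
    print("can", policy[2], "propagate?", may_propagate_change(policy[2], policy, fabric))
    for w in check_fcs_policy(policy, versions):
        print("warning:", w)
```

Because primary selection is by policy order among switches that are actually present, the order in which WWNs are listed is the failover order; the check above flags a policy whose second or later entry is an old release that would take over from a v3.2.0 or later primary.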