HP StorageWorks 2/16V Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 55

Secure Fabric OS Administrator’s Guide

3-5

Publication Number: 53-1000244-01

3

2.

Ensure that any zoning configuration downloads have completed on all switches in the fabric.

For information specific to zoning, see the

Advanced Zoning User’s Guide

for Fabric OS v2.6.x and

v3.2.x, the

Fabric OS Procedures Guide

for Fabric OS v4.4.x, or the

Fabric OS Administrator’s

Guide

for Fabric OS v5.0.1, v5.1.0, or v5.2.0.

3.

Open a sectelnet or SSH connection to the switch that will be the primary FCS switch.

The login prompt is displayed.

4.

Log in to the switch.

5.

Terminate any other sectelnet or SSH connections to the fabric (when using the

secModeEnable

command, no other sessions should be active) and ensure that any other commands entered in the

current session have completed.

6.

Use the

secModeEnable

command to enable secure mode.

Several optional arguments are available. This step illustrates three forms of the command:

•

Type

secmodeenable --quickmode

.

•

Type

secmodeenable

.

This version invokes the command’s interactive mode; then, identify each FCS switch at the

prompts (as shown in the next example). Press

Enter

with no data to end the FCS list.

•

Type

secmodeenable "

fcsmember;...;fcsmember

"

.

fcsmember

is the domain ID, WWN, or switch name of the primary and backup FCS switches,

with the primary FCS switch listed first.

See the

Fabric OS Command Reference

for other forms of the

secModeEnable

command.

Note

Most Secure Fabric OS commands must be executed on the primary FCS switch. The

secModeEnable

command must be entered from a sectelnet or SSH connection.

Note

The

secModeEnable

command might fail if a switch running Fabric OS v2.6.x is in

the fabric. Fabric OS v2.6.x supports a maximum security database size of 16 Kb. If

you use

--lockdown=dcc

or

--quickmode

, a security database greater than 16 Kb

can be created. Enable security successful using other

secModeEnable

operands.

See the

Fabric OS Command Reference

for detailed command and operand

information.

Do not use the

secModeEnable --currentpwd

command until the passwords are

changed from the factory defaults by answering the password prompts during the

login.

Do not use

secModeEnable --quickmode

in Fabrics with a fibre channel router

connected.

Section	Page
About This Document	5
Chapter 1 Introducing Secure Fabric OS	5
Chapter 2 Preparing the Fabric for Secure Fabric OS	5
Chapter 3 Enabling Secure Fabric OS and Creating Policies	6
Chapter 4 Managing Secure Fabric OS	7
Appendix A Removing Secure Fabric OS Capability	7
Appendix B Secure Fabric OS Commands and Secure Mode Restrictions	7
Index	7
About This Document	9
How This Document Is Organized	9
Supported Hardware and Software	10
What’s New in This Document	10
Document Conventions	11
Text Formatting	11
Notes, Cautions, and Warnings	11
Key Terms	12
Additional Information	12
Brocade Resources	12
Other Industry Resources	14
Getting Technical Help	15
Document Feedback	16
Introducing Secure Fabric OS	17
Management Channel Security	18
Switch-to-Switch Authentication	19
Using PKI	19
Using DH-CHAP	20
Fabric Configuration Server Switches	20
Fabric Management Policy Set	21
Preparing the Fabric for Secure Fabric OS	23
Prerequisites for a Secure Fabric Environment	23
Verifying Compatible Fabric OS Version	24
Verifying or Activating Secure Fabric OS and Advanced Zoning Licenses	25
Verifying the Digital Certificate	26
Displaying the Digital Certificate Status	26
Creating PKI Objects	27
Removing PKI Objects	28
Obtaining the Digital Certificate File	29
Configuring Switch-to-Switch Authentication	44
Selecting Authentication Protocols	45
Managing Shared Secrets	46
Preparing SilkWorm 24000 for Secure Fabric OS	48
Installing a Supported CLI Client on a Workstation	50
Enabling Secure Fabric OS and Creating Policies	51
Prerequisites to Enabling Secure Mode	51
Default Fabric and Switch Accessibility	52
Enabling Secure Mode	52
Modifying the FCS Policy	58
Changing the Position of a Switch Within the FCS Policy	59
Failing Over the Primary FCS Switch	60
Creating Secure Fabric OS Policies Other Than the FCS Policy	61
Creating a MAC Policy	62
Creating an Options Policy	70
Creating a DCC Policy	71
Creating an SCC Policy	74
Managing Secure Fabric OS Policies	75
Saving Changes to Secure Fabric OS Policies	76
Activating Changes to Secure Fabric OS Policies	77
Adding a Member to an Existing Policy	77
Removing a Member from a Policy	78
Deleting a Policy	78
Aborting All Uncommitted Changes	79
Aborting a Secure Fabric OS Transaction	79
Managing Secure Fabric OS	81
Viewing Secure Fabric OS Information	81
Displaying General Secure Fabric OS Information	82
Viewing the Secure Fabric OS Policy Database	82
Displaying Individual Secure Fabric OS Policies	83
Displaying Status of Secure Mode	84
Displaying and Resetting Secure Fabric OS Statistics	85
Displaying Secure Fabric OS Statistics	86
Resetting Secure Fabric OS Statistics	87
Managing Passwords	88
Modifying Passwords in Secure Mode	90
Using Temporary Passwords	91
Resetting the Version Number and Time Stamp	92
Adding Switches and Merging Fabrics with Secure Mode Enabled	93
Preventing a LUN Connection	97
Troubleshooting	97
Removing Secure Fabric OS Capability	103
Preparing the Fabric for Removal of Secure Fabric OS Policies	103
Disabling Secure Mode	104
Deactivating the Secure Fabric OS License on Each Switch	105
Uninstalling Related Items from the Host	105
Secure Fabric OS Commands and Secure Mode Restrictions	107
Secure Fabric OS Commands	107
Command Restrictions in Secure Mode	112
Zoning Commands	112
Miscellaneous Commands	113
Index	115
A	115
C	115
D	116
E	116
F	116
H	116
I	116
J	116
L	116
M	116
N	116
O	117
P	117
R	117
S	117
T	118
U	118
V	118
W	118

HP StorageWorks 2/16V Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 55

Advanced Zoning User's Guide, Fabric OS Procedures Guide, Fabric OS Administrator's, Guide, fcsmember

Page 55 highlights