HP StorageWorks 2/16V Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 67

API Policy, To create an API policy

Page 67 highlights

API Policy

The API policy can be used to specify which workstations can use API to access the fabric and which ones can write to the primary FCS switch.

The policy is named API_POLICY and contains a list of the IP addresses that are allowed to establish an API connection to switches in the fabric. Table 3-6 displays the possible API policy states.

Table 3-6 API Policy States

Policy State             Characteristics
No policy                All workstations can establish an API connection to any switch in the fabric.
Policy with no entries   No host can establish an API connection to any switch in the fabric.
Policy with entries      Only specified hosts can establish an API connection to any switch in the fabric, and write operations can only be performed on the primary FCS switch.

To create an API policy

1. From a sectelnet or SSH session, log in to the primary FCS switch as admin.
2. Type secPolicyCreate "API_POLICY", "member;...;member".
   member is one or more IP addresses in dot-decimal notation. "0" can be entered in an octet to indicate that any number can be matched in that octet.
3. To save or activate the new policy, enter either the secPolicySave or the secPolicyActivate command.
   If neither of these commands is entered, the changes are lost when the session is logged out. For more information about these commands, see "Saving Changes to Secure Fabric OS Policies" on page 3-26 and "Activating Changes to Secure Fabric OS Policies" on page 3-27.

For example, to create an API policy to allow anyone on the network with an IP address of 192.168.5.0 (where "0" can be any number) to establish an API connection to any switch in the fabric:

    primaryfcs:admin> secpolicycreate "API_POLICY", "192.168.5.0"
    API_POLICY has been created.

SES Policy

The SES policy can be used to restrict which devices can be managed by SES commands. The policy is named SES_POLICY and contains a list of device port WWNs that are allowed to access SES and from which SES commands are accepted and acted upon.

If secure mode is enabled, the SES client must be directly attached to the primary FCS switch. Then the SES client can be used to manage all the switches in the fabric through the SES product for SilkWorm switches. Refer to the SES User's Guide for more information.

The current SES implementation does not support the SES commands Read Buffer or Write Buffer for remote switches. To direct these commands to a switch that is not the primary FCS switch, designate that switch as the primary FCS switch and attach the SES client directly to it.

Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 3-17
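The API_POLICY rules above (the three policy states in Table 3-6 and the "0" octet wildcard) can be modelled offline to check a member list before it is saved or activated. This is an added example, not Fabric OS code or part of the guide; all function names and the max_hosts threshold are hypothetical, and the matching follows only the rule as stated on this page.

```python
# Added example: models the API_POLICY matching rules as this page states them.
# Not Fabric OS code; every function name here is hypothetical.

def parse_member(member):
    """Split a dot-decimal address into four ints (0-255); raise if malformed."""
    parts = member.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not dot-decimal: {member!r}")
    octets = tuple(int(p) for p in parts)
    if any(o > 255 for o in octets):
        raise ValueError(f"octet out of range: {member!r}")
    return octets

def parse_policy(member_string):
    """Parse the "member;...;member" argument into a list of octet tuples."""
    return [parse_member(m) for m in member_string.split(";") if m.strip()]

def member_matches(member, host):
    """A 0 octet in the member matches any value in that position."""
    return all(m == 0 or m == h for m, h in zip(member, host))

def api_connection_allowed(policy, host_ip):
    """policy is None (no policy), [] (policy with no entries) or a member list."""
    if policy is None:
        return True  # Table 3-6: no policy, all workstations can connect
    host = parse_member(host_ip)
    # An empty list yields False: policy with no entries, no host can connect.
    return any(member_matches(m, host) for m in policy)

def wildcard_breadth(member):
    """Number of addresses one member admits: 256 per wildcard (0) octet."""
    return 256 ** sum(1 for o in member if o == 0)

def review_policy(member_string, max_hosts=256):
    """Return members admitting more than max_hosts addresses, for review."""
    return [".".join(map(str, m)) for m in parse_policy(member_string)
            if wildcard_breadth(m) > max_hosts]

if __name__ == "__main__":
    policy = parse_policy("192.168.5.0")  # the member from the page's example
    print(api_connection_allowed(policy, "192.168.5.77"))
    print(api_connection_allowed(policy, "192.168.6.77"))
    print(review_policy("192.168.5.0;10.0.0.0"))  # second member is constructed
```

Under the rule as stated, a member such as 10.0.1.5 also treats its second octet as a wildcard, so addresses containing a literal 0 octet are worth checking with wildcard_breadth before the policy is activated.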

