Home » HP Manuals » Storage Devices » HP StorageWorks 2/16V » Manual Viewer

HP StorageWorks 2/16V HP StorageWorks Fabric OS 5.X Procedures User Guide (AA- - Page 46

Configuring the RADIUS server, display a switch IP address.

View all HP StorageWorks 2/16V manuals

Add to My Manuals
Save this manual to your list of manuals

Page 46 highlights

Configure at least two RADIUS servers so that if one fails, the other assumes service. You can set the configuration with both RADIUS service and local authentication enabled so that if all RADIUS servers do not respond (because of power failure or network problems), the switch uses local authentication. Consider the following effects of the use of RADIUS service on other Fabric OS features: • When RADIUS service is enabled, all account passwords must be managed on the RADIUS server. The Fabric OS mechanisms for changing switch passwords remain functional; however, such changes affect only the involved switches locally. They do not propagate to the RADIUS server, nor do they affect any account on the RADIUS server. When RADIUS is set up for a fabric that contains a mix of switches with and without RADIUS support, the way a switch authenticates users depends on whether a RADIUS server is set up for that switch. For a switch with RADIUS support and configuration, authentication bypasses the local password database. For a switch without RADIUS support or configuration, authentication uses the switch's local account names and passwords. • When Secure Fabric OS secure mode is enabled, the following behaviors apply: • Account passwords stored in the switch-local password database are distributed among all switches in the same fabric. RADIUS configuration is not affected. • There are separate admin and nonfcsadmin roles in secure mode. A nonfcsadmin account on a RADIUS server cannot access FCS switches, even if the account is properly authenticated. • If a nonfcsadmin account on a RADIUS server logs in to a switch in nonsecure mode, the switch grants the user admin role privileges. • The following behaviors apply to Advanced Web Tools: • Advanced Web Tools client and server keep a session open after a user is authenticated. A password change on a switch invalidates an open session and requires the user to log in again. When integrated with RADIUS, a switch password change on the RADIUS server does not invalidate an existing open session, although a password change on the local switch does. • If you cannot log in because of a RADIUS server connection problem, Advanced Web Tools displays a message indicating server outage. Configuring the RADIUS server You must know the switch IP address or name to connect to switches. Use the ipAddrShow command to display a switch IP address. For HP StorageWorks SAN Directors (chassis-based systems), the switch IP addresses are aliases of the physical Ethernet interfaces on the CP blades. When specifying client IP addresses for the logical switches in such systems, use the CP blade IP addresses. For accessing both the active and standby CP blade, and for the purpose of HA failover, both of the CP blade IP addresses should be included in the RADIUS server configuration. User accounts should be set up by their true network-wide identity, rather than by the account names created on a Fabric OS switch. Along with each account name, assign appropriate switch access roles. To manage a nonsecure fabric, these roles can be user or admin. To manage a secure fabric, these roles can be user, admin, or nonfcsadmin. When they log in to a switch configured with RADIUS, users enter their assigned RADIUS account names and passwords at the prompt. After RADIUS server authenticates a user, it responds with the assigned switch role in an HP Vendor-Specific Attribute (VSA), as defined in the RFC. An Authentication-Accept response without such VSA role assignment, assigns the user role. The following sections describe how to configure a RADIUS server to support HP clients under different operating systems. 46 Configuring standard security features

Section	Page
Contents	3
Intended audience	13
Related documentation	13
HP StorageWorks Fabric OS 5.x master glossary	13
Document conventions and symbols	14
Table 1 Document conventions	14
HP technical support	14
HP-authorized reseller	15
Helpful web sites	15
Introducing Fabric OS CLI procedures	17
About procedural differences	17
Scope and references	17
About the CLI	18
Help information	18
Displaying command help	18
Additional help topics	19
Performing basic configuration tasks	21
Connecting to the Command Line Interface	21
Setting the IP address	22
Setting the default account passwords	22
Table 2 Maximum number of simultaneous sessions	22
Setting the date and time	24
Table 3 Conversion from UTC to local time	26
Maintaining licensed features	26
Customizing the switch name	28
Customizing the chassis name	29
Disabling and enabling a switch	29
Disabling and enabling a port	30
Activating Ports on Demand	30
Making basic connections	31
Connecting to devices	31
Connecting to other switches	31
Working with domain IDs	32
Linking through a gateway	33
Checking status	34
Tracking and controlling switch changes	35
Configuring standard security features	39
Secure protocols	39
Table 4 Secure protocol support	39
Table 5 Items needed to deploy secure protocols	39
Table 6 Main security scenarios	40
Ensuring network security	40
Configuring the telnet interface	41
Blocking listeners	42
Table 7 Blocked listener applications	42
Accessing switches and fabrics	42
Table 8 Access defaults	42
Creating and maintaining user-defined accounts	43
Changing an account password	45
Setting up RADIUS AAA service	45
Configuring the RADIUS server	46
Configuring the switch	50
Enabling and disabling local authentication	52
Configuring for the SSL protocol	52
Browser and Java support	53
Summary of SSL procedures	53
Table 9 SSL certificate files	53
Choosing a CA	54
Generating a public/private key	54
Generating and storing a CSR	54
Obtaining certificates	55
Installing a switch certificate	55
Activating a switch certificate	56
Configuring the browser	56
Installing a root certificate to the Java Plug-in	57
Displaying and deleting certificates	57
Table 10 Commands to display and delete SSL certificates	57
Troubleshooting certificates	58
Table 11 SSL messages and actions	58
Configuring SNMP agent and traps	58
Setting the security level	59
Using the snmpConfig command	59
Using legacy commands for SNMPv1	62
Configuring secure file copy	67
Setting the boot PROM password	67
Without a recovery string	69
Recovering forgotten passwords	71
Maintaining configurations and firmware	73
Maintaining configurations	73
Displaying configuration settings	73
Backing up a configuration	73
Restoring a configuration	74
Restoring configurations in a FICON environment	75
Table 12 Backup and restore in a FICON CUP environment	75
Downloading configurations across a fabric	76
Printing hard copies of switch information	76
Maintaining firmware	76
Obtaining and unzipping firmware	76
Checking connected switches	77
Table 13 Recommended firmware	78
About the download process	78
Table 14 Effects of firmware changes on accounts and passwords	79
Upgrading HP StorageWorks switches	79
Upgrading HP StorageWorks directors	82
Troubleshooting firmware downloads	85
Configuring Core Switch 2/64, SAN Director 2/128, and 4/256 SAN Director	87
Identifying ports	87
By slot and port number	87
By port area ID	88
Basic blade management	88
Powering port blades off and on	88
Disabling and enabling port blades	89
Conserving power	89
Blade terminology and compatibility	89
Table 15 HP StorageWorks director terminology and abbreviations	90
CP blades	90
Port blade compatibility	91
Table 16 Blades supported by each HP StorageWorks director	91
Setting chassis configurations	91
Table 17 Supported configuration options	91
Obtaining slot information	92
Configuring a new SAN Director 2/128 with two domains	93
Converting an installed SAN Director 2/128 to support two domains	94
Setting the blade beacon mode	95
Routing traffic	97
About data routing and routing policies	97
Specifying the routing policy	97
Assigning a static route	98
Specifying frame order delivery	98
Using DLS	99
Viewing routing path information	100
Viewing routing information along a path	102
Administering FICON fabrics	105
FICON overview	105
Table 18 Fabric OS commands related to FICON and FICON CUP	107
Configuring switches	108
Preparing a switch	108
Configuring a single switch	108
Configuring a high-integrity fabric	109
Figure 1 Cascaded configuration with two switches	109
Figure 2 Cascaded configuration with three switches	109
Setting a unique domain ID	109
Displaying information	110
Link incidents	110
Registered listeners	110
Node identification data	110
FRU failures	111
Swapping ports	111
Clearing the FICON management database	111
Using FICON CUP	111
Setup summary	112
Enabling and disabling FMS mode	112
Displaying the fmsmode setting	113
Displaying mode register bit settings	113
Table 19 FICON CUP mode register bits	114
Setting mode register bits	114
Persistently enabling and disabling ports	115
Port and switch naming standards	116
Adding and removing FICON CUP licenses	116
Zoning and PDCM considerations	116
Backing up and restoring configurations	116
Troubleshooting	116
Identifying ports	117
Backing up FICON files	118
Recording configuration information	118
Figure 3 FICON switch configuration worksheet	119
Configuring the Distributed Management Server	123
Enabling and disabling the platform services	123
Controlling access	124
Configuring the server database	126
Controlling topology discovery	127
Working with diagnostic features	129
Viewing POST	129
Viewing switch status	130
Viewing port information	132
Table 20 Port error summary description	134
Viewing equipment status	135
Viewing the system message log	136
Viewing the port log	137
Table 21 Commands for port log management	137
Configuring for syslogd	138
Configuring the host	138
Table 22 Fabric OS and UNIX message severities	138
Configuring the switch	139
Viewing and saving diagnostic information	140
Setting up automatic trace dump transfers	140
Troubleshooting	143
Most common problem areas	143
Table 23 Common troubleshooting problems and tools	143
Gathering information for technical support	144
Troubleshooting questions	144
Analyzing connection problems	145
Restoring a segmented fabric	148
Correcting zoning setup issues	149
Table 24 Types of zone discrepancies	149
Table 25 Commands for debugging zoning	150
Recognizing MQ errors	151
Correcting I2C bus errors	151
Correcting device login issues	152
Identifying media-related issues	155
Table 26 Component test descriptions	156
Table 27 Switch component tests	157
Correcting link failures	157
Table 28 Switchshow output and suggested action	159
Correcting marginal links	159
Table 29 Loopback modes	160
Inaccurate information in the system message log	161
Port initialization and FCP auto-discovery process	161
Administering extended fabrics	163
About extended link buffer allocation	163
SAN Switch 2/8V, SAN Switch 2/16V, and SAN Switch 2/32, Core Switch 2/64, SAN Director 2/128, and 4/256 SAN Director (FC2-16 port blades)	163
Brocade 4Gb SAN Switch for HP p-Class BladeSystem, SAN Switch 4/32, and 4/256 SAN Director (FC4-16 and FC4-32 port blades)	163
Fabric considerations	163
Choosing an extended ISL mode	164
Table 30 Extended ISL modes: switches with Bloom ASIC	164
Table 31 Extended ISL modes: switches with Goldeneye ASIC	164
Table 32 Extended ISL modes: switches with Condor ASIC.	165
Configuring an extended ISL	165
Trunking over distance	166
Administering ISL trunking	167
About ISL trunking	167
Figure 4 Distribution of traffic over ISL trunking groups	167
Standard trunking criteria	168
Fabric considerations	168
Initializing trunking on ports	169
Monitoring traffic	169
Enabling and disabling ISL trunking	171
Setting port speeds	171
Displaying trunking information	173
Trunking over extended fabrics	173
Troubleshooting trunking problems	174
Listing link characteristics	174
Recognizing buffer underallocation	174
Administering advanced zoning	177
Zoning terminology	177
Figure 5 Zoning example	177
Zoning concepts	178
Zone types	178
Table 33 Types of zoning	178
Table 34 Approaches to fabric-based zoning	179
Zone objects	179
Zone aliases	180
Zone configurations	180
Zoning enforcement	181
Table 35 Enforcing hardware zoning	182
Figure 6 Hardware-enforced non-overlap ping zones	183
Figure 7 Hardware-enforced overlapping zones	183
Figure 8 Zoning with hardware assist (mixed-port and WWN zones)	184
Figure 9 Session-based hard zoning	184
Rules for configuring zones	184
Creating and managing zone aliases	185
Creating and maintaining zones	187
Table 36 Resulting database size: 0 to 96K	189
Table 37 Resulting database size: 96K to 128K	189
Table 38 Resulting database size: 128K to 256K	190
Table 39 Resulting database size: 256K to 1M	190
Creating and modifying zoning configurations	190
Maintaining zone objects	193
Managing zoning configurations in a fabric	195
Table 40 Zoning database limitations	195
Adding a new switch or fabric	195
Splitting a fabric	197
Using zoning to administer security	197
Resolving zone conflicts	197
Table 41 Considerations for zoning architecture	198
Administering advanced performance monitoring	199
Table 42 Advanced performance monitoring commands	199
Displaying and clearing the CRC error count	200
Monitoring EE performance	201
Adding EE monitors	201
Figure 10 Setting EE monitors on a port	202
Figure 11 Proper placement of EE performance monitors	202
Setting a mask for EE monitors	202
Figure 12 Mask positions for EE monitors	203
Deleting EE monitors	204
Monitoring filter-based performance	204
Adding standard filter-based monitors	205
Table 43 Commands to add filter-based monitors	205
Adding custom filter-based monitors	205
Table 44 Predefined values at offset 0	206
Monitoring ISL performance	207
Monitoring trunks	207
Displaying monitor counters	207
Clearing monitor counters	209
Saving and restoring monitor configurations	211
Collecting performance data	211
Configuring the PID format	213
About PIDs and PID binding	213
Summary of PID formats	213
Impact of changing the fabric PID format	213
Host reboots	214
Static PID mapping errors	214
Changes to configuration data	214
Table 45 Effects of PID format changes on configurations	215
Selecting a PID format	215
Table 46 PID format recommendations for adding new switches	216
Evaluating the fabric	216
Planning the update procedure	218
Online update	218
Offline update	218
Hybrid update	219
Changing to Core PID format	219
Changing to Extended Edge PID format	220
Table 47 Earliest Fabric OS versions for Extended Edge PID format	220
Converting port number to area ID	222
Figure 13 4/256 SAN Director with Extended Edge PID	223
PID format changes	224
Executing the basic procedure	224
Executing the HP-UX procedure	225
Executing the AIX procedure	227
Swapping port area IDs	227
Configuring interoperability mode	229
Using the HP Remote Switch feature	231
Understanding legacy password behavior	233
Password management information	233
Table 48 Account and password characteristics matrix	233
Password prompting behaviors	234
Table 49 Password prompting matrix	234
Password migration during firmware changes	235
Table 50 Password migration behavior during firmware upgrade and downgrade	235
Password recovery options	236
Table 51 Password recovery options	236
Zone merging scenarios	237
Table 52 Zone merging scenarios	237
Upgrading firmware in single-CP mode	239
Index	243
A	243
B	243
C	243
D	244
E	244
F	244
G	245
H	245
I	245
J	245
K	245
L	245
M	245
N	245
O	245
P	245
R	246
S	246
T	247
U	247
V	247
W	247

Match case Limit results 1 per page

Configuring standard security features

Configure at least two RADIUS servers so that if one fails, the other assumes service. You can set the

configuration with both RADIUS service and local authentication enabled so that if all RADIUS servers do

not respond (because of power failure or network problems), the switch uses local authentication.

Consider the following effects of the use of RADIUS service on other Fabric OS features:

•

When RADIUS service is enabled, all account passwords must be managed on the RADIUS server. The

Fabric OS mechanisms for changing switch passwords remain functional; however, such changes

affect only the involved switches locally. They do not propagate to the RADIUS server, nor do they

affect any account on the RADIUS server.

When RADIUS is set up for a fabric that contains a mix of switches with and without RADIUS support,

the way a switch authenticates users depends on whether a RADIUS server is set up for that switch. For

a switch with RADIUS support and configuration, authentication bypasses the local password

database. For a switch without RADIUS support or configuration, authentication uses the switch’s local

account names and passwords.

•

When Secure Fabric OS secure mode is enabled, the following behaviors apply:

•

Account passwords stored in the switch-local password database are distributed among all

switches in the same fabric. RADIUS configuration is not affected.

•

There are separate admin and nonfcsadmin roles in secure mode. A nonfcsadmin account on a

RADIUS server cannot access FCS switches, even if the account is properly authenticated.

•

If a nonfcsadmin account on a RADIUS server logs in to a switch in nonsecure mode, the switch

grants the user admin role privileges.

•

The following behaviors apply to Advanced Web Tools:

•

Advanced Web Tools client and server keep a session open after a user is authenticated. A

password change on a switch invalidates an open session and requires the user to log in again.

When integrated with RADIUS, a switch password change on the RADIUS server does not

invalidate an existing open session, although a password change on the local switch does.

•

If you cannot log in because of a RADIUS server connection problem, Advanced Web Tools

displays a message indicating server outage.

Configuring the RADIUS server

You must know the switch IP address or name to connect to switches. Use the

ipAddrShow

command to

display a switch IP address.

For HP StorageWorks SAN Directors (chassis-based systems), the switch IP addresses are aliases of the

physical Ethernet interfaces on the CP blades. When specifying client IP addresses for the logical switches

in such systems, use the CP blade IP addresses. For accessing both the active and standby CP blade, and

for the purpose of HA failover, both of the CP blade IP addresses should be included in the RADIUS server

configuration.

User accounts should be set up by their true network-wide identity, rather than by the account names

created on a Fabric OS switch. Along with each account name, assign appropriate switch access roles.

To manage a nonsecure fabric, these roles can be user or admin. To manage a secure fabric, these roles

can be user, admin, or nonfcsadmin.

When they log in to a switch configured with RADIUS, users enter their assigned RADIUS account names

and passwords at the prompt. After RADIUS server authenticates a user, it responds with the assigned

switch role in an HP Vendor-Specific Attribute (VSA), as defined in the RFC. An Authentication-Accept

response without such VSA role assignment, assigns the user role.

The following sections describe how to configure a RADIUS server to support HP clients under different

operating systems.