HP StorageWorks 2/24 FW 07.00.00/HAFM SW 08.06.00 McDATA Products in a SAN Env - Page 223
Physical Planning Considerations 5

The fabric element transmits a random value (used only once), an ID value (incremented at each login), and a shared CHAP secret (16-byte random value) to the server. The server concatenates the random value, ID value, and CHAP secret, and calculates a one-way message digest (also called a hash value). The hash value is transmitted to the authenticator (fabric element). The fabric element then builds the same concatenated string and compares the result with the value received from the server. If the values match, the connection is authenticated.

• Port DHCHAP authentication - Enhanced security for device connections and ISLs is provided through Diffie-Hellman challenge handshake authentication protocol (DHCHAP). A fabric element uses DHCHAP to authenticate any device (node) that attempts a node port (N_Port) connection and any director or switch that attempts an expansion port (E_Port) connection. This ensures only authorized devices can be added to the fabric. DHCHAP is an authentication protocol based on transmission of a one-way hash value (comprised of a sequentially-incremented ID value and CHAP secret). Because the hash cannot be reversed to discover the CHAP secret, the protocol provides protection from discovery through the network.

• CT authentication - Common transport (CT) authentication authorizes management server access to fabric elements through the open-system management server (OSMS) interface. The feature is software-enforced and allows an attached fabric to authenticate the OSMS management application. A single shared secret is configured for each fabric-attached director or switch (because OSMS is a fabric service that assumes all attached fabric elements are authenticated). The same secret is used by the management application.

• PCP user database - All authentication users are configured in a product control point (PCP) user database. The database includes usernames, passwords, and authorized interfaces for management server and device access. The database controls password authentication for Enterprise Fabric Connectivity Manager (EFCM), SANavigator, CLI, and SANpilot management interfaces. The database also controls CHAP and CT authentication for Fibre Channel ports.
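The challenge, digest and compare steps described in the first paragraph on this page, as an added example (not code from the HP/McDATA manual or firmware). It assumes the CHAP secret is already configured on both sides, uses SHA-256 as a stand-in because the page names no hash function, and follows the page's concatenation order; all class and function names are hypothetical.

```python
import hashlib
import hmac
import os

def chap_digest(nonce: bytes, ident: int, secret: bytes) -> bytes:
    # Order follows the page: random value, ID value, CHAP secret.
    # SHA-256 is an assumption; the page does not name the hash function.
    return hashlib.sha256(nonce + bytes([ident]) + secret).digest()

class FabricElement:
    """Authenticator side (hypothetical model of the fabric element)."""

    def __init__(self, secret: bytes):
        self._secret = secret      # assumed pre-configured, 16 random bytes
        self._next_id = 0
        self._pending = {}         # ID value -> outstanding random value

    def challenge(self):
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256   # incremented at each login
        nonce = os.urandom(16)                      # used only once
        self._pending[ident] = nonce
        return ident, nonce

    def verify(self, ident: int, response: bytes) -> bool:
        # pop() retires the random value, so a replayed response fails.
        nonce = self._pending.pop(ident, None)
        if nonce is None:
            return False
        expected = chap_digest(nonce, ident, self._secret)
        return hmac.compare_digest(expected, response)  # constant-time compare

def login(element: FabricElement, server_secret: bytes):
    """Run one login; return (accepted, replay_accepted, ID value used)."""
    ident, nonce = element.challenge()
    response = chap_digest(nonce, ident, server_secret)   # server side
    accepted = element.verify(ident, response)
    replayed = element.verify(ident, response)            # same bytes again
    return accepted, replayed, ident

if __name__ == "__main__":
    secret = os.urandom(16)                 # constructed sample secret
    fabric = FabricElement(secret)
    print(login(fabric, secret))            # matching secret
    print(login(fabric, os.urandom(16)))    # wrong secret
```

Retiring the random value on first use is what makes a captured response worthless on a later login, and the constant-time comparison avoids leaking how many digest bytes matched.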