HP StorageWorks 2/32 Brocade Secure Fabric OS Administrator's Guide (53-100024
HP StorageWorks 2/32 - SAN Switch Manual
HP StorageWorks 2/32 manual content summary:
- HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 1
Secure Fabric OS Administrator's Guide Supporting Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, 5.2.0 Publication Number: 53-1000244-01 Publication Date: 09/29/2006 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 2
service names are or may be trademarks or service marks of, and are used to identify, products or services of source code, please visit http://www.brocade.com/support/oscd. Export of technical data contained implement a more secure storage area network ("SAN"), as part of your overall network and - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 3
Communications Systems, Incorporated Corporate Headquarters Brocade Communications Systems, Inc. 1745 Technology Drive San Jose, CA 95110 Tel: 1-408-333-8000 Fax: 1-408-333-8101 Email: [email protected] European and Latin American Headquarters Brocade Communications Switzerland Sàrl Centre Swissair - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 4
content. July 2005 53-10000048-01 53-10000048-02 Add Silkworm 4900 and 7500 and Fabric OS v5.1.0 support information, fiber channel router and password management policy support information. November 2005 Minor updates. April 2006 53-1000244-01 Revised for Secure Fabric OS v5.2.0 Sept 2006 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 5
xi Key Terms xii Additional Information xii Brocade Resources xii Other Industry Resources xiv Getting Technical Help xv Document Feedback xvi Chapter 1 Introducing Secure Fabric OS Management Channel Security 1-2 Switch-to-Switch Authentication 1-3 Using PKI 1-3 Using DH-CHAP 1-4 Fabric - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 6
2-23 Managing Shared Secrets 2-24 Preparing SilkWorm 24000 for Secure Fabric OS 2-26 Installing a Supported CLI Client on a Workstation 2-28 Enabling Secure Fabric OS and Creating Policies Prerequisites to Enabling Secure Mode 3-1 Default Fabric and Switch Accessibility 3-2 Enabling Secure Mode - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 7
OS Statistics 4-7 Managing Passwords 4-8 Modifying Passwords in Secure Mode 4-10 Using Temporary Passwords 4-11 Resetting the Version Number and Time Stamp 4-12 Adding Switches and Merging Fabrics with Secure Mode Enabled 4-13 Preventing a LUN Connection 4-17 Troubleshooting 4-17 Appendix - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 8
viii Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 9
About This Document This document is a procedural guide written to help SAN administrators set up and manage a Brocade Secure Fabric OS SAN. This document is specific to Brocade Secure Fabric OS v5.2.0 and all switches running Fabric OS versions v3.2.x, v4.4.x, v5.0.l, v5.1.0, or v5.2.0. "About - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 10
of procedures documented here apply to some switches but not to others, this guide identifies exactly which switches are supported and which are not. Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc. for v3.2.x, v4.4.x, v5 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 11
names in the narrative portions of this guide are presented in mixed lettercase: for lettercase is often all lowercase. Otherwise, this manual specifically notes those cases in which a command caution alerts you to potential damage to hardware, firmware, software, or data. Warning A warning alerts - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 12
documentation is provided on the Brocade Documentation CD-ROM and on the Brocade Web site, through Brocade Connect. Note Go to http://www.brocade.com and click Brocade Connect to register at no cost for a user ID and password. Fabric OS • Fabric OS Administrator's Guide • Fabric OS Command Reference - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 13
48000 • SilkWorm 48000 Hardware Reference Manual • SilkWorm 48000 QuickStart Guide • FR4-18i Hardware Reference Manual • FC4-16IP Hardware Reference Manual SilkWorm 24000 • SilkWorm 24000 Hardware Reference Manual • SilkWorm 24000 QuickStart Guide SilkWorm 24000/48000 • Port Blade and Filler Panel - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 14
Brocade Fabric Switches through: http://www.amazon.com For additional Brocade documentation, visit the Brocade SAN Info Center and click the Resource Library location: http://www.brocade.com Release notes are available on the Brocade Connect Web site and are also bundled with the Fabric OS firmware - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 15
Information • Technical Support contract number, if applicable • Switch model • Switch operating system version • Error numbers and messages received • supportSave command output • Detailed description of the problem and specific questions • Description of any troubleshooting steps already performed - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 16
switch WWN. • All other SilkWorm switches: Provide the switch WWN. Use the wwn command to display the switch WWN. Document Feedback Because quality is our first concern at Brocade to hear from you. Forward your feedback to: [email protected] Provide the title and version number and as much - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 17
) shared secrets to provide switch-to-switch authentication. Table 1-1 lists which switches and fabrics support Secure Fabric OS. Table 1-1 Secure Fabric OS-Supported Switches and Fabrics Fabric OS Versions Supported SilkWorm Platforms v2.6.2 SilkWorm 2000-series switches v3.2.0 SilkWorm 3200 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 18
, messages (such as notifications of password changes) that are sent to the v4.4.0, v5.0.1, v5.1.0, and v5.2.0 support SSH, enabling fully encrypted telnet sessions. switch firmware. For more information about SSH, see the Fabric OS Administrator's Guide. 1-2 Secure Fabric OS Administrator's Guide - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 19
telnet that encrypts passwords only. It is available from your switch supplier. Fabric OS Fabric OS Command Reference Manual. Switch-to-Switch Authentication Switch-to-switch authentication supports the following: • " manual are specific to Secure Fabric OS. See the Fabric OS Administrator's Guide - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 20
either be used. If either is permitted, the default order (FCAP, DHCHAP) is used. The Manual for details of the authUtil and secAuthSecret commands and see "Configuring Switch-to-Switch , password policies, and an SSL certificate, all of which are not supported by older releases. FCS switches are - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 21
Guide. For more information about merging fabrics, see "Adding Switches and Merging Fabrics with Secure Mode Enabled" on page 4-13. The remaining switches several types of policies to customize various aspects of the fabric. By default, only the FCS policy exists when secure mode is first enabled. - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 22
for zoning. • Device Connection Control (DCC) policies-Use to restrict which Fibre Channel device ports can connect to which Fibre Channel switch ports. • Switch Connection Control (SCC) policy-Use to restrict which switches can join the fabric. Note An SCC policy is required if FICON is enabled - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 23
require access to the Web site of the switch support supplier. If the supplier is Brocade, navigate to http://partner.brocade.com (if a partner login is not already assigned, follow the instructions to receive a username and password). This chapter includes the following sections: • "Prerequisites - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 24
Fabric OS Administrator's Guide. Before enabling secure mode, install a supported CLI client on all network workstations that will be used to access the switch command line management interface. See "Installing a Supported CLI Client on a Workstation" on page 2-28 for detailed instructions. Note If - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 25
: 4.5.3 To upgrade the Fabric OS: The firmware upgrade process depends on the type of switch and management interface. See the Fabric OS Administrator's Guide for download instructions specific to the type of switch and management interface. Switches that already have a Secure Fabric OS license - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 26
and certificate display Empty, create the objects on the switch as describe in "Creating PKI Objects" on page 2-5, then follow the instructions in "Obtaining the Digital Certificate File" on page 2-7 and "Distributing Digital Certificates to the Switches" on page 2-13. • If any of the other objects - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 27
command on both logical switches. The pkiCreate command does not work if secure mode is already enabled. switch:admin> pkicreate Installing Private Key and Csr... Switch key pair and CSR generated... Installing Root Certificate... Secure Fabric OS Administrator's Guide 2-5 Publication Number: 53 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 28
Repeat for any other switches, as required. Removing switch according to the instructions provided in "Distributing Digital Certificates to the Switches switch. If you want secure mode enabled, you will need to get the switch is displayed: switch:admin> pkiremove This Switch is in secure mode - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 29
to collect certificate signing requests (CSRs) and install digital certificates on switches. The utility must be installed on a computer workstation. To install the PKICert utility on a Solaris workstation, follow the instructions provided in the PKICert utility ReadMe file. To install the PKICert - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 30
guide are PC-specific. The PKICert utility can be used only in nonsecure mode to generate or install certificates. While performing the certificate request process using PKICert, the switch name should not contain spaces. If the switch name contains spaces, the CSR is rejected by the Brocade default. - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 31
pki_v1.0.6 Choose a method for providing fabric addresses 1) Manually enter fabric address 2) Read addresses from a file ( 32.142.167 2 --> Connecting to Fabric(s) ... Login to fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 Username: admin Password: Logged into fabric 1. principal switch - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 32
Address file. File Name ===> \\server\Working\FabricAddresses.txt Connecting to Fabric(s) ... Login to fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 Username:admin Password: Logged into fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 Press Enter to continue > The utility prompts - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 33
Got a CSR for Switch: Name="sw_129", IP="10.32.142.129" 2. Got a CSR for Switch: Name="sw_128", IP="10.32.142.128" 3. Got a CSR for Switch: Name="sw_139", IP="10.32.142.139" 4. Got a CSR for Switch: Name="sw_143", IP="10.32.142.143" 5. Got a CSR for Switch: Name="sw_138", IP="10.32.142.138" 6. Got - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 34
1) 10:00:00:60:69:11:f8:f9 a) All Fabrics r) Return to Functions menu # Switches ---------- 15 Principal ----------- sec237 enter your choice> 1 Once you finish, press Enter to return to Enter choice> q QUIT? (y/n) y Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 35
to Obtain CSR". To load digital certificates onto one or more switches manually 1. On a PC, double-click pkicert.exe. The PKICert utility and press Enter; alternatively, press Enter to accept the default. The log file is automatically created in the same Guide Publication Number: 53-1000244-01 2-13 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 36
addresses 1) Manually enter fabric address needed to get to all switches. Enter a list of 32.142.167 2 --> Connecting to Fabric(s) ... Login to fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 c. The utility prompts for the username and password for this switch. Type the username and password - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 37
and password for this switch. Type the username and password; press Enter to continue. Username: admin Password: Logged into fabric 1. principal switch WWN # Switches ---------- 7. . . . Principal ----------host1_sw0 enter your choice> 1 Secure Fabric OS Administrator's Guide Publication - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 38
sectelnet application can be used as soon as a digital certificate is installed on the switch. 8. Press Enter. The Functions menu is displayed. 9. Type q to quit the installation utility Enter choice> q QUIT? (y/n) y 2-16 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 39
the fabric addresses; for example, type 1 and press Enter to manually enter the fabric address. PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 Choose a The utility prompts for the username and password for this switch. Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 2-17 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 40
to fabric 1. principal switch WWN = 10:00:00:60:69:50:0d:9f Username: root Password: Logged into fabric 1. principal switch WWN = 10:00:00 Functions menu # Switches ---------- 2 Principal ----------- sec_edge_2 enter your choice> 1 Secure Fabric OS Administrator's Guide Publication Number: 53 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 41
want to quit. PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 FUNCTIONS 1) Retrieve CSRs from switches & write a CSR file 2) Install Certificates contained in a Certificate file 3) utility Enter choice> q QUIT? (y/n) y Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 2-19 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 42
that supports Fabric Security (e.g. >= v2.6, v3.2, v4.3) 1) Use PKI-Cert to get CSR's (Certificate Signing Requests) which will be written to a data file. The XML format file will contain CSR's for each switch (identified by its WWN). 2) Next, Upload the CSR file to the Brocade Security Upgrade - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 43
_A option or for use as default for all switches given. Password: -p Password must accompany "-u UserLogin" if provided. It must be more than 5 characters. ----- END Of HELP with Batch Usage ----- Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 44
is provided in Secure Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 and is used when both switches support it. Authentication automatically defaults to SLAP when a switch does not support FCAP. Alternatively, you can configure Secure Fabric OS to use DH-CHAP authentication. Use the authUtil - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 45
either while secure mode is enabled or not. Run the command on the switch you want to view or change. This section illustrates using the authUtil command for example, you enable the switch), switch authentication fails. Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 2-23 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 46
secAuthSecret "--show". The output displays the WWN, domain ID, and name (if known) of the switches with defined shared secrets: WWN DId Name 10:00:00:60:69:80:07:52 Unknown 10:00:00:60:69:80:07:5c 1 switchA 2-24 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 47
or switch name (Leave blank when done): 10:20:30: switch name (Leave blank when done): Are you done? (yes, y, no, n): [no] y Saving data to key store... Done. 3. Enable and disable the ports on a peer switch using the portEnable and portDisable commands. Secure Fabric OS Administrator's Guide - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 48
instructions, see "Verifying Compatible Fabric OS Version" on page 2-2. 4. Log in to one logical switch and change the account passwords from the default values, then log in to the other logical switch and change the passwords from the default values. 2-26 Secure Fabric OS Administrator's Guide - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 49
them to a common external network time protocol (NTP) server. Note If the fabric contains any switches running Fabric OS v4.4.0, v5.0.1, v5.1.0, or v5.2.0 the server must support a full NTP client. For switches running Fabric OS v3.2.0, the server can be SNTP or NTP. a. Open a telnet or SSH - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 50
that is supported only for switches running Fabric OS v4.1.x or later. You can use SSH clients that support version 2 of the protocol (for example, OpenSSH or FSecure). See the Fabric OS Administrator's Guide for client installation instructions. sectelnet is provided on the Brocade Partner Web - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 51
Troubleshooting" on page 4-17. Prerequisites to Enabling Secure Mode For more information on any of the following items, see Fabric OS Administrator's Guide. Before enabling secure mode, do the following: • Disable the FC-FC routing on all backbone fabrics. • Set the Password policies to the default - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 52
Secure Fabric OS and Advanced Zoning licenses and digital certificates). - All switches in the fabric can be accessed through a serial port. - All switches in the fabric that have front panels (SilkWorm 2000-series switches) can be accessed through the front panel. • Computer hosts and workstations - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 53
v4.2.x switch to distribute all default account passwords to all other switches in passwords for secure mode. Caution Placing the two switches of a two-domain SilkWorm 24000 in separate fabrics is not supported if secure mode is enabled on one or both switches. Secure Fabric OS Administrator's Guide - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 54
option to preserve passwords. If telnet use is completely prohibited, the telnet protocol should be disabled on each switch, using the problem and repeat the configDownload command. For information about troubleshooting the configuration download process, see the Fabric OS Administrator's Guide - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 55
might fail if a switch running Fabric OS v2.6.x is in the fabric. Fabric OS v2.6.x supports a maximum security database size of 16 Kb. If you use secModeEnable --currentpwd command until the passwords are changed from the factory defaults by answering the password prompts during the login. Do - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 56
minutes, please wait... Secure mode is enabled. switch:admin> The command requests active consent to the terms of the license, requests the identity of the FCS switches, and requests the new passwords required for secure mode. Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 57
that are different from the default values and contain between 8 and 40 alphanumeric characters: • Root password for the FCS switch • Factory password for the FCS switch • Admin password for the FCS switch • User password for the fabric • Admin password for the non-FCS switches Note The root and - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 58
in the FCS policy if your primary FCS switch is running Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, or v5.2.0 and using multiple user accounts (MUA) because Fabric OS v2.6.x does not support MUA. See the Fabric OS Administrator's Guide for more information on MUA. 3-8 Secure Fabric OS Administrator - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 59
position in the list of the FCS switch and To is the desired position in the list for this switch. For example, to move a backup FCS switch from position 2 to position 3 in :5a2 switch60. 4. Type secPolicyActivate. Secure Fabric OS Administrator's Guide 3-9 Publication Number: 53-1000244-01 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 60
:1c 1 Ready 10.32.163.161 "fcsswitcha" Backup 10:00:00:00:00:00:22:2c 2 Ready 10.32.163.160 "fcsswitchb" Secured switches in the fabric: 2 FCS switch to be designated as the new primary FCS switch and type secFCSFailover. 3-10 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 61
policy. Note Save policy changes frequently; changes are lost if the switch is rebooted before the changes are saved. Each supported policy is identified by a specific name, and only one policy OS Command Reference. Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 3-11 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 62
about valid input, see "Creating an Options Policy" on page 3-20. DCC_POLICY_nnn No Yes Yes Yes Yes SCC_POLICY No No Yes Yes ports using SCSI Enclosure Services (SES) or management server • Access through switch serial ports and front panels 3-12 Secure Fabric OS Administrator's Guide - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 63
how to create them are described in the following sections. By default, all MAC access is allowed; no MAC policies exist until they No host can write Any host can read Only B can write This combination is not supported. If the WSNMP policy is not defined, the RSNMP policy cannot be created. No - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 64
Empty Host B in policy This combination is not supported. If the WSNMP policy is not defined, the RSNMP SSH session, log in to the primary FCS switch as admin. 2. Type secPolicyCreate "WSNMP_POLICY", logical switches on a two-domain SilkWorm 24000 addresses of the logical switches and to the standby - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 65
certificate is installed on the switch. Note An empty TELNET_POLICY blocks all of management access is available to the switch. To restrict CLI access over the , log in to the primary FCS switch as admin. 2. Type secPolicyCreate "TELNET_POLICY Internet browsers, such as Brocade Web Tools. The policy - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 66
with IP address of 192.168.5.0 (where "0" can be any number) to establish an HTTP connection to any switch in the fabric: primaryfcs:admin> secpolicycreate "HTTP_POLICY", "192.168.5.0" HTTP_POLICY has been created. 3-16 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 67
list of device port WWNs that are Guide for more information. The current SES implementation does not support the SES commands Read Buffer or Write Buffer for remote switches. To direct these commands to a switch that is not the primary FCS switch, designate that switch as the primary FCS switch - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 68
through a device that has a WWN of 12:24:45:10:0a:67:00:40: primaryfcs:admin> secpolicycreate "SES_POLICY", "12:24:45:10:0a:67:00:40" SES_POLICY has been connected to the primary FCS switch. The policy is named MS_POLICY and contains a list of device port WWNs for which the management server - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 69
ports of the switches in the fabric are disabled. Policy with entries Only specified switches can be accessed through the serial ports. To create a Serial Port serial port access to a switch that has a WWN of 12:24:45:10:0a:67:00:40: primaryfcs:admin> secpolicycreate "SERIAL_POLICY", "12:24:45: - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 70
device ports, as might be true with a host bus adapter (HBA port WWNs for zoning. By default, use of node WWNs is allowed; the Options policy does not exist until it is created by the administrator. Table 3-11 displays the possible Options policy states. 3-20 Secure Fabric OS Administrator's Guide - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 71
Note Fabric OS v5.2.0 supports local DCC policies; however the default, all device ports are allowed to connect to all switch ports; no DCC policies exist until they are created by the administrator. Each device port can be bound to one or more switch ports; the same device ports and switch ports - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 72
in a DCC policy are allowed to connect to the fabric at any switch ports that are not specified in a DCC policy. Switch ports and device WWNs may exist in multiple DCC policies. Proxy devices are of a proxy device. 3-22 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 73
switch port information: deviceportWWN;switch(port): • deviceportWWN is the WWN of the device port. • switch can be the switch WWN, domain ID, or switch name. The port can be specified by port or area number. Designating ports and port 1 and port 3 of switch ports 1 through 6 and port 9 of switch - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 74
all devices currently connected to ports 1 through 4 of switch domain 4: primaryfcs:admin> secpolicycreate "DCC_POLICY_example", "44:55:66:77:22:33:44:dd;33:44:55:66:77:11:22:cc;4[1-4]" DCC_POLICY_xxx has been created Creating an SCC Policy Note Fabric OS v5.2.0 supports local SCC policies; however - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 75
OS Policies All Secure Fabric OS transactions must be performed through the primary FCS switch only, except for the secTransAbort, secFCSFailover, secStatsReset, and secStatsShow commands. You can the defined policy set. Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 3-25 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 76
policy is closed to access by all devices/switches that are not listed in that policy. cannot be removed, because a primary FCS switch must be designated. • "Deleting a on page 3-29 From any switch in the fabric, abort a are lost if the switch reboots or the current the primary FCS switch as admin. - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 77
by device or switch IP address, switch domain ID, device or switch WWN, or switch name. 3. To implement the change immediately, enter the secPolicyActivate command. For example, to add a member to the MS_POLICY using the device port WWN: primaryfcs:admin> secpolicyadd "MS_POLICY", "12:24:45:10:0a - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 78
policy, and to attach domain 3 ports 1 and 3 (WWNs of devices switch domain ID, device or switch WWN, or switch name. 3. To implement the change immediately, enter the secPolicyActivate command. For example, to remove a member that has a WWN of 12:24 's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 79
in the fabric. This makes it possible to abort a transaction that has become frozen due to a failed host. If the switch itself fails, the transaction aborts by default. This command cannot be used to abort an active transaction. To abort a Secure Fabric OS transaction 1. From a sectelnet or SSH - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 80
3 3-30 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/32 | Brocade Secure Fabric OS Administrator's Guide (53-100024 - Page 81
Page 82: OS Statistics" on page 4-5 • "Managing Passwords" on page 4-8 • "Resetting the Version Number and Time Stamp" on page 4-12 • "Adding Switches and Merging Fabrics with Secure Mode Enabled" on page 4-13 • "Preventing a LUN Connection" on page 4-17 • "Troubleshooting" on page 4-17 Viewing Secure Fabric
Page 83: Ready 192.168.100.147 "backup" Primary 10:00:00:60:69:22:32:83 3 Ready 192.168.100.135 "primaryfcs" Secured switches in the fabric: 3 Table 4-1 identifies the information that displays if secure policy set.
Page 84: Secure Fabric OS policy: 1. From a sectelnet or SSH session, log in to the primary FCS switch as admin. 2. Type secpolicyshow "listtype", "policy_name". listtype is the type of Secure Fabric OS and defined policy sets.
Page 85: the FCS policy. switch:admin> secmodeshow Secure Mode: ENABLED. Version Stamp: 9182, Wed Mar 13 16:37:01 2001. POS Primary WWN DId swName. 1 Yes 10:00:00:60:69:00:00:5a 21 switch47. 2 No 12:00:00:60:60:03:23:5b 5 switch12.
Page 86: in the policy tries to access one of the defined switch (port) combinations. • An attempt is made to log in to an account with an incorrect password. The statistics for all DCC policies are added together. Note Rebooting the switch resets all the statistics. Secure Fabric OS statistics also can be
Page 87: A received packet has a time stamp that differs from the time of the receiving switch by more than the maximum allowed difference. LOGIN The number of invalid login attempts. not replicated to the standby CP.
Page 88: Secure Fabric OS statistics. list is a list of the domain IDs for which to reset the statistics. You can enter an asterisk (*) to indicate all switches in the fabric. The default value is that of the local switch. If neither operand is specified, all statistics for all Secure Fabric OS policies are
Page 89: be created for specific switches, making it possible to provide temporary access to another user. • User password policies are not supported. To enable Secure mode, you must reset all password policies to the default settings. See Chapter 3 of the Fabric OS Administrator's Guide. The user account
Page 90: only. However, can temporarily enable root and factory accounts on nonFCS switches by creating a temporary password. Password is common to all FCS switches; can modify using passwd command on the primary FCS switch.
Page 91: Secure mode must be enabled to use this command. To modify the admin password for non-FCS switches 1. From a sectelnet or SSH session, log in to the primary FCS switch as admin. 2. Type the secNonFCSPasswd command.
Page 92: OS database. Any existing admin-level telnet connections to these non-FCS switches are terminated. Using Temporary Passwords Create temporary passwords for default accounts to grant temporary access to a specific switch and login account without compromising the confidentiality of the permanent
Page 93: login account to which the temporary password applies. For example, to remove a temporary password for the admin account from a switch that has a domain ID of 2: switch:admin> sectemppasswdreset 2, "admin" Committing configuration.....done Password successfully reset on domain 2 for admin You can
Page 94: The Security policy set, zoning configuration, password information, MUA information, and SNMP community switch has nonzero version stamp. For general information about merging fabrics and instructions for merging fabrics that are not in secure mode, refer to the Fabric OS Administrator's Guide
Page 95: disabled. Segments unless FCS policies are identical. If identical, the switch is the primary FCS switch unless the other FCS switch is higher in the FCS policy. Segments unless FCS policies are in the merge process.
Page 96: (such as on a 2000-series switch running v2.6.x). 2. Ensure that all switches to be merged are running Fabric OS v2.6.2, v3.2.0, v4.4.0, v5.0.1, v5.1.0, or. a. From a serial or SSH session, log in to one of the switches in the fabric as admin. The default password is password. b. Type the version
Page 97: commands on both ISL ports. 14. Physically connect the fabrics. The fabrics automatically merge and the Secure Fabric OS configuration associated with the primary FCS switch that has the nonzero version stamp is kept.
Page 98: host, that port becomes disabled. Alternatively, if your primary FCS switch is running switch. If an edge fabric is connected to a fibre channel router, secModeEnable --quickmode is not supported. Troubleshooting switch that you want to become the primary FCS switch and specify the FCS switches
Page 99: in question is disabled, enter the portEnable command. If the switch port still cannot be accessed, enter the portEnable command for the port on the other switch. One or more CLI sessions are automatically logged out. Password might have been modified for login account in use, the secModeEnable
Page 101: management policy settings. Only the password management policy default values are supported by secure mode. On each switch restore the password policy settings to the default values by running passwdcfg -setdefault.
Page 102: hardware connections and the port status for all ISLs switches are interrupted or between the segmented switches and the fabric. a port failure occurred. Configurations of the segmented switches diverged from rest of the fabric. Disable the segmented switches, reset the configuration parameters
Page 103: not consistent. A password recovery operation might have been performed on one or more switches. To make the passwords consistent, log in to the switch that had the password recovered and enter session and log back in.
Page 104: OS capability includes the addition of new switches to the fabric that do not support Secure Fabric OS. Disabling secure mode includes the SOLUTIONware and other documentation provided on the Brocade Partner Web site. The following tasks are recommended
Page 105: FCS switch. When secure mode is disabled, all temporary passwords are reset and passwords remain the same as in secure mode. • On the switches that were non-FCS switches, the root, factory, and admin passwords become the same as the non-FCS admin password.
Page 106: To deactivate the software license 1. Open a CLI connection (serial or telnet) to the switch. 2. Type the licenseShow command to display the Secure Fabric OS license key. Copy the the rm command to remove the folder.
Page 108: mode • Fail over the primary FCS switch • Create and modify Secure Fabric OS policies • View all Secure Fabric OS-related information • Modify passwords • Create and remove temporary passwords • View and reset Secure Fabric OS statistics • View and reset version stamp information Most Secure Fabric
Page 109: 3-2. This command cannot be entered if secure mode is already enabled unless all the FCS switches have failed. Nonsecure mode Available in secure mode if no FCS switches are left Enter from intended primary FCS switch
Page 110: password. See "Modifying the Non-FCS Switch Admin Password" on page 4-10. Secure mode Primary FCS switch Primary FCS switch secPolicyAdd admin / Primary FCS switch secPolicyCreate admin Switch Within the FCS Policy" on page 3-9. Secure mode Primary FCS switch switch FCS switch secPolicyShow
Page 111: " on page 3-29. secVersionReset admin / fabricAdmin Resets version stamp. See "Resetting the Version Number and Time Stamp" on page 4-12. Secure mode Primary FCS switch; if not available, then nonFCS switch.
Page 113: OS Command Reference. Table B-2 Zoning Commands Command Primary FCS Backup FCS Non-FCS Switch Switch Switch aliAdd aliCreate Yes No No Yes No No aliDelete Yes No No aliRemove Yes No Yes No No
Page 114: recommended. The zoning and Secure Fabric OS configurations are not uploaded if entered on a non-FCS switch. date Yes Yes (read only) Yes (read only) date (except ACL does not display) Yes
Page 115: Table B-3 Miscellaneous Commands (Continued) Command Primary FCS Switch Backup FCS Switch Non-FCS Switch msplClearDB Yes No No msplMgmtActivate Yes No No msplMgmtDeactivate cannot modify WWNs in secure mode)
Page 116: A-2 secModeEnable i-iv, 3-2, 3-5, 3-11, 4-16, 4-17, 4-18, 4-19, 4-20, 4-21, A-2 secModeShow 4-4, 4-17, password for a switch 4-11 creating an Options policy 3-20 creating an SCC policy 3-24 creating an SNMP policy 3-13 creating PKI certificate reports 2-17
Page 117: role 3-10 FC-FC Routing 3-5, 3-24, 4-20 FCS policy changing the switch position 3-9 modifying 3-8 FCS switch, primary failover 3-10 FCS switches 1-4 fibre channel router 3-5, 3-24, 4-20 FMPS 1-5 Front Panel policy 3-20 H HTTP policy 3-15 I installing a supported CLI client on a computer workstation
Page 118: 3-12 Management Server 3-18 Options 3-20 removing members 3-28 RSNMP 3-13 saving changes 3-26 SCC 3-24 Secure Fabric OS removal preparation 5-1 Serial Port 3-19 SES 3-17 SNMP 3-13 Telnet 3-14 viewing the database 4-2 WSNMP 3-13
support, Fibre Channel router 3-5, 3-24 switch-to-switch authentication CHAP 1-3 DH-CHAP 1-3 T telnet 1-3 Telnet policy 3-14 telnet, when available 2-28 temporary password creating 4-11 removing 4-12 using 4-11 troubleshooting 4-17 Fibre Channel router 4-20