Home » HP Manuals » Storage Devices » HP StorageWorks 8/80 » Manual Viewer

HP StorageWorks 8/80 Brocade Fabric OS Administrator's Guide v6.3.0 (53-100133 - Page 195

Key management, Pre-shared keys, Security certificates, Static Security Associations

View all HP StorageWorks 8/80 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 195 highlights

Management interface security 7 Key management The IPsec key management supports Internet Key Exchange or Manual key/SA entry. The Internet Key Exchange (IKE) protocol handles key management automatically. SAs require keying material for authentication and encryption. The managing of keying material that SAs require is called key management. The IKE protocol solves the most prominent problem in the setup of secure communication: the authentication of the peers and the exchange of the symmetric keys. It then creates the security associations and populates the SADB. The manual key/SA entry requires the keys to be generated and managed manually. For the selected authentication or encryption algorithms, the correct keys must be generated using a third party utility on your LINUX system. The key length is determined by the algorithm selected. Linux IPsec-tools 0.7 provides tools for manual key entry (MKE) and automatic keyed connections. The LINUX setKey command can be used for manually keyed connections, which means that all parameters needed for the setup of the connection are provided by you. Based on which protocol, algorithm, and key used for the creation of the security associations, the switch populates the security association database (SAD) accordingly. Pre-shared keys A pre-shared key has the .psk extension and is one of the available methods IKE can be configured to use for primary authentication. You can specify the pre-shared keys used in IKE policies; add and delete pre-shared keys (in local database) corresponding to the identity of the IKE peer or group of peers. The ipSecConfig command does not support manipulating pre-shared keys corresponding to the identity of the IKE peer or group of peers. Use the secCertUtil command to import, delete, or display the pre-shared keys in the local switch database. For more information on this procedure, refer to Chapter 6, "Configuring Standard Security Features". Security certificates A certificate is one of the available methods IKE can be configured to use for primary authentication. You can specify the local public key and private key (in X.509 PEM format) and peer public key (in X.509 format) to be used in a particular IKE policy. Use the secCertUtil import command to import public key, private key and peer-public key (in X.509 PEM format) into the switch database. For more information on this procedure, refer to Chapter 6, "Configuring Standard Security Features". ATTENTION The CA certificate name must have the IPSECCA.pem name. Static Security Associations Manual Key Entry (MKE) provides the ability to manually add, delete and flush SA entries in the SADB. Manual SA entries may not have an associated IPsec policy in the local policy database. Manual SA entries are persistent across system reboots. Fabric OS Administrator's Guide 153 53-1001336-01

Section	Page
Contents	5
Figures	25
Tables	29
About This Document	33
In this chapter	33
How this document is organized	33
Supported hardware and software	34
What’s new in this document	35
Document conventions	36
Text formatting	36
Command syntax conventions	37
Notes, cautions, and warnings	37
Key terms	37
Notice to the reader	38
Additional information	38
Brocade resources	38
Other industry resources	38
Getting technical help	39
Document feedback	40
Performing Basic Configuration Tasks	43
In this chapter	43
Fabric OS overview	43
Fabric OS command line interface	44
Console sessions using the serial port	44
Telnet or SSH sessions	45
Getting help on a command	46
Password modification	47
Default account passwords	47
The Ethernet interface on your switch	48
Virtual Fabrics and the Ethernet interface	48
Displaying the network interface settings	48
Static Ethernet addresses	49
DHCP activation	50
IPv6 autoconfiguration	52
Date and time settings	53
Setting the date and time	53
Time zone settings	53
Network time protocol	55
Domain IDs	56
Displaying the domain IDs	56
Setting the domain ID	57
Switch names	57
Customizing the switch name	58
Chassis names	58
Customizing chassis names	58
Switch activation and deactivation	58
Disabling a switch	58
Enabling a switch	59
Switch and enterprise-class platform shutdown	59
Powering off a Brocade switch	59
Powering off a Brocade enterprise-class platform	59
Basic connections	60
Device connection	60
Switch connection	60
Performing Advanced Configuration Tasks	63
In this chapter	63
PIDs and PID binding overview	63
Core PID addressing mode	64
Fixed addressing mode	64
10-bit addressing mode	64
256-area addressing mode	65
WWN-based PID assignment	65
Ports	67
Setting port names	68
Port identification by slot and port number	68
Port identification by port area ID	69
Port identification by index	69
Swapping port area IDs	70
Port activation and deactivation	70
Setting port speeds	71
Setting the same speed for all ports on the switch	71
Blade terminology and compatibility	72
CP blades	73
Core blades	74
Port and application blade compatibility	74
Enabling and disabling blades	75
Enabling blades	75
Disabling blades	76
Blade swapping	76
Swapping blades	77
Swapping blades	79
Power conservation	79
Powering off a port blade	80
Powering on a port blade	80
Inter-chassis links	80
Supported topologies	81
Gateway links	82
Configuring a link through a gateway	83
Equipment status	83
Checking switch operation	83
Verifying High Availability features (directors and enterprise-class platforms only)	83
Verifying fabric connectivity	85
Verifying device connectivity	85
Track and control switch changes	85
Enabling the track changes feature	86
Displaying the status of the track changes feature	86
Viewing the switch status policy threshold values	86
Setting the switch status policy threshold values	87
Audit log configuration	88
Auditable event classes	89
Verifying host syslog prior to configuring the audit log	90
Configuring an audit log for specific event classes	90
High availability of daemon processes	91
Understanding Fibre Channel Services	93
In this chapter	93
Fibre Channel services overview	93
The Management Server	94
Platform services	94
Platform services in a Virtual Fabric	94
Enabling platform services	95
Disabling platform services	95
Management server database	95
Displaying the management server ACL	96
Adding a member to the ACL	96
Deleting a member from the ACL	97
Viewing the contents of the management server database	98
Clearing the management server database	99
Topology discovery	99
Displaying topology discovery status	99
Enabling topology discovery	99
Disabling topology discovery	99
Routing Traffic	101
About this chapter	101
Routing overview	101
Path versus route selection	101
FSPF	102
Fibre Channel NAT	102
Routing policies	103
Displaying the current routing policy	103
Exchange-based routing	104
Port-based routing	104
AP route policy	104
Routing in Virtual Fabrics	105
Route selection	106
Dynamic load sharing	106
Static route assignment	106
Frame order delivery	107
Forcing in-order frame delivery across topology changes	108
Restoring out-of-order frame delivery across topology changes	108
Lossless Dynamic Load Sharing on ports	108
Configuring lossless dynamic load sharing on ports	108
Lossless dynamic load sharing in Virtual Fabrics	108
Frame Redirection	109
Creating a frame redirect zone	110
Deleting a frame redirect zone	110
Viewing redirect zones	110
Managing User Accounts	111
In this chapter	111
User accounts overview	111
Role-Based Access Control (RBAC)	112
The management channel	115
Local database user accounts	116
Default accounts	116
Local account passwords	117
Local account database distribution	118
Distributing the local user database	118
Accepting distribution of user databases on the local switch	118
Rejecting distributed user databases on the local switch	119
Password policies	119
Password strength policy	119
Password history policy	120
Password expiration policy	121
Account lockout policy	121
The boot PROM password	123
Setting the boot PROM password for a switch with a recovery string	123
Setting the boot PROM password for a director with a recovery string	124
Setting the boot PROM password for a switch without a recovery string	125
Setting the boot PROM password for a director without a recovery string	126
The authentication model using RADIUS and LDAP	127
Setting the switch authentication mode	129
Fabric OS user accounts	129
Fabric OS users on the RADIUS server	130
The RADIUS server	133
LDAP configuration and Microsoft Active Directory	139
Authentication servers on the switch	142
Configuring local authentication as backup	143
Configuring Standard Security Features	145
In this chapter	145
Security protocols	145
Secure Copy	146
Setting up SCP for configUploads and downloads	147
Secure Shell protocol	147
SSH public key authentication	148
Secure Sockets Layer protocol	150
Browser and Java support	150
SSL configuration overview	150
Certificate authorities	151
The browser	153
Root certificates for the Java Plug-in	154
Simple Network Management Protocol	155
SNMP and Virtual Fabrics	156
The security level	156
The snmpConfig command	157
Telnet protocol	157
Blocking Telnet	157
Unblocking Telnet	158
Listener applications	159
Ports and applications used by switches	159
Port configuration	160
Configuring Advanced Security Features	161
In this chapter	161
ACL policies overview	161
How the ACL policies are stored	161
Policy members	162
ACL policy management	162
Displaying ACL policies	163
Saving changes without activating the policies	163
Activating policy changes	163
Deleting an ACL policy	163
Adding a member to an existing ACL policy	164
Removing a member from an ACL policy	164
Aborting unsaved policy changes	164
FCS policies	165
FCS policy restrictions	165
Ensuring fabric domains share policies	166
Creating an FCS policy	166
Modifying the order of FCS switches	167
FCS policy distribution	167
DCC policies	168
DCC policy restrictions	169
Creating a DCC policy	169
Deleting a DCC policy	170
SCC policies	171
Creating an SCC policy	171
Authentication policy for fabric elements	172
E_Port authentication	173
Device authentication policy	174
AUTH policy restrictions	175
Authentication protocols	175
Secret key pairs	177
Fabric-wide distribution of the Auth policy	178
IP Filter policy	179
Creating an IP Filter policy	179
Cloning an IP Filter policy	179
Displaying an IP Filter policy	179
Saving an IP Filter policy	180
Activating an IP Filter policy	180
Deleting an IP Filter policy	180
IP Filter policy rules	180
IP Filter policy enforcement	182
Adding a rule to an IP Filter policy	183
Deleting a rule to an IP Filter policy	183
Aborting an IP Filter transaction	183
IP Filter policy distribution	183
Policy database distribution	184
Database distribution settings	185
ACL policy distribution to other switches	186
Fabric-wide enforcement	186
Notes on joining a switch to the fabric	188
Management interface security	190
Configuration examples	191
IPsec protocols	192
Security associations	193
Authentication and encryption algorithms	193
IPsec policies	194
IKE policies	194
Creating the tunnel	196
Example of an End-to-End Transport Tunnel mode	197
Maintaining the Switch Configuration File	201
In this chapter	201
Configuration settings	201
Configuration file format	202
Configuration file backup	204
Uploading a configuration file in interactive mode	205
Configuration file restoration	205
Restrictions	206
Configuration download without disabling a switch	207
Configuration restoration in a FICON environment	209
Configurations across a fabric	210
Downloading a configuration file from one switch to another same model switch	210
Security considerations	211
Configuration Management for Virtual Fabrics	211
Uploading a config file from a switch with Virtual Fabrics enabled	211
Restoring a logical switch using configDownload	212
Restrictions	213
Brocade configuration form	213
Installing and Maintaining Firmware	215
In this chapter	215
Firmware download process overview	215
Upgrading and downgrading firmware	216
Considerations for FICON CUP environments	217
HA sync state	217
Preparing for a firmware download	218
Connected switches	219
Finding the switch firmware version	219
Obtain and decompress firmware	219
Firmware download on switches	220
Switch firmware download process overview	220
Firmware download on an enterprise-class platform	222
Enterprise-class platform firmware download process overview	222
Firmware download from a USB device	226
Enabling USB	226
Viewing the USB file system	226
Downloading from USB using the relative path	226
Downloading from USB using the absolute path	226
SAS and SA applications	227
Downloading an application	227
FIPS Support	228
Public and Private Key Management	228
The firmwareDownload Command	229
Power-on Firmware Checksum Test	230
Test and restore firmware on switches	230
Testing a different firmware version on a switch	230
Test and restore firmware on enterprise-class platforms	232
Testing different firmware versions on enterprise-class platforms	232
Validating a firmware download	235
Managing Virtual Fabrics	237
In this chapter	237
Virtual Fabrics overview	237
Logical switch overview	238
Default logical switch	238
Logical switches and fabric IDs	240
Port assignment in logical switches	240
Logical switches and connected devices	241
Logical fabric overview	242
Logical fabric and ISLs	243
Logical fabric and ISL sharing	244
Management model for logical switches	247
Account management and Virtual Fabrics	248
Supported platforms for Virtual Fabrics	248
Supported port configurations in the Brocade 5100 and 5300	248
Supported port configurations in the Brocade DCX and DCX-4S	248
Virtual Fabrics interaction with other Fabric OS features	249
Limitations and restrictions of Virtual Fabrics	250
Restrictions on moving ports	251
Enabling Virtual Fabrics	251
Disabling Virtual Fabrics	252
Configuring logical switches to use basic configuration values	253
Creating a logical switch or base switch	253
Executing a command in a different logical fabric context	255
Deleting a logical switch	256
Adding and removing ports on a logical switch	256
Displaying logical switch configuration	257
Changing the fabric ID of a logical switch	258
Changing a logical switch to a base switch	259
Configuring a logical switch to use XISLs	260
Changing the context to a different logical fabric	261
Creating a logical fabric using XISLs	261
Administering Advanced Zoning	263
In this chapter	263
Special zones	263
Zoning overview	264
Zone types	265
Zone objects	266
Zone aliases	267
Zone configurations	268
Zoning enforcement	268
Considerations for zoning architecture	269
Best practices for zoning	270
Broadcast zones	270
Broadcast zones and Admin Domains	271
Broadcast zones and FC-FC routing	272
High availability considerations with broadcast zones	272
Loop devices and broadcast zones	272
Broadcast zones and default zoning	272
Zone aliases	273
Creating an alias	273
Adding members to an alias	273
Removing members from an alias	274
Deleting an alias	274
Viewing an alias in the defined configuration	275
Zone creation and maintenance	275
Creating a zone	275
Adding devices (members) to a zone	276
Removing devices (members) from a zone	276
Deleting a zone	277
Viewing a zone in the defined configuration	277
Validating a zone	277
Default zoning mode	278
Setting the default zoning mode	279
Viewing the current default zone access mode	279
Zoning database size	280
Zoning configurations	280
Creating a zoning configuration	280
Adding zones (members) to a zoning configuration	281
Removing zones (members) from a zone configuration	281
Enabling a zone configuration	282
Disabling a zone configuration	282
Deleting a zone configuration	283
Clearing changes to a configuration	283
Viewing all zone configuration information	283
Viewing selected zone configuration information	284
Viewing the configuration in the effective zone database	284
Clearing all zone configurations	285
Zone object maintenance	285
Copying a zone object	285
Deleting a zone object	286
Renaming a zone object	287
Zoning configuration management	287
New switch or fabric additions	287
Fabric segmentation and zoning	289
Security and zoning	289
Zone merging scenarios	290
Managing iSCSI Gateway Service	293
In this chapter	293
iSCSI gateway service overview	293
iSCSI session translation	294
Basic and advanced LUN mapping	295
iSCSI component identification of the IQN prefix	296
Access control with discovery domains	297
Switch-to-iSCSI initiator authentication	298
Load balancing through connection redirection	298
Supported iSCSI initiators	300
Checklist for configuring iSCSI	300
FC4-16IP blade configuration	302
FC4-16IP port numbering	302
Enabling the iSCSI gateway service	303
Enabling GbE ports	304
Configuring the GbE interface	305
iSCSI virtual target configuration	306
Automatic iSCSI VT creation	307
Manual iSCSI VT creation	309
Displaying the iSCSI virtual target LUN map	312
Displaying iSCSI VT state and status	313
Discovery domain and domain set configuration	313
Displaying iSCSI initiator IQNs	314
Creating discovery domains	314
Creating and enabling a discovery domain set	314
iSCSI initiator-to-VT authentication configuration	315
Setting the user name and shared secret	315
Binding user names to an iSCSI VT	315
Deleting user names from an iSCSI VT binding list	316
Displaying CHAP configurations	316
Committing the iSCSI-related configuration	316
Resolving conflicts between iSCSI configurations	317
LUN masking considerations	318
iSCSI FC zoning overview	318
iSCSI FC zone creation	319
Zoning configuration creation	323
Creating and enabling a zoning configuration	323
iSNS client service configuration	324
Displaying iSNS client service status	325
Enabling the iSNS client service	325
Disabling the iSNS client service	326
Clearing the iSNS client configuration	326
Administering NPIV	327
In this chapter	327
NPIV overview	327
Fixed addressing mode	327
10-Bit addressing mode	327
Enabling and disabling NPIV	328
Configuring NPIV	328
Viewing NPIV port configuration information	329
Viewing virtual PID login information	331
Interoperability for Merged SANs	333
In this chapter	333
Interoperability overview	333
Connectivity solutions	334
Domain ID offset modes	335
Configuring the Domain_ID offset	336
McDATA Fabric mode configuration restrictions	336
McDATA Open Fabric mode configuration restrictions	337
Interoperability support for logical switches	338
Switch configurations for interoperability	338
Enabling McDATA Open Fabric mode	339
Enabling McDATA Fabric mode	339
Enabling Brocade Native mode	340
Zone management in interoperable fabrics	341
Zoning restrictions	341
Zone name restrictions	342
Zoning modes	342
Setting the safe zone mode on a stand-alone switch	343
Setting the safe zone mode fabric-wide	343
Disabling safe zone mode	343
Effective zone configuration	343
Saving the effective zone configuration to the Defined Database	344
Frame Redirection in interoperable fabrics	344
Traffic Isolation zones in interoperable fabrics	345
Brocade SANtegrity implementation in mixed fabric SANS	345
Fabric OS Layer 2 Fabric Binding	346
E_Port authentication between Fabric OS and M-EOS switches	346
Switch authentication policy	348
Dumb switch authentication	351
Authentication of EX_Port, VE_Port, and VEX_Port connections	352
Authentication of VE_Port-to-VE_Port connections	353
Authentication of VEX_Port-to-VE_Port connections	356
Authentication of VEX_Port-to-VEX_Port connections	357
FCR SANtegrity	357
Fabric Binding behavior in a mixed fabric	358
Configuring the preferred domain ID and the insistent domain ID	358
FICON implementation in a mixed fabric	359
Fabric OS version change restrictions in an interoperable environment	359
Coordinated Hot Code Load	360
Bypassing the Coordinated HCL check on firmware download	360
Coordinated HCL on switches firmware downloads	361
Upgrade and downgrade considerations for HCL for interoperability	361
McDATA-aware features	361
McDATA-unaware features	362
M-EOS feature limitations in mixed fabrics	364
Supported hardware in an interoperable environment	365
Supported features in an interoperable environment	368
Unsupported features in an interoperable environment	370
Managing Administrative Domains	371
In this chapter	371
Administrative Domains overview	371
Admin Domain features	373
Requirements for Admin Domains	373
Admin Domain access levels	374
User-defined Administrative Domains	374
System-defined Administrative Domains	374

Match case Limit results 1 per page

Fabric OS Administrator’s Guide

153

53-1001336-01

Management interface security

Key management

The IPsec key management supports Internet Key Exchange or Manual key/SA entry. The Internet

Key Exchange (IKE) protocol handles key management automatically. SAs require keying material

for authentication and encryption. The managing of keying material that SAs require is called

key

management

The IKE protocol solves the most prominent problem in the setup of secure communication: the

authentication of the peers and the exchange of the symmetric keys. It then creates the security

associations and populates the SADB.

The manual key/SA entry requires the keys to be generated and managed manually. For the

selected authentication or encryption algorithms, the correct keys must be generated using a third

party utility on your LINUX system. The key length is determined by the algorithm selected.

Linux IPsec-tools 0.7 provides tools for manual key entry (MKE) and automatic keyed connections.

The LINUX

setKey

command can be used for manually keyed connections, which means that all

parameters needed for the setup of the connection are provided by you. Based on which protocol,

algorithm, and key used for the creation of the security associations, the switch populates the

security association database (SAD) accordingly.

Pre-shared keys

A pre-shared key has the .psk extension and is one of the available methods IKE can be configured

to use for primary authentication. You can specify the pre-shared keys used in IKE policies; add

and delete pre-shared keys (in local database) corresponding to the identity of the IKE peer or

group of peers.

The

ipSecConfig

command does not support manipulating pre-shared keys corresponding to the

identity of the IKE peer or group of peers. Use the

secCertUtil

command to import, delete, or display

the pre-shared keys in the local switch database. For more information on this procedure, refer to

Chapter 6, “Configuring Standard Security Features”

Security certificates

A certificate is one of the available methods IKE can be configured to use for primary

authentication. You can specify the local public key and private key (in X.509 PEM format) and peer

public key (in X.509 format) to be used in a particular IKE policy.

Use the

secCertUtil import

command to import public key, private key and peer-public key (in X.509

PEM format) into the switch database. For more information on this procedure, refer to

Chapter 6,

“Configuring Standard Security Features”

ATTENTION

The CA certificate name must have the

IPSECCA.pem

name.

Static Security Associations

Manual Key Entry (MKE) provides the ability to manually add, delete and flush SA entries in the

SADB. Manual SA entries may not have an associated IPsec policy in the local policy database.

Manual SA entries are persistent across system reboots.