HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.1.x administrator guide (5697 - Page 117

Key database on switch Local secret A Peer secret B Key database on switch Local secret B Peer secret A Switch A Figure 3 DH-CHAP authentication Switch B If you use DH-CHAP authentication, then a secret key pair must be installed only in connected fabric elements. However, as connections are changed, new secret key pairs must be installed between newly connected elements. Alternatively, a secret key pair for all possible connections may be initially installed, enabling links to be arbitrarily changed while still maintaining a valid secret key pair for any new connection. The switch authentication (AUTH) policy initiates DH-CHAP/FCAP authentication on all E_Ports. This policy is persistent across reboots, which means authentication will be initiated automatically on ports or switches brought online if the policy is set to activate authentication. The AUTH policy is distributed using the distribute command. The automatic distribution of the AUTH policy is not supported. The default configuration directs the switch to attempt FCAP authentication first, DH-CHAP second. The switch may be configured to negotiate FCAP, DH-CHAP, or both. The DH group is used in the DH-CHAP protocol only. The FCAP protocol exchanges the DH group information, but does not use it. The AUTH policy is designed to accommodate mixed fabric environments that contain Fabric OS 6.0.0 and pre-6.0.0 switches. The policy states PASSIVE and OFF allow connection from Fabric OS 6.0.0 switches to pre-6.0.0 switches. These policy states do not allow switches to send the authentication negotiation and therefore continue with the rest of port initialization. E_Port authentication The authentication (AUTH) policy allows you to configure the DH-CHAP authentication on the switch. By default the policy is set to PASSIVE and you can change the policy using the authutil command All changes to the AUTH policy are effective. This includes starting authentication on all E_Ports on the local switch if the policy is changed to ON or ACTIVE, and clearing the authentication if the policy is changed to OFF. The authentication configurations will be effective only on subsequent E_ and F_Port initialization. A secret key pair has to be installed prior to changing the policy. The policy can be configured as follows: $authutil --policy -sw WARNING! If data input has not been completed and a failover occurs, the command is terminated without completion and the entire user input is lost. If data input has completed, the enter key pressed, and a failover occurs, data may or may not be replicated to the other CP depending on the timing of the failover. Log in to the other CP after the failover is complete and verify the data was saved. If data was not saved, run the command again. ON: Setting the AUTH policy to ON means that strict authentication is enforced on all E_Ports. If the connecting switch does not support authentication or the policy is switched to the OFF state, the ISL is disabled. During switch initialization, authentication begins automatically on all E_Ports. In order to enforce this policy fabric wide, the fabric needs to have Fabric OS 5.3.0 or later switches only. The switch disables the Fabric OS 6.1.x administrator guide 117