HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.1.x administrator guide (5697 - Page 93

Configuring for the SSL protocol Secure sockets layer (SSL) protocol provides a secure sockets layer (SSL) protocol, which provides secure access to a fabric through Web-based management tools like Web Tools. SSL support is a standard Fabric OS feature. Switches configured for SSL grant access to management tools through hypertext transfer protocol-secure links (which begin with https://) instead of standard links (which begin with http://). SSL uses Public Key Infrastructure (PKI) encryption to protect data transferred over SSL connections. PKI is based on digital certificates obtained from an Internet Certificate Authority (CA), which acts as the trusted key agent. Certificates are based on the switch IP address or fully qualified domain name (FQDN), depending on the issuing CA. If you change a switch IP address or FQDN after activating an associated certificate, you may have to obtain and install a new certificate. Check with the CA to verify this possibility, and plan these types of changes accordingly. Browser and Java support Fabric OS supports the following Web browsers for SSL connections: • Internet Explorer (Microsoft Windows) • Mozilla (Solaris and Red Hat Linux) In countries that allow the use of 128-bit encryption, you should use the latest version of your browser. For example, Internet Explorer 6.0 and later supports 128-bit encryption by default. You can display the encryption support (called "cipher strength") using the Internet Explorer Help:About menu option. If you are running an earlier version of Internet Explorer, you may be able to download an encryption patch from the Microsoft website at http://www.microsoft.com. You should upgrade to the Java 1.5.0_06 Plug-in on your management workstation. To find the Java version that is currently running, open the Java console and look at the first line of the window. For more details on levels of browser and Java support, see the Web Tools Administrator's Guide. Summary of SSL procedures You configure for SSL by obtaining, installing, and activating digital certificates for SSL support. Certificates are required on all switches that are to be accessed through SSL. You also need to install a certificate in the Java Plug-in on the management workstation, and you may need to add a certificate to your Web browser. Configuring for SSL involves these major steps, which are shown in detail in the next sections. 1. Choose a Certificate Authority (CA). 2. Generate the following items on each switch: a. A public/private key (secCertUtil genkey command). b. A certificate signing request (CSR) (secCertUtil gencsr command) and store the CSR on an FTP server (secCertUtil export command). 3. Obtain the certificates from the CA. You can request a certificate from a CA through a Web browser. After you request a certificate, the CA either sends certificate files by e-mail (public) or gives access to them on a remote host (private). Typically, the CA provides the certificate files listed in Table 18. Table 18 SSL certificate files Certificate file Description name.crt The switch certificate. Fabric OS 6.1.x administrator guide 93