HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.2 administrator guide (5697-0 - Page 131

The AUTH policy is designed to accommodate mixed fabric environments that contain Fabric OS 6.0.0 and later along with pre-6.0.0 switches. The policy states PASSIVE and OFF allow connection from Fabric OS 6.0.0 and later switches to pre-6.0.0 switches. These policy states do not allow switches to send the authentication negotiation and therefore continue with the rest of port initialization. Virtual Fabric considerations: If a Virtual Fabric is enabled, all AUTH module parameters such as shared secrets, and shared switch and device policies, are Logical Switch-wide. That means you must configure shared secrets and policies separately on each Logical Switch and the shared secrets and policies must be set on each switch prior to authentication. On Logical Switch creation, authentication takes default values for policies and other parameters. E_Port authentication The authentication (AUTH) policy allows you to configure DH-CHAP authentication on the switch. By default the policy is set to PASSIVE and you can change the policy using the authUtil command. All changes to the AUTH policy take effect during the next authentication request. This includes starting authentication on all E_Ports on the local switch if the policy is changed to ON or ACTIVE, and clearing the authentication if the policy is changed to OFF. The authentication configurations will be effective only on subsequent E_ and F_Port initialization. Virtual Fabric considerations: The switch authentication policy applies to all E_Ports in a Logical Switch. This includes ISLs and extended ISLs. Authentication of extended ISLs between two base switches is considered peer-chassis authentication. Authentication between two physical entities is required, so the extended ISL that connects the two chassis needs to be authenticated. The corresponding extended ISL for a logical ISL authenticates the peer-chassis, therefore the logical ISL authentication is not required. Since the logical ISLs do not carry actual traffic, they do not need to be authenticated. Authentication on re-individualization is also blocked on logical ISLs. The following error message is printed on the console when you execute the authUtil --authinit command on logical-ISLs, Failed to initiate authentication. Authentication is not supported on logical ports . For more information on Virtual Fabrics, see Chapter 6, "Managing virtual fabrics" on page 173. A secret key pair has to be installed prior to changing the policy. The policy can be configured as follows: switch:admin> authutil --policy -sw IMPORTANT: If data input has not been completed and a failover occurs, the command is terminated without completion and your entire input is lost. If a failover occurs and data input has been completed and the Enter key pressed, data may or may not be replicated to the other CP depending on the timing of the failover. Log in to the other CP after the failover is complete and verify that the data was saved. If data was not saved, run the command again. The following are the available policy modes and properties: ON Setting the AUTH policy to ON means that strict authentication is enforced on all E_Ports. If the connecting switch does not support authentication or the policy is switched to the OFF state, the ISL is disabled. During switch initialization, authentication begins automatically on all E_Ports. To enforce this policy fabric-wide, the fabric needs to have Fabric OS 5.3.0 and later switches only. The switch disables the port if it is connected to a switch which does not support authentication. Regardless of the policy, the E_Port is disabled if the DH-CHAP or FCAP protocol fails to authenticate the attached E_Port. ACTIVE In this state the switch is more tolerant and can connect to a switch with any type of policy. During switch initialization, authentication begins on all E_Ports, but the port is not disabled if the connecting switch does not support authentication or the AUTH policy is turned to the OFF state. Fabric OS 6.2 administrator guide 129