Home » HP Manuals » Storage Devices » HP StorageWorks MSA 2/8 » Manual Viewer

HP StorageWorks MSA 2/8 HP StorageWorks Fabric OS Procedures V3.1.x/4.1.x User - Page 93

New Features, Ensuring a Secure Operating System, Secure Shell (SSH)

View all HP StorageWorks MSA 2/8 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 93 highlights

Basic Security in FOS New Features Ensuring a Secure Operating System Fabric OS v4.1 uses Linux as the operating system in the switch. Therefore, securing the switch includes securing the underlying operating system as well. Fabric OS uses the Berkeley r-commands facility to transfer data between control processors in the Core Switch 2/64 platform. The primary security concern is the use of the .rhosts file. All hosts listed in the.rhosts file are trusted, meaning they can log in to the switch without any authentication such as a password. The .rhosts file on the switch contains the IP address 10.0.0.5 and 10.0.0.6, which are the IP address of each CP in a Core Switch 2/64 chassis. To prevent the use of these facilities except from the internal network, an iptables firewall has been implemented. This firewall isolates the external network from internal network and does not allow execution of r-commands on the switch from external hosts. However, if you logged in to a switch of CP as root, you can issue r-commands to the other CP. In addition, various proprietary protocols are also used over the internal CP-to-CP Ethernet. The internal Ethernet interface is considered a "trusted" interface over which arbitrary communications may occur. To address these security concerns, the internal Ethernet interfaces were disconnected from the public Ethernet interfaces. A packet filter is used to isolate the internal Ethernet interface. The packet filter: ■ Prevents routing of packets to and from internal network. ■ Protects against spoofing of internal network addresses. ■ The packet filter blocks all incoming packets from 10.0.0.0 to 10.0.0.255. ■ Closes network services intended only for the internal network without changing the source code. Secure Shell (SSH) An SSH (Secure Shell) is used to support encrypted telnet sessions to the switch (DES encryption is not supported). The default out-of-band Telnet mechanism for managing switches was deemed insecure because the passwords are sent over the wire in clear text. It is relatively easy for any network-connected system to sniff and reap these passwords for use in subsequent intrusions. In a complex enterprise network that aggregates device management into a backbone, it is difficult to Fabric OS Procedures Version 3.1.x/4.1.x User Guide 93

Section	Page
Contents	3
Initial Configuration	13
Connecting and Configuring the Switch	14
Physically Connecting to the Switch	14
Power on the Switch	14
Configuring the IP Addresses	14
Configuring the IP Address for the SAN Switch 2/16	14
Configuring the Control Processor IP Addresses for the SAN Switch 2/32	15
Configuring IP Addresses for the Core Switch 2/64	16
Table 1: Areas to be Configured for the Core Switch 2/64	16
Configuring the Control Processors:	16
Configuring a Logical Switch IP Address for the Core Switch 2/64	18
Initial Setup Example	19
Switch Login	21
Logging Into the Switch	21
Changing the Admin Password in v3.1 Firmware	22
Changing the Admin Password in v4.1 Firmware	23
Customize the Switch Name	24
Customizing a Switch Name	24
Manage Licensed Features	25
Obtaining Optional Software License Keys from HP	25
Activating a License	26
Verifying License Activation	26
Configure Fabric Parameters	28
Understanding the Core PID Requirements	28
Mixed Fabric Requirements	28
(Optional) Enabling Core PID Addressing	29
Considering Additional Fabric Configurations	29
Configure Software Features	30
Verify Switch Function	31
Connect ISLs to Switch	33
Verifying the Fabric Connectivity	33
Connect Devices to the Switch	35
Verifying Device Connectivity	35
Backing up Switch Configuration Information	37
Making a Hard Copy of Switch Information	37
Saving the Switch Configuration File to a Host	37
Table 2: Description of configupload Options	38
Basic Switch Management	39
Switch Enable/Disable Procedures	40
Disabling a Switch	40
Enabling a Switch	40
Disabling a Port	41
Enabling a Port	43
Domain IDs	47
Display a Current List of Domain IDs	47
Setting a Domain ID	48
Firmware Versions	49
Table 3: Switch Series and Applicable Firmware	49
Displaying the Firmware Version and Information	49
Switch Date and Time	51
Setting the Switch Date and Time	51
Synchronize Local Time with an External Source	52
Fabric Configuration Settings	53
Displaying the Fabric Configuration Settings	53
Backing Up the System Configuration Settings	54
Restoring the System Configuration Settings	55
Switch Names	57
Changing a Switch Name	57
Switch Status Policies	58
Viewing the Policy Threshold Values	58
Configuring the Policy Threshold Values	59
Tracking Switch Changes	63
Enabling the Track Changes Feature	63
Displaying Whether Track Changes are Enabled	64
Routing	65
Forcing In-order Delivery of Frames	65
Restoring In-order Delivery of Frames	66
Using Dynamic Load-Sharing	66
Viewing Routing Path Information	67
Help Commands	71
Displaying Help Information for a Command	71
Additional Help Topics	72
Hexadecimal Port Diagrams	73
Reading Hexadecimal Port Diagrams	73
Table 4: Hexidecimal to binary conversions	73
Firmware Download	75
About Firmware Downloads	76
Understanding the Dual-CP Firmware Upgrade Process	76
Non-Disruptive Firmware Activation	77
The Firmware Upgrade Process	78
Upgrading the Firmware on the SAN Switch 2/32	78
Upgrading the Firmware on the Core Switch 2/64	80
Customizing the Firmware Download Process	83
Downloading Firmware to a Single CP on a Core Switch 2/64	84
Upgrading the Firmware Using Web Tools	87
Upgrading the Firmware Using the CLI	88
Frequently Asked Questions	89
Password Migration When Upgrading and Downgrading Firmware	89
Basic Security in FOS	91
Overview	92
New Features	93
Ensuring a Secure Operating System	93
Secure Shell (SSH)	93
Disabling the Telnet Interface	95
Listeners	95
Removal of Unused Listeners	95
Table 5: Removed Listeners for the Core Switch 2/64 and SAN Switch 2/32	95
Passwords	97
About Passwords	97
Table 6: SAN Switch 2/32 Password Accounts	97
Table 7: Core Switch 2/64 Password Accounts	98
Default Fabric and Switch Accessibility	98
Hosts:	98
Devices:	98
Switch Access:	98
Zoning:	99
Managing Passwords	99
Modifying a Password	99
Setting Recovery Passwords	100
About Boot Prom Passwords	100
Setting Both the Boot PROM and the Recovery Passwords (SAN Switch 2/32)	100
Setting Both the Boot PROM and Recovery Passwords (Core Switch 2/64)	101
Setting the Boot PROM Password Only (SAN Switch 2/32)	102
Setting the Boot PROM Password Only (Core Switch 2/64)	104
About Forgotten Passwords	106
Recovering a User, Admin, or Factory Password	106
Recovering a Forgotten Root or Boot PROM Password	106
Frequently Asked Questions	106
Working With the Core Switch 2/64	109
Ports on the Core Switch 2/64	110
Figure 1: Graphic Illustration of Core Switch 2/64	111
About the Slot/Port Method	111
About the Port Area Number Method	112
Determining the Area Number (ID) of a Port	112
Basic Blade Management	115
Disabling a Blade	115
Enabling a Blade	116
Powering On a Blade	116
Powering Off a Blade	116
Core Switch 2/64 Chassis	118
Displaying the Status of All Slots in the Chassis	118
Displaying Information on Switch FRUs	119
Blade Beacon Mode	123
Setting the Blade Beacon Mode	123
The SAN Management Application	125
The Management Server	126
Benefits	126
Configuring Access to the Management Server	128
Displaying the Access Control List	128
Adding a WWN to the Access Control List	128
Deleting a WWN from the Access Control List	130
Displaying the Management Server Database	133
Clearing the Management Server Database	134
Activating the Platform Management Service	135
Deactivating the Platform Management Service	136
Controlling the Topology Discovery	137
Display the Status of MS Topology Discovery Service	137
Enable the MS Topology Discovery Feature	137
Disable the MS Topology Discovery Feature	138
Updating Switches to the Core PID Addressing	139
Overview	140
Figure 2: Switch Update Requirements	141
Determining If You Need to Enable the Core PID	142
Example Scenarios	142
Table 8: Sample Fabric Scenarios	142
About Core PID Addressing	143
About Fibre Channel Addressing	144
Table 9: 16-Port Count Addressing	144
Table 10: Larger Port Count Addressing	144
Recommendations	145
New Fabrics	145
Existing Fabrics	145
About PID Mapping	146
Dynamic PID	146
Static PID	146
Evaluate the Fabric	148
Gathering Information	148
Collect Device, Software, Hardware, and Config Data	148
Make List of Manually Configurable PID Drivers	149
Analyzing Data	149
Performing Empirical Testing	150
Planning the Update Procedure	151
Outline for Online Update Procedure	151
Outline for Offline Update Procedure	152
Hybrid Update	153
Procedures for Updating the Core PID Format	154
Basic Update Procedures	154
Detailed Update Procedures for HP/UX and AIX	155
HP/UX	155
AIX Procedure	158
Frequently Asked Questions	160
Diagnostics and Status	161
Diagnostics Overview	162
Manual Operation	162
Power on Self Test (POST)	162
Diagnostic Command Set	162
Interactive Diagnostic Commands	164
Persistent Error Log	165
Displaying the Error Log Without Page Breaks	166
Displaying the Error Log With Page Breaks	167
Clearing the Switch Error Log	167
Setting the Error Save Level of a Switch	168
Displaying the Current Error Save Level Setting of a Switch	168
Resizing the Persistent Error Log	169
Showing the Current Persistent (Non-Volatile) Error Log Configuration of a Switch	170
Syslog Daemon	171
syslogd Overview	171
syslog Error Message Format	171
Message Classification	172
Syslogd CLI Commands	173
Configuring syslogd	173
Configuring syslogd on the Remote Host	173
Enabling syslogd on the Core Switch 2/64 or SAN Switch 2/32	174
Disabling syslogd on the Core Switch 2/64 or SAN Switch 2/32	175
Switch Diagnostics	176
Displaying the Switch Status	176
Displaying Information About a Switch	176
Displaying the Uptime Of the Switch	180
Port Diagnostics	181
Displaying Software Statistics for a Port	181
Displaying Hardware Statistics for a Port	183
Displaying a Summary of Port Errors	185
Table 11: Error Summary Description	185
Hardware Diagnostics	187
Monitoring the Fan Status	187
Monitoring the Power Supply Status	188
Monitoring the Temperature Status	189
Running Diagnostic Tests on the Switch Hardware	189
Linux Root Capabilities	191
Troubleshooting	193
About Troubleshooting	194
Fibre Channel Process	195
Figure 3: Fibre Channel Process Flow Chart	195
Most Common Problem Areas	196
Table 12: Most Common Problem Areas	196
Table 13: Troubleshooting Tools	196
Gathering Information for Technical Support	198
Specific Scenarios	199
Host Can Not See Target (Storage or Tape Devices)	199
Check the Logical Connection	199
Check Whether the Device is Logically Connected to the Switch	199
Check the Simple Name Server (SNS)	200
Check for the Device in the SNS	200
Check for Zoning Discrepancies	202
Fabric Segmentation	203
Possible Causes	203
About Fabric Parameters	203
Domain ID Conflicts	204
Restore a Segmented Fabric	204
Reconcile Fabric Parameters Individually	204
Restore Fabric Parameters Through ConfigUpload	205
Reconcile a Domain ID Conflict	205
Zoning Setup Issues	206
Zoning Related Commands	206
Table 14: Zoning Related Commands	206
Table 15: Zone Specific Commands	206
Fabric Merge Conflicts Related to Zoning	207
Prevention	207
Table 16: Types of Zone Discrepancies	207
Basic Zone Merge Correction Procedure	207
Detailed Zone Merge Correction Procedure	208
Verify Fabric Merge Problem	208
Edit Zone Config Members	208
Reorder the Zone Member List	209
MQ-WRITE Error	209
I2C bus Errors	210
Possible Causes	210
Troubleshooting the Hardware	210
Check Fan Components	210
Check the Switch Temperature	210
Check the Power Supply	210
Check the Temperature, Fan, and Power Supply	211
Device Login Issues	212
Watchdog (Best Practices)	216
Actions	216
Kernel Software Watchdog Related Errors	217
kSWD-APP_NOT_REFRESH_ERR	217
kSWD-kSWD_GENERIC_ERR_CRITICAL	217
Identifying Media-Related Issues	218
Component Tests Overview	218
Table 17: Component Test Descriptions	218
Check Switch Components	219
Cursory Debugging of Media Components	219
Test Cascaded Switch ISL Links	220
Test a Port’s External Transmit and Receive Path	221
Test a Switches Internal Components	222
Test Components To and From the HBA	222
Check All Switch Components Between Main Board, SFP, and Fiber Cable	223
Check Port’s External Transmit and Receive Path	225
Check all Switch Components of the Port Transmit and Receive Path	227
Additional Component Tests	228
Table 18: Switch Component Tests	228
Link Failure	229
Possible Causes for Link Failure	229
Switch State	229
Table 19: SwitchState and Actions to Take	229
Port’s Physical State	230
Table 20: Port States and Suggested Actions	230
Speed Negotiation Failure	230
Link Initialization Failure (Loop)	231
Point-to-Point Initialization Failure	232
Port Has Come Up in a Wrong Mode	232
Table 21: SwitchShow Output and Suggested Action	232
Marginal Links	234
Confirming the Problem	234
Isolating the Areas	235
Ruling Out Cabling Issues	236
Nx_Port (Host or Storage) Issues	236
Glossary	237
Index	269
A	269
B	269
C	269
D	269
E	269
F	269
L	269
P	269
R	269
S	270
U	270

Match case Limit results 1 per page

Basic Security in FOS

Fabric OS Procedures Version 3.1.x/4.1.x User Guide

New Features

Ensuring a Secure Operating System

Fabric OS v4.1 uses Linux as the operating system in the switch. Therefore,

securing the switch includes securing the underlying operating system as well.

Fabric OS uses the Berkeley r-commands facility to transfer data between control

processors in the Core Switch 2/64 platform. The primary security concern is the

use of the .rhosts file. All hosts listed in the.rhosts file are trusted, meaning they

can log in to the switch without any authentication such as a password. The .rhosts

file on the switch contains the IP address 10.0.0.5 and 10.0.0.6, which are the IP

address of each CP in a Core Switch 2/64 chassis. To prevent the use of these

facilities except from the internal network, an iptables firewall has been

implemented. This firewall isolates the external network from internal network

and does not allow execution of r-commands on the switch from external hosts.

However, if you logged in to a switch of CP as root, you can issue r-commands to

the other CP.

In addition, various proprietary protocols are also used over the internal CP-to-CP

Ethernet. The internal Ethernet interface is considered a "trusted" interface over

which arbitrary communications may occur. To address these security concerns,

the internal Ethernet interfaces were disconnected from the public Ethernet

interfaces.

A packet filter is used to isolate the internal Ethernet interface. The packet filter:

■

Prevents routing of packets to and from internal network.

■

Protects against spoofing of internal network addresses.

■

The packet filter blocks all incoming packets from 10.0.0.0 to 10.0.0.255.

■

Closes network services intended only for the internal network without

changing the source code.

Secure Shell (SSH)

An SSH (Secure Shell) is used to support encrypted telnet sessions to the switch

(DES encryption is not supported). The default out-of-band Telnet mechanism for

managing switches was deemed insecure because the passwords are sent over the

wire in clear text. It is relatively easy for any network-connected system to sniff

and reap these passwords for use in subsequent intrusions. In a complex enterprise

network that aggregates device management into a backbone, it is difficult to