Home » HP Manuals » Storage Devices » HP StorageWorks MSA 2/8 » Manual Viewer

HP StorageWorks MSA 2/8 HP StorageWorks Secure Fabric OS V1.0 User Guide (AA-R - Page 107

Adding, Switches and, Merging Secure, Fabrics, Verifying Installation of the Digital, Certificates

View all HP StorageWorks MSA 2/8 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 107 highlights

Managing Secure Fabric OS Table 18: Recovery Processes (Continued) Symptom A device listed in the DCC policy cannot be accessed. A policy that has been created is not listed by secpolicyshow command. One or more switches are segmented from the fabric. Note: For instructions on rejoining fabrics, see the instructions under "Adding Switches and Merging Secure Fabrics" on page 101. Likely Problem Port may be disabled. The new policy was not saved or activated. Incorrect policy name used. SCC_POLICY is excluding the segmented switches. Management Server services on the segmented switches are inconsistent with rest of fabric. The segmented switches are missing PKI objects. ISLs to the segmented switches are interrupted or a port failure occurred. FCS policies on the segmented switches are not identical to the FCS policy of the fabric. Recommended Actions Enter the switchshow command. If the port in question is disabled, enter the portenable command. Save or activate the policy changes by entering the secpolicysave or secpolicyactivate command. Verify the correct policy name was used. Policy names are case-sensitive and must be entered all uppercase. Use the secpolicyadd command on the Primary FCS switch to add the switches to the SCC_POLICY. Make the Management Server services consistent across all switches in the fabric by enabling or disabling the same services. Determine the status of the PKI objects by following the procedure under "Verifying Installation of the Digital Certificates" on page 38. If any objects are missing, replace as described under "Re-creating PKI Objects If Required" on page 39. Check the hardware connections and the port status for all ISLs between the segmented switches and the fabric. If one or more switches are segmented without any FCS switches, enter the secmodeenable command on a segmented switch and specify an FCS policy that is identical to the FCS policy of the rest of the fabric. The segmented switch or group of switches are automatically fastbooted. If one or more switches are segmented with a Primary FCS switch, modify the FCS policy as required until it is identical to the FCS policy in the rest of the fabric. Secure Fabric OS Version 1.0 User Guide 107

Section	Page
Contents	3
About this Guide	7
Overview	8
Intended Audience	8
Related Documentation	8
Conventions	9
Document Conventions	9
Table 1: Document Conventions	9
Text Symbols	9
Getting Help	11
HP Technical Support	11
HP Storage Website	11
HP Authorized Reseller	11
Introducing Secure Fabric OS	13
Security of Management Channels	14
Secure Shell	14
Sectelnet	15
Telnet	15
Switch-to-Switch Authentication Using PKI	16
Fabric Configuration Server Switches	17
Fabric Management Policy Set	19
Available Secure Fabric OS Policies	19
Adding Secure Fabric OS to the Fabric	21
Adding Secure Fabric OS to the Fabric	22
Identifying the Current Version of Fabric OS	23
Adding Secure Fabric OS to Switches Shipped with Fabric OS v3.1.x or v4.1.x	24
Customizing the Account Passwords	24
Verifying or Activating the Secure Fabric OS and Zoning Licenses	25
Adding Secure Fabric OS to Switches that Require Upgrading	27
Upgrading to a Compatible Version of Fabric OS	28
Customizing the Account Passwords	29
Verifying or Activating the Secure Fabric OS and Zoning Licenses	30
Installing the PKICERT Utility	30
Using the PKICERT Utility to Obtain the CSR File	31
Obtaining the Digital Certificate File	34
Distributing Digital Certificates to the Switches	35
Verifying Installation of the Digital Certificates	38
Re-creating PKI Objects If Required	39
Adding Secure Fabric OS to a Core Switch 2/64	41
Installing a Supported CLI Client on a Computer Workstation	45
Creating Secure Fabric OS Policies	47
Default Fabric and Switch Accessibility	48
Enabling Secure Mode	49
Modifying the FCS Policy	54
Table 2: FCS Policy States	54
Changing the Position of a Switch Within the FCS Policy	55
Failing over the Primary FCS Switch	56
Creating Secure Fabric OS Policies Other Than the FCS Policy	58
Table 3: Valid Methods for Specifying Policy Members	59
Creating a MAC Policy	59
Creating an SNMP Policy	60
Table 4: Read and Write Behaviors of SNMP Policies (Continued)	60
Telnet Policy	62
Table 5: Telnet Policy States	63
HTTP Policy	64
Table 6: HTTP Policy States	64
API Policy	65
Table 7: API Policy States	65
Management Server Policy	66
Table 8: Management Server Policy States	66
Serial Port Policy	67
Table 9: Serial Port Policy States	67
Front Panel Policy	68
Table 10: Front Panel Policy States	69
Creating an Options Policy	70
Table 11: Options Policy States	70
Creating a DCC Policy	71
Table 12: DCC Policy States	72
Creating an SCC Policy	74
Table 13: SCC Policy States	74
Managing Secure Fabric OS Policies	76
Saving Changes to Secure Fabric OS Policies	77
Activating Changes to Secure Fabric OS Policies	77
Adding a Member to an Existing Policy	78
Removing a Member from a Policy	79
Deleting a Policy	80
Aborting All Uncommitted Changes	80
Aborting a Secure Fabric OS Transaction	81
Managing Secure Fabric OS	83
Viewing Secure Fabric OS-Related Information	84
Displaying General Secure Fabric OS Information About a Fabric	84
Viewing the Secure Fabric OS Policy Database	85
Displaying Individual Secure Fabric OS Policies	86
Displaying Status of Secure Mode	88
Table 14: Secure Mode Information	88
Displaying and Resetting Secure Fabric OS Statistics	90
Table 15: Secure Fabric OS Statistics (Continued)	90
Displaying Secure Fabric OS Statistics	91
Resetting Secure Fabric OS Statistics	92
Managing Passwords	94
Table 16: Login Account Behavior with Secure Mode Disabled and Enabled	95
Modifying Passwords in Secure Mode	96
Modifying the FCS Switch Passwords or the Fabric-wide User Password	96
Modifying the Non-FCS Switch Admin Password	97
Using Temporary Passwords	97
Creating a Temporary Password for a Switch	98
Removing a Temporary Password from a Switch	99
Resetting the Version Number and Time Stamp	100
Adding Switches and Merging Secure Fabrics	101
Table 17: Moving Switches Between Fabrics	102
Troubleshooting	106
Table 18: Recovery Processes (Continued)	106
Frequently Asked Questions	108
General	108
Management Access	109
Digital Certificates and PKI Objects	110
Merging Fabrics	111
Passwords	111
Secure Fabric OS Commands and Secure Mode Restrictions	113
Secure Fabric OS Commands	114
Table 19: Secure Fabric OS Commands	114
Command Restrictions in Secure Mode	117
Secure Fabric OS Commands	117
Table 20: Secure Fabric OS Commands Executable on Specific Switches When Secure Mode Is Enabled	117
Zoning Commands	118
Table 21: Zoning Commands Executable on the Primary FCS Switch	118
Miscellaneous Commands	119
Table 22: Miscellaneous Commands Executable on Specific Switches	119
Removing Secure Fabric OS Capability	121
Preparing the Fabric for Removal of Secure Fabric OS Policies	122
Disabling Secure Mode	123
Deactivating the Secure Fabric OS License on Each Switch	125
Uninstalling Related Items from the Host	126

Match case Limit results 1 per page

Managing Secure Fabric OS

107

Secure Fabric OS Version 1.0 User Guide

A device listed in

the DCC policy

cannot be accessed.

Port may be

disabled.

Enter the

switchshow

command. If the port in

question is disabled, enter the

portenable

command.

A policy that has

been created is not

listed by

secpolicyshow

command.

The new policy

was not saved or

activated.

Save or activate the policy changes by entering the

secpolicysave

secpolicyactivate

command.

Incorrect policy

name used.

Verify the correct policy name was used. Policy names are

case-sensitive and must be entered all uppercase.

One or more

switches are

segmented from the

fabric.

Note:

For

instructions on

rejoining fabrics,

see the instructions

under “

Adding

Switches and

Merging Secure

Fabrics

” on

page 101.

SCC_POLICY is

excluding the

segmented

switches.

Use the

secpolicyadd

command on the Primary FCS

switch to add the switches to the SCC_POLICY.

Management

Server services

on the segmented

switches are

inconsistent with

rest of fabric.

Make the Management Server services consistent across

all switches in the fabric by enabling or disabling the

same services.

The segmented

switches are

missing PKI

objects.

Determine the status of the PKI objects by following the

procedure under “

Verifying Installation of the Digital

Certificates

” on page 38. If any objects are missing,

replace as described under “

Re-creating PKI Objects If

Required

” on page 39.

ISLs to the

segmented

switches are

interrupted or a

port failure

occurred.

Check the hardware connections and the port status for all

ISLs between the segmented switches and the fabric.

FCS policies on

the segmented

switches are not

identical to the

FCS policy of the

fabric.

If one or more switches are segmented without any FCS

switches, enter the

secmodeenable

command on a

segmented switch and specify an FCS policy that is

identical to the FCS policy of the rest of the fabric. The

segmented switch or group of switches are automatically

fastbooted.

If one or more switches are segmented with a Primary FCS

switch, modify the FCS policy as required until it is

identical to the FCS policy in the rest of the fabric.

Table 18:

Recovery Processes (Continued)

Symptom

Likely Problem

Recommended Actions