Home » HP Manuals » Storage Devices » HP StorageWorks MSA 2/8 » Manual Viewer

HP StorageWorks MSA 2/8 HP StorageWorks Secure Fabric OS V1.0 User Guide (AA-R - Page 14

Security of Management Channels, Secure Shell

View all HP StorageWorks MSA 2/8 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 14 highlights

Introducing Secure Fabric OS Security of Management Channels You can use Secure Fabric OS to increase the security of the local and remote management channels, including Fabric Manager, Web Tools, standard SNMP applications, Management Server, and a supported command line interface (CLI) client such as sectelnet. You can specify the access allowed through a channel by customizing the Secure Fabric OS policy for that channel. Secure Fabric OS policies are available for telnet (includes sectelnet and Secure Shell), SNMP, Management Server, HTTP, and Application Programing Interface (API). Fabric Manager and Web Tools both use HTTP and API to access the switch. Once a digital certificate is installed on the switch, Fabric OS v2.6.1, v3.1.x, and v4.1.x all encrypt sectelnet, API, and HTTP passwords automatically, regardless of whether Secure Fabric OS is enabled. Note: The "Telnet" button in Web Tools can be used to launch telnet only (not sectelnet or Secure Shell), and is disabled when Secure Mode is enabled. Secure Shell Fabric OS v4.1.x supports Secure Shell (SSH), which is a fully encrypted protocol for CLI. Use of SSH requires installation of a SSH client on the host computer. It does not require a digital certificate on the switch. SSH access is configurable by the Telnet policy that is available through Secure Fabric OS. However, Fabric OS v4.1.x supports SSH whether or not Secure Fabric OS is licensed. If you want to restrict CLI access over the network to SSH, disable telnet as described under "Telnet" on page 15. SSH clients are available in the public domain, and can be located by searching on the Internet. Any client that supports Version 2 of the protocol is supported, such as PuTTy or F-Secure. Fabric OS v4.1.x also supports the following ciphers for session encryption and Hash Message Authentication Codes (HMACs)-a hash function based message authentication code: ■ Ciphers: AES128-CBC, 3DES-CBC, Blowfish-CBC, Cast128-CBC, and RC4 ■ HMACs: HMAC-MD5, HMAC-SHA1, HMAC-SHA1-96, HMACMD5-96. 14 Secure Fabric OS Version 1.0 User Guide

Section	Page
Contents	3
About this Guide	7
Overview	8
Intended Audience	8
Related Documentation	8
Conventions	9
Document Conventions	9
Table 1: Document Conventions	9
Text Symbols	9
Getting Help	11
HP Technical Support	11
HP Storage Website	11
HP Authorized Reseller	11
Introducing Secure Fabric OS	13
Security of Management Channels	14
Secure Shell	14
Sectelnet	15
Telnet	15
Switch-to-Switch Authentication Using PKI	16
Fabric Configuration Server Switches	17
Fabric Management Policy Set	19
Available Secure Fabric OS Policies	19
Adding Secure Fabric OS to the Fabric	21
Adding Secure Fabric OS to the Fabric	22
Identifying the Current Version of Fabric OS	23
Adding Secure Fabric OS to Switches Shipped with Fabric OS v3.1.x or v4.1.x	24
Customizing the Account Passwords	24
Verifying or Activating the Secure Fabric OS and Zoning Licenses	25
Adding Secure Fabric OS to Switches that Require Upgrading	27
Upgrading to a Compatible Version of Fabric OS	28
Customizing the Account Passwords	29
Verifying or Activating the Secure Fabric OS and Zoning Licenses	30
Installing the PKICERT Utility	30
Using the PKICERT Utility to Obtain the CSR File	31
Obtaining the Digital Certificate File	34
Distributing Digital Certificates to the Switches	35
Verifying Installation of the Digital Certificates	38
Re-creating PKI Objects If Required	39
Adding Secure Fabric OS to a Core Switch 2/64	41
Installing a Supported CLI Client on a Computer Workstation	45
Creating Secure Fabric OS Policies	47
Default Fabric and Switch Accessibility	48
Enabling Secure Mode	49
Modifying the FCS Policy	54
Table 2: FCS Policy States	54
Changing the Position of a Switch Within the FCS Policy	55
Failing over the Primary FCS Switch	56
Creating Secure Fabric OS Policies Other Than the FCS Policy	58
Table 3: Valid Methods for Specifying Policy Members	59
Creating a MAC Policy	59
Creating an SNMP Policy	60
Table 4: Read and Write Behaviors of SNMP Policies (Continued)	60
Telnet Policy	62
Table 5: Telnet Policy States	63
HTTP Policy	64
Table 6: HTTP Policy States	64
API Policy	65
Table 7: API Policy States	65
Management Server Policy	66
Table 8: Management Server Policy States	66
Serial Port Policy	67
Table 9: Serial Port Policy States	67
Front Panel Policy	68
Table 10: Front Panel Policy States	69
Creating an Options Policy	70
Table 11: Options Policy States	70
Creating a DCC Policy	71
Table 12: DCC Policy States	72
Creating an SCC Policy	74
Table 13: SCC Policy States	74
Managing Secure Fabric OS Policies	76
Saving Changes to Secure Fabric OS Policies	77
Activating Changes to Secure Fabric OS Policies	77
Adding a Member to an Existing Policy	78
Removing a Member from a Policy	79
Deleting a Policy	80
Aborting All Uncommitted Changes	80
Aborting a Secure Fabric OS Transaction	81
Managing Secure Fabric OS	83
Viewing Secure Fabric OS-Related Information	84
Displaying General Secure Fabric OS Information About a Fabric	84
Viewing the Secure Fabric OS Policy Database	85
Displaying Individual Secure Fabric OS Policies	86
Displaying Status of Secure Mode	88
Table 14: Secure Mode Information	88
Displaying and Resetting Secure Fabric OS Statistics	90
Table 15: Secure Fabric OS Statistics (Continued)	90
Displaying Secure Fabric OS Statistics	91
Resetting Secure Fabric OS Statistics	92
Managing Passwords	94
Table 16: Login Account Behavior with Secure Mode Disabled and Enabled	95
Modifying Passwords in Secure Mode	96
Modifying the FCS Switch Passwords or the Fabric-wide User Password	96
Modifying the Non-FCS Switch Admin Password	97
Using Temporary Passwords	97
Creating a Temporary Password for a Switch	98
Removing a Temporary Password from a Switch	99
Resetting the Version Number and Time Stamp	100
Adding Switches and Merging Secure Fabrics	101
Table 17: Moving Switches Between Fabrics	102
Troubleshooting	106
Table 18: Recovery Processes (Continued)	106
Frequently Asked Questions	108
General	108
Management Access	109
Digital Certificates and PKI Objects	110
Merging Fabrics	111
Passwords	111
Secure Fabric OS Commands and Secure Mode Restrictions	113
Secure Fabric OS Commands	114
Table 19: Secure Fabric OS Commands	114
Command Restrictions in Secure Mode	117
Secure Fabric OS Commands	117
Table 20: Secure Fabric OS Commands Executable on Specific Switches When Secure Mode Is Enabled	117
Zoning Commands	118
Table 21: Zoning Commands Executable on the Primary FCS Switch	118
Miscellaneous Commands	119
Table 22: Miscellaneous Commands Executable on Specific Switches	119
Removing Secure Fabric OS Capability	121
Preparing the Fabric for Removal of Secure Fabric OS Policies	122
Disabling Secure Mode	123
Deactivating the Secure Fabric OS License on Each Switch	125
Uninstalling Related Items from the Host	126

Match case Limit results 1 per page

Introducing Secure Fabric OS

Secure Fabric OS Version 1.0 User Guide

Security of Management Channels

You can use Secure Fabric OS to increase the security of the local and remote

management channels, including Fabric Manager, Web Tools, standard SNMP

applications, Management Server, and a supported command line interface (CLI)

client such as sectelnet.

You can specify the access allowed through a channel by customizing the Secure

Fabric OS policy for that channel. Secure Fabric OS policies are available for

telnet (includes sectelnet and Secure Shell), SNMP, Management Server, HTTP,

and Application Programing Interface (API). Fabric Manager and Web Tools both

use HTTP and API to access the switch.

Once a digital certificate is installed on the switch, Fabric OS v2.6.1, v3.1.x, and

v4.1.x all encrypt sectelnet, API, and HTTP passwords automatically, regardless

of whether Secure Fabric OS is enabled.

Note:

The “Telnet” button in Web Tools can be used to launch telnet only (not sectelnet

or Secure Shell), and is disabled when Secure Mode is enabled.

Secure Shell

Fabric OS v4.1.x supports Secure Shell (SSH), which is a fully encrypted protocol

for CLI. Use of SSH requires installation of a SSH client on the host computer. It

does not require a digital certificate on the switch.

SSH access is configurable by the Telnet policy that is available through Secure

Fabric OS. However, Fabric OS v4.1.x supports SSH whether or not Secure Fabric

OS is licensed.

If you want to restrict CLI access over the network to SSH, disable telnet as

described under “

Telnet

” on page 15.

SSH clients are available in the public domain, and can be located by searching on

the Internet. Any client that supports Version 2 of the protocol is supported, such

as PuTTy or F-Secure.

Fabric OS v4.1.x also supports the following ciphers for session encryption and

Hash Message Authentication Codes (HMACs)—a hash function based message

authentication code:

■

Ciphers: AES128-CBC, 3DES-CBC, Blowfish-CBC, Cast128-CBC, and RC4

■

HMACs: HMAC-MD5, HMAC-SHA1, HMAC-SHA1-96, HMACMD5-96.