Home » HP Manuals » Storage Devices » HP StorageWorks MSA 2/8 » Manual Viewer

HP StorageWorks MSA 2/8 HP StorageWorks Secure Fabric OS V1.0 User Guide (AA-R - Page 76

Managing Secure Fabric OS Policies, the Active Security Policy Set.

View all HP StorageWorks MSA 2/8 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 76 highlights

Creating Secure Fabric OS Policies Managing Secure Fabric OS Policies All Secure Fabric OS transactions can be performed through the Primary FCS switch only, except for sectransabort, secfcsfailover, secstatsreset, and secstatsshow. You can create multiple sessions to the Primary FCS switch, from one or more hosts. However, the software allows only one Secure Fabric OS transaction at a time. If a second Secure Fabric OS transaction is started, it fails. The only secondary transaction that can succeed is the sectransabort command. All policy modifications are saved only in volatile memory until you save or activate the changes. You can perform the following functions on existing Secure Fabric OS policies: ■ Saving Changes to Secure Fabric OS Policies, page 77 Save changes to flash memory without actually implementing the changes within the fabric. This saved but inactive information is known as the Defined Security Policy Set. ■ Activating Changes to Secure Fabric OS Policies, page 77 Simultaneously save and implement all the policy changes you have made since the last time you activated changes. The activated policies are known as the Active Security Policy Set. ■ Adding a Member to an Existing Policy, page 78 Add one or more members to a policy. Once the policy has at least one member, that aspect of the fabric becomes closed to access by all devices/switches that are not listed in that policy. ■ Removing a Member from a Policy, page 79 Remove one or more members from a policy. If you remove all the members from a policy, that aspect of the fabric becomes closed to all access. You cannot remove the last member from the FCS_POLICY, because a Primary FCS switch must be designated. ■ Deleting a Policy, page 80 Delete an entire policy. However, keep in mind that doing so opens up that aspect of the fabric to all access. ■ Aborting All Uncommitted Changes, page 80 Abort all the changes to the Secure Fabric OS policies since the last time changes were saved or activated. 76 Secure Fabric OS Version 1.0 User Guide

Section	Page
Contents	3
About this Guide	7
Overview	8
Intended Audience	8
Related Documentation	8
Conventions	9
Document Conventions	9
Table 1: Document Conventions	9
Text Symbols	9
Getting Help	11
HP Technical Support	11
HP Storage Website	11
HP Authorized Reseller	11
Introducing Secure Fabric OS	13
Security of Management Channels	14
Secure Shell	14
Sectelnet	15
Telnet	15
Switch-to-Switch Authentication Using PKI	16
Fabric Configuration Server Switches	17
Fabric Management Policy Set	19
Available Secure Fabric OS Policies	19
Adding Secure Fabric OS to the Fabric	21
Adding Secure Fabric OS to the Fabric	22
Identifying the Current Version of Fabric OS	23
Adding Secure Fabric OS to Switches Shipped with Fabric OS v3.1.x or v4.1.x	24
Customizing the Account Passwords	24
Verifying or Activating the Secure Fabric OS and Zoning Licenses	25
Adding Secure Fabric OS to Switches that Require Upgrading	27
Upgrading to a Compatible Version of Fabric OS	28
Customizing the Account Passwords	29
Verifying or Activating the Secure Fabric OS and Zoning Licenses	30
Installing the PKICERT Utility	30
Using the PKICERT Utility to Obtain the CSR File	31
Obtaining the Digital Certificate File	34
Distributing Digital Certificates to the Switches	35
Verifying Installation of the Digital Certificates	38
Re-creating PKI Objects If Required	39
Adding Secure Fabric OS to a Core Switch 2/64	41
Installing a Supported CLI Client on a Computer Workstation	45
Creating Secure Fabric OS Policies	47
Default Fabric and Switch Accessibility	48
Enabling Secure Mode	49
Modifying the FCS Policy	54
Table 2: FCS Policy States	54
Changing the Position of a Switch Within the FCS Policy	55
Failing over the Primary FCS Switch	56
Creating Secure Fabric OS Policies Other Than the FCS Policy	58
Table 3: Valid Methods for Specifying Policy Members	59
Creating a MAC Policy	59
Creating an SNMP Policy	60
Table 4: Read and Write Behaviors of SNMP Policies (Continued)	60
Telnet Policy	62
Table 5: Telnet Policy States	63
HTTP Policy	64
Table 6: HTTP Policy States	64
API Policy	65
Table 7: API Policy States	65
Management Server Policy	66
Table 8: Management Server Policy States	66
Serial Port Policy	67
Table 9: Serial Port Policy States	67
Front Panel Policy	68
Table 10: Front Panel Policy States	69
Creating an Options Policy	70
Table 11: Options Policy States	70
Creating a DCC Policy	71
Table 12: DCC Policy States	72
Creating an SCC Policy	74
Table 13: SCC Policy States	74
Managing Secure Fabric OS Policies	76
Saving Changes to Secure Fabric OS Policies	77
Activating Changes to Secure Fabric OS Policies	77
Adding a Member to an Existing Policy	78
Removing a Member from a Policy	79
Deleting a Policy	80
Aborting All Uncommitted Changes	80
Aborting a Secure Fabric OS Transaction	81
Managing Secure Fabric OS	83
Viewing Secure Fabric OS-Related Information	84
Displaying General Secure Fabric OS Information About a Fabric	84
Viewing the Secure Fabric OS Policy Database	85
Displaying Individual Secure Fabric OS Policies	86
Displaying Status of Secure Mode	88
Table 14: Secure Mode Information	88
Displaying and Resetting Secure Fabric OS Statistics	90
Table 15: Secure Fabric OS Statistics (Continued)	90
Displaying Secure Fabric OS Statistics	91
Resetting Secure Fabric OS Statistics	92
Managing Passwords	94
Table 16: Login Account Behavior with Secure Mode Disabled and Enabled	95
Modifying Passwords in Secure Mode	96
Modifying the FCS Switch Passwords or the Fabric-wide User Password	96
Modifying the Non-FCS Switch Admin Password	97
Using Temporary Passwords	97
Creating a Temporary Password for a Switch	98
Removing a Temporary Password from a Switch	99
Resetting the Version Number and Time Stamp	100
Adding Switches and Merging Secure Fabrics	101
Table 17: Moving Switches Between Fabrics	102
Troubleshooting	106
Table 18: Recovery Processes (Continued)	106
Frequently Asked Questions	108
General	108
Management Access	109
Digital Certificates and PKI Objects	110
Merging Fabrics	111
Passwords	111
Secure Fabric OS Commands and Secure Mode Restrictions	113
Secure Fabric OS Commands	114
Table 19: Secure Fabric OS Commands	114
Command Restrictions in Secure Mode	117
Secure Fabric OS Commands	117
Table 20: Secure Fabric OS Commands Executable on Specific Switches When Secure Mode Is Enabled	117
Zoning Commands	118
Table 21: Zoning Commands Executable on the Primary FCS Switch	118
Miscellaneous Commands	119
Table 22: Miscellaneous Commands Executable on Specific Switches	119
Removing Secure Fabric OS Capability	121
Preparing the Fabric for Removal of Secure Fabric OS Policies	122
Disabling Secure Mode	123
Deactivating the Secure Fabric OS License on Each Switch	125
Uninstalling Related Items from the Host	126

Match case Limit results 1 per page

Creating Secure Fabric OS Policies

Secure Fabric OS Version 1.0 User Guide

Managing Secure Fabric OS Policies

All Secure Fabric OS transactions can be performed through the Primary FCS

switch only, except for

sectransabort

secfcsfailover

secstatsreset

, and

secstatsshow

You can create multiple sessions to the Primary FCS switch, from one or more

hosts. However, the software allows only one Secure Fabric OS transaction at a

time. If a second Secure Fabric OS transaction is started, it fails. The only

secondary transaction that can succeed is the

sectransabort

command.

All policy modifications are saved only in volatile memory until you save or

activate the changes.

You can perform the following functions on existing Secure Fabric OS policies:

■

Saving Changes to Secure Fabric OS Policies

, page 77

Save changes to flash memory without actually implementing the changes

within the fabric. This saved but inactive information is known as the Defined

Security Policy Set.

■

Activating Changes to Secure Fabric OS Policies

, page 77

Simultaneously save and implement all the policy changes you have made

since the last time you activated changes. The activated policies are known as

the Active Security Policy Set.

■

Adding a Member to an Existing Policy

, page 78

Add one or more members to a policy. Once the policy has at least one

member, that aspect of the fabric becomes closed to access by all

devices/switches that are not listed in that policy.

■

Removing a Member from a Policy

, page 79

Remove one or more members from a policy. If you remove all the members

from a policy, that aspect of the fabric becomes closed to all access.

You cannot remove the last member from the FCS_POLICY, because a

Primary FCS switch must be designated.

■

Deleting a Policy

, page 80

Delete an entire policy. However, keep in mind that doing so opens up that

aspect of the fabric to all access.

■

Aborting All Uncommitted Changes

, page 80

Abort all the changes to the Secure Fabric OS policies since the last time

changes were saved or activated.