HP 8/20q HP StorageWorks 8/20q Fibre Channel Switch installation and reference - Page 24
Connection security, User account security
View all HP 8/20q manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 24 highlights
Fabric security consists of the following: • Connection security, page 24 • User account security, page 24 • Port binding, page 25 • Device security, page 25 Connection security Connection security provides an encrypted data path for switch management methods. The switch supports the Secure Shell (SSH) protocol for the command line interface and the Secure Socket Layer (SSL) protocol for management applications such as QuickTools and SMI-S. Use the CLI to configure SSH and SSL. For more information about SSH and SSL configuration, see the HP StorageWorks 8/20q Fibre Channel Switch command line interface guide. The SSL handshake process between the workstation and the switch involves the exchanging of certificates. These certificates contain the public and private keys that define the encryption. When the SSL service is enabled, a certificate is automatically created on the switch. The workstation validates the switch certificate by comparing the workstation date and time to the switch certificate creation date and time. For this reason, it is important to synchronize the workstation and switch with the same date, time, and time zone. The switch certificate is valid 24 hours before its creation date and 365 days after its creation date. If the certificate should become invalid, create a new certificate using the create certificate CLI command. For information about the create certificate CLI command, see the HP StorageWorks 8/20q Fibre Channel Switch command line interface guide. NOTE: Simple SAN Connection Manager version 1.0 does not support the SSL service. If SSL is enabled, you will be unable to manage the switch using this version of Simple SAN Connection Manager. Consider your requirements for connection security: for the command line interface (SSH), management applications (SSL), or both. If an SSL connection security is required, also consider using the Network Time Protocol (NTP) to synchronize workstations and switches. User account security User account security consists of the administration of account names, passwords, expiration date, and authority level. If an account has Admin authority, all management tasks can be performed by that account in the CLI, QuickTools, and Simple SAN Connection Manager. Otherwise only monitoring tasks are available. The default account name, Admin, is the only account that can create or add account names and change passwords of other accounts. All users can change their own passwords. Account names and passwords are always required when connecting to a switch. Authentication of the user account and password can be performed locally using the switch's user account database or it can be done remotely using a RADIUS server such as Microsoft RADIUS. Authenticating user logins on a RADIUS server requires a secure management connection to the switch. For information about securing the management connection, see "Connection security" on page 24. A RADIUS server can also be used to authenticate devices and other switches as described in "Device security" on page 25. Consider your management needs and determine the number of user accounts, their authority needs, and expiration dates. Also consider the advantages of centralizing user administration and authentication on a RADIUS server. Use the CLI to configure RADIUS servers. For more informaton about RADIUS server configuration, see the HP StorageWorks 8/20q Fibre Channel Switch command line interface guide. NOTE: If the same user account exists on a switch and its RADIUS server, that user can login with either password, but the authority and account expiration will always come from the switch database. 24