HP 8/20q HP StorageWorks 8/20q Fibre Channel Switch installation and reference - Page 24

24

Fabric security consists of the following:

•

Connection security

, page 24

•

User account security

, page 24

•

Port binding

, page 25

•

Device security

, page 25

Connection security

Connection security provides an encrypted data path for switch management methods. The switch supports

the Secure Shell (SSH) protocol for the command line interface and the Secure Socket Layer (SSL) protocol

for management applications such as QuickTools and SMI-S. Use the CLI to configure SSH and SSL. For

more information about SSH and SSL configuration, see the

HP StorageWorks 8/20q Fibre Channel

Switch command line interface guide

.

The SSL handshake process between the workstation and the switch involves the exchanging of certificates.

These certificates contain the public and private keys that define the encryption. When the SSL service is

enabled, a certificate is automatically created on the switch. The workstation validates the switch certificate

by comparing the workstation date and time to the switch certificate creation date and time. For this

reason, it is important to synchronize the workstation and switch with the same date, time, and time zone.

The switch certificate is valid 24 hours before its creation date and 365 days after its creation date. If the

certificate should become invalid, create a new certificate using the

create certificate

CLI

command. For information about the

create certificate

CLI command, see the

HP StorageWorks

8/20q Fibre Channel Switch command line interface guide

.

NOTE:

Simple SAN Connection Manager version 1.0 does not support the SSL service.

If SSL is enabled,

you will be unable to manage the switch using this version of Simple SAN Connection Manager.

Consider your requirements for connection security: for the command line interface (SSH), management

applications (SSL), or both. If an SSL connection security is required, also consider using the Network Time

Protocol (NTP) to synchronize workstations and switches.

User account security

User account security consists of the administration of account names, passwords, expiration date, and

authority level. If an account has Admin authority, all management tasks can be performed by that account

in the CLI, QuickTools, and Simple SAN Connection Manager. Otherwise only monitoring tasks are

available. The default account name, Admin, is the only account that can create or add account names

and change passwords of other accounts. All users can change their own passwords. Account names and

passwords are always required when connecting to a switch.

Authentication of the user account and password can be performed locally using the switch’s user account

database or it can be done remotely using a RADIUS server such as Microsoft RADIUS. Authenticating user

logins on a RADIUS server requires a secure management connection to the switch. For information about

securing the management connection, see ”

Connection security

” on page 24. A RADIUS server can also

be used to authenticate devices and other switches as described in ”

Device security

” on page 25.

Consider your management needs and determine the number of user accounts, their authority needs, and

expiration dates. Also consider the advantages of centralizing user administration and authentication on a

RADIUS server. Use the CLI to configure RADIUS servers. For more informaton about RADIUS server

configuration, see the

HP StorageWorks 8/20q Fibre Channel Switch command line interface guide

.

NOTE:

If the same user account exists on a switch and its RADIUS server, that user can login with either

password, but the authority and account expiration will always come from the switch database.

HP 8/20q HP StorageWorks 8/20q Fibre Channel Switch installation and reference - Page 24

Connection security, User account security

Page 24 highlights

Section	Page
Contents	3
About this guide	7
Intended audience	7
Related documentation	7
Document conventions and symbols	8
Table 1 Document conventions	8
Rack stability	9
HP technical support	9
Customer self repair	9
Product warranties	9
Subscription service	9
HP web sites	10
Documentation feedback	10
General description	11
Figure 1 8/20q Fibre Channel Switch	11
Switch LEDs and controls	12
Figure 2 Switch LEDs and controls	12
Input power LED (green)	12
Heartbeat LED (green)	12
System fault LED (amber)	12
Maintenance button	13
Resetting a switch	13
Placing the switch in maintenance mode	13
Fibre Channel ports	14
Figure 3 Fibre Channel ports	14
Port LEDs	14
Figure 4 Port LEDs	14
Port Logged-in LED (green)	14
Port Activity LED (green)	14
Transceivers	15
Port types	15
Ethernet port	15
Figure 5 Ethernet port	15
Serial port	16
Figure 6 Serial port and pin identification	16
Table 2 Serial port pin identification	16
Power supply and fans	16
Switch management	17
QuickTools web applet	17
Simple SAN Connection Manager	17
Command line interface	17
Simple Network Management Protocol	17
Storage Management Initiative-Specification (SMI-S)	17
File transfer protocols	17
Planning	19
Devices	19
Device access	19
Table 3 Zoning database limits	20
Performance	20
Distance	20
Bandwidth	20
Latency	21
Table 4 Port-to-port latency	21
Feature licenses	21
Multiple switch fabrics	21
Optimizing device performance	21
Domain ID, principal priority, and domain ID lock	22
Common topologies	22
Switch services	22
Fabric security	23
Connection security	24
User account security	24
Port binding	25
Device security	25
Fabric management	26
Installation	27
Site requirements	27
Management Station and Workstation requirements	27
Table 5 Management station requirements for Simple SAN Connection Manager	27
Table 6 Workstation requirements for QuickTools	28
Switch power requirements	28
Environmental conditions	28
Installing a switch	28
Mount the switch	29
Before you begin	29
Collect the required items	30
Verify the kit contents	30
Table 7 8/20q Fibre Channel Switch rack mount kit hardware	30
Rack the switch	31
Figure 7 Attaching the rails to the switch	31
Figure 8 Installing the rear mounting brackets	31
Figure 9 Installing the switch and rail assembly	31
Figure 10 Fastening the rail to the front of the rack	32
Figure 11 Fastening the rail to the rear mounting bracket	32
Figure 12 Installing the filler panel	32
Install the transceivers	33
Configure the workstation	33
Configuring the workstation IP address for Ethernet connections	33
Configuring the workstation serial port	33
Apply power to the switch	34
Connect the management station or workstation to the switch	35
Figure 13 Management station and workstation cable connections	35
Configure the switch	35
Simple SAN Connection Manager switch configuration	35
QuickTools switch configuration	35
CLI switch configuration	36
Cable devices to the switch	36
Installing firmware	36
Using QuickTools to install firmware	37
Using the CLI to install firmware	37
One-step firmware installation	38
Custom firmware installation	39
Adding a switch to an existing fabric	39
Installing feature license keys	40
Diagnostics and troubleshooting	41
Switch diagnostics	41
Figure 14 Switch LEDs	41
Input power LED is extinguished	41
System fault LED is illuminated	42
Power-On self test diagnostics	42
Heartbeat LED blink patterns	42
Internal firmware failure blink pattern	42
Fatal POST error blink pattern	43
Configuration file system error blink pattern	43
Over-temperature blink pattern	43
Logged-in LED indications	44
Figure 15 Logged-in LED	44
E_Port isolation	44
Excessive port errors	45
Recovering a switch using maintenance mode	46
Exiting the maintenance menu (option 0)	47
Unpacking a firmware image file in maintenance mode (option 1)	47
Resetting the network configuration in maintenance mode (option 2)	47
Resetting user accounts in maintenance mode (option 3)	47
Copying log files in maintenance mode (option 4)	48
Removing the switch configuration in maintenance mode (option 5)	48
Remaking the file system in maintenance mode (option 6)	48
Resetting the switch in maintenance mode (option 7)	48
Updating the boot loader in maintenance mode (option 8)	48
Regulatory compliance and safety	49
Regulatory compliance	49
Federal Communications Commission notice for Class A equipment	49
Cables	49
Laser device	49
Laser safety warning	49
Certification and classification information	50
Laser product label	50
Figure 16 Class 1 laser product label	50
International notices and statements	50
Canadian notice (avis Canadien)	50
European Union regulatory notice	51
Japanese notice	51
Korean notice	51
Taiwan notice	51
Electrostatic discharge	53
How to prevent electrostatic discharge	53
Grounding methods	53
Technical specifications	55
General specifications	55
Table 8 General specifications	55
Maintainability features	56
Table 9 Maintainability features	56
Fabric management specifications	57
Table 10 Fabric management specifications	57
Weight and physical dimensions	57
Table 11 Switch physical dimensions	57
Electrical specifications	57
Table 12 Electrical specifications	57
Environmental requirements	58
Table 13 Environmental requirements	58
Factory configuration defaults	59
Factory switch configuration	59
Table 14 Switch configuration defaults	59
Factory port configuration	60
Table 15 Port configuration defaults	60
Factory port threshold alarm configuration	61
Table 16 Port threshold alarm configuration defaults	61
Factory zoning configuration	61
Table 17 Zoning configuration defaults	61
Factory SNMP configuration	62
Table 18 SNMP configuration defaults	62
Factory switch services configuration	62
Table 19 Services configuration defaults	62
Factory system configuration	63
Table 20 System configuration defaults	63
Factory RADIUS configuration	63
Table 21 RADIUS configuration defaults	63
Factory security configuration	64
Table 22 Security configuration defaults	64
Factory Call Home configuration	64
Table 23 Call Home service configuration defaults	64
Glossary	65
Index	69
Numerics	69
A	69
B	69
C	69
D	69
E	69
F	69
G	70
H	70
I	70
L	70
M	70
N	70
O	70
P	70
Q	70
R	71
S	71
T	71
U	71
V	71
W	71