HP AE370A HP StorageWorks Fabric OS 6.2 administrator guide (5697-0016, May 20 - Page 130
configured to accept FCAP protocol in authentication. To use FCAP on both switches, PKI certificates have to be installed.

NOTE: The fabric authentication feature is available in base Fabric OS. No license is required.

You can configure a switch with Fabric OS 5.3.0 or later to use DH-CHAP for device authentication. Use the authUtil command to configure the authentication parameters used by the switch.

When you configure DH-CHAP authentication, you also must define a pair of shared secrets known to both switches as a secret key pair. A secret key pair consists of a local secret and a peer secret. The local secret uniquely identifies the local switch. The peer secret uniquely identifies the entity to which the local switch authenticates. Every switch can share a secret key pair with any other switch or host in a fabric. Figure 4 on page 128 illustrates how the secrets are configured.

To use DH-CHAP authentication, a secret key pair has to be configured on both switches. You can use the authUtil --set -a command to set the authentication protocol, and verify the setting with the authUtil --show command.

NOTE: The standards-compliant DH-CHAP and FCAP authentication protocols are not compatible with the SLAP protocol, which was the only protocol supported in the earlier Fabric OS releases 4.2, 4.1, 3.1, and 2.6.x. The Fabric OS 6.2.0 switch-to-switch authentication implementation is fully backward compatible with 3.2.0, 4.2.0, 4.4.0, 5.0.0, 5.1.0, 5.2.0, and 5.3.0.

Use secAuthSecret to set a shared secret on the switch. Once configured, the secret key pair is used for authentication. Authentication occurs whenever there is a state change for the switch or port due to a switch reboot, a switch or port disable and enable, or the activation of a policy.
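To make the local/peer secret pairing concrete, here is an added example (not code from the guide or from Fabric OS) that models each switch's key database and runs a simplified mutual DH-CHAP exchange between two switches. The WWNs, secrets and the small Diffie-Hellman group are constructed for illustration and are not FC-SP values; the point is that each side proves its own local secret and checks the other side against the peer secret it stores for that WWN.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Toy Diffie-Hellman group, constructed for illustration only (not an FC-SP DH group).
P = 2**127 - 1
G = 5


@dataclass
class Switch:
    """Key database of one fabric element: its local secret plus one peer secret per WWN."""
    wwn: str
    local_secret: bytes
    peer_secrets: dict = field(default_factory=dict)  # peer WWN -> peer secret


def chap_response(secret: bytes, challenge: bytes, dh_shared: int) -> bytes:
    # Simplified DH-CHAP response: keyed hash over the challenge and the DH shared value,
    # so a captured response is useless once a fresh challenge or DH value is used.
    return hmac.new(secret, challenge + dh_shared.to_bytes(16, "big"), hashlib.sha256).digest()


def dh_chap_mutual(initiator: Switch, responder: Switch) -> tuple:
    """Run a simplified mutual DH-CHAP exchange on one link.

    Returns (initiator_accepts_responder, responder_accepts_initiator).
    A real implementation aborts after the first failed check; both results are
    returned here so that a misconfigured key database is easy to see.
    """
    # Challenge: responder sends a nonce and its DH public value.
    y = secrets.randbelow(P - 2) + 1
    challenge_r, pub_r = secrets.token_bytes(16), pow(G, y, P)
    # Reply: initiator derives the shared value, proves its LOCAL secret,
    # and sends its own challenge plus DH public value for the mutual step.
    x = secrets.randbelow(P - 2) + 1
    shared_i = pow(pub_r, x, P)
    reply = chap_response(initiator.local_secret, challenge_r, shared_i)
    challenge_i, pub_i = secrets.token_bytes(16), pow(G, x, P)
    # Responder checks the reply against the PEER secret it stores for the initiator's WWN.
    shared_r = pow(pub_i, y, P)
    expected_r = chap_response(responder.peer_secrets.get(initiator.wwn, b""), challenge_r, shared_r)
    responder_ok = hmac.compare_digest(reply, expected_r)
    # Success: responder proves its LOCAL secret; initiator checks it against the
    # PEER secret it stores for the responder's WWN.
    proof = chap_response(responder.local_secret, challenge_i, shared_r)
    expected_i = chap_response(initiator.peer_secrets.get(responder.wwn, b""), challenge_i, shared_i)
    initiator_ok = hmac.compare_digest(proof, expected_i)
    return initiator_ok, responder_ok
```

A pair succeeds only when Switch A's peer secret for B equals B's local secret and B's peer secret for A equals A's local secret; a switch with no entry for the other WWN fails in both directions.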
Figure 4 DH-CHAP authentication (figure: the key database on Switch A holds Local secret A and Peer secret B; the key database on Switch B holds Local secret B and Peer secret A)

If you use DH-CHAP authentication, a secret key pair must be installed only in connected fabric elements. However, as connections are changed, new secret key pairs must be installed between newly connected elements. Alternatively, a secret key pair for all possible connections may be installed initially, enabling links to be changed arbitrarily while still maintaining a valid secret key pair for any new connection.

The switch authentication (AUTH) policy initiates DH-CHAP/FCAP authentication on all E_Ports. This policy is persistent across reboots, which means authentication will be initiated automatically on ports or switches brought online if the policy is set to activate authentication. The AUTH policy is distributed using the distribute command; automatic distribution of the AUTH policy is not supported.

The default configuration directs the switch to attempt FCAP authentication first and DH-CHAP second. The switch may be configured to negotiate FCAP, DH-CHAP, or both. The DH group is used in the DH-CHAP protocol only. The FCAP protocol exchanges the DH group information but does not use it.

128 Configuring advanced security features