Home » HP Manuals » Hubs & Switches » HP AE370A » Manual Viewer

HP AE370A HP StorageWorks Fabric OS 6.x administrator guide (5697-7344, March - Page 74

Programs > Administrative Tools > Local Security

UPC - 882780362611

Add to My Manuals
Save this manual to your list of manuals

Page 74 highlights

Each user group should be associated with a specific switch login role. For example, you should configure a user group for root, admin, factory, switchadmin, and user, and then add any users whose logins you want to associate to the appropriate group. • Configuring the server To enable CHAP: 1. From the Windows Start menu, select Programs > Administrative Tools > Local Security Policy to open the Local Security Settings window. 2. In the Local Security Settings window, expand the Account Policies folder and select the Password Policy folder. 3. From the list of policies in the Password Policy folder, right-click Store password using reversible encryption for all users in the domain, and select Security from the pop-up menu. 4. An additional Local Security Settings window appears. Click the Enabled radio button and then click OK. To configure users: 1. From the Windows Start menu, select Programs > Administrative Tools > Computer Management to open the Computer Management window. 2. In the Computer Management window, expand the Local Users and Groups folder and select the Groups folder. 3. Right-click the Groups folder and select New Group from the pop-up menu. 4. In the New Group window, provide a Name and Description for the group and click Add. 5. In the Select Users or Groups window, select the user (who should already have been configured) you want to add to the group and click Add. 6. Repeat this for every user you want to add. When you have completed adding all users, click OK. 7. In the New Group window, verify the users you added in step 4 appear in the Members field; then click Create to create this group. The new groups are created for each login type (admin, switchAdmin, user). To configure the RADIUS server: 1. From the Windows Start menu, select Programs > Administrative Tools > Internet Authentication Service to open the Internet Authentication Service window. 2. In the Internet Authentication Service window, right-click the Clients folder and select New Client from the pop-up menu. A client is the device that uses the RADIUS server; in this case, it is the switch. 3. In the Add Client window, provide the following: Friendly name-The friendly name should be an alias that is easily recognizable as the switch to which you are connecting. Protocol-Select RADIUS as the protocol. 4. In the Add RADIUS Client window, provide the following: Client address (IP or DNS)-Enter the IP address of the switch. Client-Vendor-Select RADIUS Standard. Shared secret-Provide a password. Shared secret is a password used between the client device and server to prevent IP address spoofing by unwanted clients. Keep your shared secret password in a safe place. You will need to enter this password in the switch configuration. After clicking Finish, repeat step 2 through step 4 for all switches on which RADIUS authentication will be used. 5. In the Internet Authentication Service window, right-click the Remote Access Policies folder; then select New Remote Access Policy from the pop-up window. A remote access policy must be created for each login role (Root, Admin, Factory, SwitchAdmin, and User) for which you want to use RADIUS. Apply this policy to the user groups that you already created. 72 Managing user accounts

Section	Page
Contents	3
Supported Fabric OS 6.x HP StorageWorks hardware	19
Table 1 Switch model naming matrix	19
Intended audience	20
Related documentation	20
Document conventions and symbols	20
Table 2 Document conventions	20
Rack stability	21
HP technical support	21
Customer self repair	21
Product warranties	21
Subscription service	22
HP websites	22
Documentation feedback	22
Standard features	23
Overview	23
Using the CLI	23
Connecting to the CLI	24
Using Telnet or SSH session	24
Using a console session on the serial port	25
Changing passwords	25
Table 3 Default administrative account names and passwords	26
Changing default account passwords at login	26
Configuring the Ethernet interface	27
Displaying the network interface settings	27
Setting static Ethernet addresses	28
Configuring DHCP	29
Enabling DHCP	29
Disabling DHCP	29
Setting the date and time	30
Setting time zones	30
Synchronizing local time using NTP	32
Customizing switch names	33
Working with Domain IDs	33
Licensed features	34
Generating a license key	35
Activating a license key	35
Removing a licensed feature	36
Features and required licenses	37
Table 4 License requirements	37
Inter-Chassis Link (ICL) licensing	38
Time-based licenses	39
High Availability considerations	39
Firmware upgrade and downgrade consideration	39
Configupload and Configdownload considerations	39
Expired licenses	39
Ports on Demand (POD) licensing	39
Activating POD	40
Configuring Dynamic Ports on Demand	40
How ports are assigned to licenses	40
Displaying the port license assignment	41
Activating Dynamic Ports on Demand	41
Disabling Dynamic Ports on Demand	42
Managing POD licenses	42
Reserving a license	42
Releasing a port	43
Disabling and enabling switches	44
Disabling and enabling ports	44
Making basic connections	45
Connecting to devices	45
Connecting to other switches	45
Linking through a gateway	45
Checking status	46
Tracking and controlling switch changes	48
Configuring the audit log	50
Auditable event classes	51
Table 5 AuditCfg event class operands	51
Shutting down switches and Directors	53
High Availability of daemon processes	53
Table 6 Daemons that are automatically restarted	54
Managing user accounts	55
Overview	55
Accessing the management channel	55
Table 7 Maximum number of simultaneous sessions	55
Using Role-Based Access Control (RBAC)	56
Table 8 Fabric OS 6.x roles	56
Role permissions	57
Table 9 Permission types	57
Table 10 RBAC permissions matrix	57
Managing the local database user accounts	59
About the default accounts	59
Table 11 Default local user accounts	59
Defining local user accounts	59
Recovering accounts	62
Changing local account passwords	62
Configuring the local user database	63
Distributing the local user database	63
Protecting the local user database from distributions	63
Configuring password policies	64
Setting the password strength policy	64
Setting the password history policy	65
Setting the password expiration policy	65
Upgrade and downgrade considerations	66
Setting the account lockout policy	66
Denial of service implications	67
Authentication model	67
Table 12 Authentication configuration options	68
Creating Fabric OS user accounts	69
Table 13 Syntax for VSA-based account roles	69
Managing Fabric OS users on the RADIUS server	70
Windows 2000 IAS	70
Linux FreeRadius server	71
Table 14 dictionary.brocade file entries	71
RADIUS configuration and Admin Domains	71
Configuring the RADIUS server	72
Linux	72
Windows 2000	73
LDAP configuration and Microsoft’s Active Directory	75
Configuring authentication servers on the switch	77
Enabling and disabling local authentication as backup	80
Boot PROM password	80
Setting the boot PROM password with a recovery string	81
HP StorageWorks 4/8 or 4/16, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocal (MP) Router	81
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director)	82
Setting the boot PROM password without a recovery string	83
HP StorageWorks 4/8 or 4/16, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocal (MP) Router	83
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director)	83
Recovering forgotten passwords	84
Configuring standard security features	85
Secure protocols	85
Table 15 Secure protocol support	85
Table 16 Items needed to deploy secure protocols	85
Table 17 Main security scenarios	86
Ensuring network security	86
Configuring the Telnet protocol	87
Blocking Telnet	87
Unblocking Telnet	87
Blocking listeners	88
Table 18 Blocked listener applications	88
Accessing switches and fabrics	88
Table 19 Access defaults	88
Port configuration	89
Configuring for the SSL protocol	89
Browser and Java support	89
Summary of SSL procedures	90
Table 20 SSL certificate files	90
Choosing a CA	90
Generating a public/private key	90
Generating and storing a CSR	91
Obtaining certificates	91
Installing a switch certificate	92
Activating a switch certificate	92
Configuring the browser	93
Installing a root certificate to the Java plug-in	93
Displaying and deleting certificates	94
Table 21 Commands for displaying and deleting SSL certificates	94
Troubleshooting certificates	94
Table 22 SSL messages and actions	94
Configuring for SNMP	95
Setting the security level	95
Using the snmpConfig command	96
Configuring secure file copy	98
Configuring advanced security features	99
About access control list (ACL) policies	99
How the ACL policies are stored	99
Table 23 Security database size restrictions	99
Identifying policy members	100
Table 24 Valid methods for specifying policy members	100
Configuring ACL policies	100
Displaying ACL policies	101
Configuring an FCS policy	101
Table 25 FCS policy states	101
FCS policy restrictions	102
Table 26 Switch operations	102
Overview of steps to create and manage the FCS policies	103
Modifying the Primary FCS	103
Distributing an FCS policy	104
Table 27 Distribution policy states	105
Configuring a DCC policy	105
Table 28 DCC policy states	105
DCC policy restrictions	105
Creating a DCC policy	106
Examples of creating DCC policies	107
Creating an SCC policy	107
Table 29 SCC policy states	107
Saving changes to ACL policies	108
Activating changes to ACL policies	108
Adding a member to an existing policy	108
Removing a member from an ACL policy	109
Deleting an ACL policy	109
Aborting all uncommitted changes	109
Configuring the authentication policy for fabric elements	109
Figure 1 DH-CHAP authentication	110
E_Port authentication	110
Device authentication policy	112
Auth policy restrictions	112
Supported configurations	112
Selecting authentication protocols	113
Re-authenticating ports	113
Managing secret key pairs	114
Fabric wide distribution of the Auth policy	115
Accept distributions configuration parameter	116
IP Filter policy	116
Creating an IP Filter policy	116
Cloning an IP Filter policy	116
Displaying an IP Filter policy	117
Saving an IP Filter policy	117
Activating an IP Filter policy	117
Deleting an IP Filter policy	118
IP Filter policy rules	118
Table 30 Supported services	118
Table 31 Implicit IP Filter rules	119
Table 32 Default IP policy rules	119
IP Filter policy enforcement	119
Creating IP Filter policy rules	120
Deleting IP Filter policy rules	120
Aborting a switch session transaction	120
IP Filter policy distributions	121
IP Filter policy restrictions	121
Distributing the policy database	121
Table 33 Interaction between fabric-wide consistency policy and distribution settings	122
Configuring the database distribution settings	122
Table 34 Supported policy databases	122
Distributing ACL policies to other switches	123
Table 35 ACL policy database distribution behavior	124
Setting the consistency policy fabric-wide	124
Table 36 Fabric-wide consistency policy settings	124
Notes on joining a switch to the fabric	125
Matching fabric-wide consistency policies	126
Table 37 Merging fabrics with matching fabric-wide consistency policies	126
Non-matching fabric-wide consistency policies	127
Table 38 Examples of strict fabric merges	127
Table 39 Fabric merges with tolerant/absent combinations	127
FIPS support	127
Zeroization functions	128
Table 40 Zeroization behavior	128
Power-up self tests	128
Conditional tests	129
FIPS mode	130
Table 41 FIPS mode restrictions	130
Preparing the switch for FIPS	131
Overview of steps	131
Maintaining configurations	135
Maintaining consistent configuration settings	135
Displaying configuration settings	135
Backing up a configuration	135
Troubleshooting configuration upload	136
Restoring switch information	137
Table 42 CLI commands to display switch configuration information	137
Restoring a configuration	137
Configuration download without disabling a switch	137
Security considerations	139
Troubleshooting configuration download	139
Messages captured in the logs	140
Restoring configurations in a FICON environment	140
Table 43 Backup and restore in a FICON CUP environment	140
Downloading configurations across a fabric	140
Configuration form	141
Table 44 Configuration and connection information	141
Managing administrative domains	143
Figure 2 Fabric with two Admin Domains	144
Figure 3 Filtered fabric views	144
Admin Domain features	145
Requirements for Admin Domains	145
User-defined Administrative Domains	145
System-defined Administrative Domains	145
AD0	146
AD255	146
Figure 4 Fabric with AD0 and AD255	147
Admin Domain access levels	147
Table 45 AD user types	147
Admin Domains and login	148
Admin Domain member types	148
Device members	148
Switch port members	149
Switch members	149
Admin Domains and switch WWN	149
Figure 5 Fabric showing switch and device WWNs	150
Figure 6 Filtered fabric views showing converted switch WWNs	150
Admin Domain compatibility and availability	150
Admin Domains and merging	150
Compatibility	151
Figure 7 Isolated subfabrics	151
Firmware upgrade and downgrade scenarios	151
Managing Admin Domains	151
Understanding the AD transaction model	152
Implementing Admin Domains	152
Creating an Admin Domain	153
Assigning a user to an Admin Domain	154
Activating and deactivating Admin Domains	155
Adding and removing Admin Domain members	156
Renaming an Admin Domain	156
Deleting an Admin Domain	157
Deleting all user-defined Admin Domains	157
Validating an Admin Domain member list	158
Using Admin Domains	158
Using CLI commands in an AD context	158
Table 46 Ports and devices in CLI output	159
Executing a command in a different AD context	159
Displaying an Admin Domain configuration	159
Switching to a different Admin Domain context	160
Performing zone validation	160
Admin Domain interactions	160
Table 47 Admin Domain interaction with Fabric OS features	161
Admin Domains, zones, and zone databases	162
Admin Domains and LSAN zones	162
Configuration upload and download in an AD context	163
Table 48 Configuration upload and download scenarios in an AD context	163
Installing and maintaining firmware	165
About the firmware download process	165
Upgrading and downgrading firmware	166
Effects of firmware changes on accounts and passwords	166
Table 49 Effects of firmware changes on accounts and passwords	166
Considerations for FICON CUP environments	166
Preparing for firmware downloads	167
Checking connected switches	168
Table 50 Recommended firmware	168
Obtaining and decompressing firmware	169
Performing firmwareDownload on switches	169
Overview of the firmware download process on switches	169
HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 MP Router, and firmware download	170
Downloading firmware to a Director	171
Overview of the firmware download process on directors	172
4/256 SAN Director and DC Director firmwareDownload procedure	172
Director restrictions for downgrading	175
firmwaredownload from a USB device	176
FIPS Support	177
Public and private key management	177
The firmwareDownload command	178
Power-on firmware checksum test	179
Testing and restoring firmware on switches	179
Testing and restoring firmware on directors	180
Validating firmwareDownload	183
Troubleshooting firmwareDownload	184
Considerations for downgrading firmware to Fabric OS 5.3.0 or earlier	184
Preinstallation messages	185
Blade troubleshooting tips	191
Configuring Directors	193
Changing a Director’s name	193
Identifying ports	193
Director port numbering schemes	194
Table 51 Port numbering schemes for the 4/256 Director and DC Director	194
By slot and port number	194
By port area ID	194
By index	194
Table 52 Default index/area_ID core PID assignment with no port swap	195
Basic blade management	196
Powering port blades off and on	196
Disabling and enabling port blades	197
FR4-18i blade exceptions	197
FC4-48 and FC8-48 blade exceptions	198
Conserving power	198
Blade terminology and compatibility	199
Table 53 Director terminology and abbreviations	199
CP blades	199
Core blades	200
Port blade compatibility	200
Table 54 Port blades supported by each Director	200
Setting chassis configuration options for the 4/256 Director	200
Table 55 Supported configuration options	200
Table 56 Chassis configuration options	201
Obtaining slot information	201
Routing traffic	203
About data routing and routing policies	203
Specifying the routing policy	203
Assigning a static route	204
Specifying frame order delivery	204
Using dynamic load sharing	205
Viewing routing path information	206
Viewing routing information along a path	208
Using the FC-FC routing service	211
Supported platforms	211
Supported configurations	211
Fibre Channel routing concepts	211
Figure 8 A metaSAN with interfabric links	212
Figure 9 A metaSAN with edge-to-edge and backbone fabrics	213
Figure 10 Edge SANs connected through a backbone fabric	214
Proxy devices	214
Figure 11 MetaSAN with imported devices	215
Routing types	215
Fibre Channel NAT and phantom domains	215
Setting up the FC-FC routing service	216
Performing verification checks	217
Assigning backbone fabric IDs	218
Configuring FCIP tunnels (optional)	219
Configuring FC-FC routing to work with Secure Fabric OS (optional)	219
Configuring DH-CHAP secret	220
Configuring an interfabric link	221
portCfgExport options	223
Configuring the FC router port cost (optional)	226
Using router port cost	227
Upgrade, downgrade, and HA considerations	227
Port cost considerations	228
Setting a proxy PID	228
Matching fabric parameters	228
Configuring EX_Port frame trunking (optional)	229
Supported configurations and platforms	230
High Availability support	230
Backward compatibility support	230
Using EX_Port frame trunking	230
Security considerations	230
Trunking commands	230
Configuring LSANs and zoning	231
Use of administrative domains with LSAN zones and FCR	231
Defining and naming zones	232
LSAN zones and fabric-to-fabric communications	232
LSAN zone binding (optional)	235
Dual backbone configuration	236
Maximum LSAN count	236
Configuring backbone fabrics for interconnectivity	237
HA and downgrade considerations	237
IPFC over FCR	237
Broadcast configuration	238
Monitoring resources	239
Routing ECHO	240
Upgrade and downgrade considerations	241
Interoperability with legacy FCR switches	241
Backward compatibility	242
Table 57 Hardware and firmware compatibility for nonsecure fabrics	242
Front domain consolidation	242
Using front domain consolidation	242
Range of output ports	243
Interoperating with an M-EOS fabric	245
Table 58 Brocade-McDATA M-EOSc interoperability compatibility matrix	245
Table 59 Brocade-McDATA M-EOSn interoperability compatibility matrix	246
McDATA Mi10K interoperability	246
Configuring the fabrics for interconnectivity	247
Connectivity modes	248
Table 60 portCfgExPort -m values	248
Configuring the FC router	248
Figure 12 EFCM SAN status	251
Configuring M-EOS for interconnection	251
Figure 13 SAN Pilot and EFCM Zone screens	252
Figure 14 Adding a zone set name in SAN Pilot	254
LSAN zoning with M-EOS	254
Completing the configuration	255
Migrating from an MP Router to a 400 MP Router	257
Configurations	257
Non-redundant configuration	257
Figure 15 Non-redundant router configuration	257
Figure 16 Configuration during the upgrade	258
Redundant configuration	258
Figure 17 Redundant router configuration	258
Dual backbone configuration	258
Figure 18 Dual backbone fabric configuration	259
Devices directly connected to router	259
Administering FICON fabrics	261
Overview of Fabric OS support for FICON	261
Supported switches	262
Types of FICON configurations	262
Control Unit Port (CUP)	262
FICON commands	263
Table 61 Fabric OS commands related to FICON and FICON CUP	263
User security considerations	264
Configuring switches	264
Preparing a switch	265
Configuring a single switch	265
Configuring a high-integrity fabric	265
Figure 19 Cascaded configuration, two switches	266
Figure 20 Cascaded configuration, three switches	266
Setting a unique Domain ID	266
Displaying information	267
Link incidents	267
Registered listeners	267
Node identification data	267
FRU failures	267
Swapping ports	268
Clearing the FICON management database	268
Using FICON CUP	268
Setup summary	269
Enabling and disabling FICON Management Server mode	269
Setting up CUP when FICON Management Server mode is enabled	270
Displaying the fmsmode setting	270
Displaying mode register bit settings	271
Table 62 FICON CUP mode register bits	271
Setting mode register bits	272
Persistently enabling/disabling ports	272
Port and switch naming standards	273
Adding and removing FICON CUP licenses	273
Zoning and PDCM considerations	273
Zoning and link incident reporting	273
Troubleshooting	274
Identifying ports	274
Backing up and restoring FICON configuration files	275
Recording configuration information	276
Table 63 FICON configuration worksheet	276
Sample IOCP configuration file	277
Administering Extended Fabrics	363
Extended Fabrics licensing	363
Extended Fibre Channel over distance	363
Distance levels for extended Inter-Switch Links (ISLs)	363
Buffer-to-Buffer Credits	363
Table 80 Fibre Channel data frames	364
FC switch port Buffer Credit requirements for long distance calculations	365
Determining how many ports can be configured for long distance	365
Displaying the remaining buffers in a port group	366
Table 81 Switch, port speed, and distance with ASIC and buffers	368
Fabric considerations	369
Long distance link initialization activation	369
Extended Fabrics device limitations	369
Configuring an extended ISL	369
Table 82 Extended ISL modes: B-Series 2Gb Switches (Bloom and Bloom II ASICs)	371
Administering Advanced Zoning	383
About zoning	383
Figure 31 Zoning example	383
Zone types	384
Table 84 Types of zoning	384
Table 85 Approaches to fabric-based zoning	384
Zone objects	385
Zoning schemes	386

Match case Limit results 1 per page

Managing user accounts

Each user group should be associated with a specific switch login role. For example, you should

configure a user group for root, admin, factory, switchadmin, and user, and then add any users whose

logins you want to associate to the appropriate group.

•

Configuring the server

To enable CHAP:

From the Windows Start menu, select

Programs > Administrative Tools > Local Security

Policy

to open the Local Security Settings window.

In the Local Security Settings window, expand the

Account Policies

folder and select the

Password

Policy

folder.

From the list of policies in the Password Policy folder, right-click

Store password using reversible

encryption for all users in the domain

, and select

Security

from the pop-up menu.

An additional Local Security Settings window appears. Click the

Enabled

radio button and then click

To configure users:

From the Windows Start menu, select

Programs > Administrative Tools > Computer

Management

to open the

Computer Management

window.

In the Computer Management window, expand the

Local Users and Groups

folder and select the

Groups

folder.

Right-click the

Groups

folder and select

New Group

from the pop-up menu.

In the New Group window, provide a Name and Description for the group and click

Add

In the Select Users or Groups window, select the user (who should already have been configured) you

want to add to the group and click

Add

Repeat this for every user you want to add. When you have completed adding all users, click

In the New Group window, verify the users you added in

step 4

appear in the Members field; then

click

Create

to create this group.

The new groups are created for each login type (admin, switchAdmin, user).

To configure the RADIUS server:

From the Windows Start menu, select

Programs > Administrative Tools > Internet

Authentication Service

to open the

Internet Authentication Service

window

In the

Internet Authentication Service

window, right-click the

Clients

folder and select

New

Client

from the pop-up menu

A client is the device that uses the RADIUS server; in this case, it is the switch.

In the Add Client window, provide the following:

Friendly name

—The friendly name should be an alias that is easily recognizable as the switch to

which you are connecting.

Protocol

—Select

RADIUS

as the protocol.

In the Add RADIUS Client window, provide the following:

Client address

(IP or DNS)

—Enter the IP address of the switch.

Client-Vendor

—Select

RADIUS Standard

Shared secret

—Provide a password. Shared secret is a password used between the client device

and server to prevent IP address spoofing by unwanted clients. Keep your shared secret password in a

safe place. You will need to enter this password in the switch configuration.

After clicking

Finish

, repeat

step 2

through

step 4

for all switches on which RADIUS authentication will be

used.

In the Internet Authentication Service window, right-click the Remote Access Policies folder; then select

New Remote Access Policy

from the pop-up window.

A remote access policy must be created for each login role (Root, Admin, Factory, SwitchAdmin, and

User) for which you want to use RADIUS. Apply this policy to the user groups that you already created.