Home » HP Manuals » Servers » HP Brocade BladeSystem 4/12 » Manual Viewer

HP Brocade BladeSystem 4/12 HP StorageWorks Fabric OS 6.x administrator guide - Page 131

Preparing the switch for FIPS, Overview of steps, Block Telnet, HTTP, and RPC using

View all HP Brocade BladeSystem 4/12 manuals

Add to My Manuals
Save this manual to your list of manuals

Page 131 highlights

Table 41 FIPS mode restrictions Features FIPS mode Non-FIPS mode DH-CHAP/FCAP hashing algorithms Signed firmware Configupload/ download/ supportsave/ firmwaredownload IPsec Radius auth protocols SHA-1 MD5 and SHA-1 Mandatory firmware signature validation SCP only Optional firmware signature validation FTP and SCP Usage of AES-XCBC, MD5 and DH group 1 No restrictions are blocked PEAP-MSCHAPv2 CHAP, PAP, PEAP-MSCHAPv2 Preparing the switch for FIPS The following functionalities are blocked in FIPS mode. Therefore, it is important to prepare the switch by disabling these functionalities prior to enabling FIPS. • The root account is blocked in FIPS mode. Therefore, all root only functionalities will not be available. • HTTP, Telnet, RPC, SNMP protocols need to be disabled. Once these are blocked, you cannot use these protocols to read or write data from and to the switch • Configdownload and firmwaredownload using an FTP server will be blocked. See Table 41 on page 130 for a complete list of restrictions between FIPS and non-FIPS mode. IMPORTANT: Only roles with SecurityAdmin and Admin can enable FIPS mode. Overview of steps 1. Optional: Configure RADIUS server 2. Optional: Configure authentication protocols 3. Block Telnet, HTTP, and RPC 4. Disable BootProm access 5. Configure the switch for signed firmware 6. Disable root access 7. Enable FIPS To enable FIPS mode: 1. Log in to the switch using an account assigned the admin or securityAdmin role. 2. Optional: If the switch is set for RADIUS, modify each server to use only peap-mschapv2 as the authentication protocol using the aaaconfig --change or aaaconfig --remove command. 3. Optional: Set the authentication protocols a. Type the following command to set the hash type for MD5 which is used in authentication protocols DHCHAP and FCAP: authutil --set -h sha1 b. Set the DH group to 1 or 2 or 3 or 4 using authutil --set -g , where the DH group is represented by . 4. Block Telnet, HTTP, and RPC using the ipfilter policy command. You will need to create an IPFilter policy for each protocol. a. Create an IP Filter rule for each protocol, see "To create an IP Filter policy:" on page 116. Fabric OS 6.x administrator guide 131

Section	Page
Contents	3
Supported Fabric OS 6.x HP StorageWorks hardware	19
Table 1 Switch model naming matrix	19
Intended audience	20
Related documentation	20
Document conventions and symbols	20
Table 2 Document conventions	20
Rack stability	21
HP technical support	21
Customer self repair	21
Product warranties	21
Subscription service	22
HP websites	22
Documentation feedback	22
Standard features	23
Overview	23
Using the CLI	23
Connecting to the CLI	24
Using Telnet or SSH session	24
Using a console session on the serial port	25
Changing passwords	25
Table 3 Default administrative account names and passwords	26
Changing default account passwords at login	26
Configuring the Ethernet interface	27
Displaying the network interface settings	27
Setting static Ethernet addresses	28
Configuring DHCP	29
Enabling DHCP	29
Disabling DHCP	29
Setting the date and time	30
Setting time zones	30
Synchronizing local time using NTP	32
Customizing switch names	33
Working with Domain IDs	33
Licensed features	34
Generating a license key	35
Activating a license key	35
Removing a licensed feature	36
Features and required licenses	37
Table 4 License requirements	37
Inter-Chassis Link (ICL) licensing	38
Time-based licenses	39
High Availability considerations	39
Firmware upgrade and downgrade consideration	39
Configupload and Configdownload considerations	39
Expired licenses	39
Ports on Demand (POD) licensing	39
Activating POD	40
Configuring Dynamic Ports on Demand	40
How ports are assigned to licenses	40
Displaying the port license assignment	41
Activating Dynamic Ports on Demand	41
Disabling Dynamic Ports on Demand	42
Managing POD licenses	42
Reserving a license	42
Releasing a port	43
Disabling and enabling switches	44
Disabling and enabling ports	44
Making basic connections	45
Connecting to devices	45
Connecting to other switches	45
Linking through a gateway	45
Checking status	46
Tracking and controlling switch changes	48
Configuring the audit log	50
Auditable event classes	51
Table 5 AuditCfg event class operands	51
Shutting down switches and Directors	53
High Availability of daemon processes	53
Table 6 Daemons that are automatically restarted	54
Managing user accounts	55
Overview	55
Accessing the management channel	55
Table 7 Maximum number of simultaneous sessions	55
Using Role-Based Access Control (RBAC)	56
Table 8 Fabric OS 6.x roles	56
Role permissions	57
Table 9 Permission types	57
Table 10 RBAC permissions matrix	57
Managing the local database user accounts	59
About the default accounts	59
Table 11 Default local user accounts	59
Defining local user accounts	59
Recovering accounts	62
Changing local account passwords	62
Configuring the local user database	63
Distributing the local user database	63
Protecting the local user database from distributions	63
Configuring password policies	64
Setting the password strength policy	64
Setting the password history policy	65
Setting the password expiration policy	65
Upgrade and downgrade considerations	66
Setting the account lockout policy	66
Denial of service implications	67
Authentication model	67
Table 12 Authentication configuration options	68
Creating Fabric OS user accounts	69
Table 13 Syntax for VSA-based account roles	69
Managing Fabric OS users on the RADIUS server	70
Windows 2000 IAS	70
Linux FreeRadius server	71
Table 14 dictionary.brocade file entries	71
RADIUS configuration and Admin Domains	71
Configuring the RADIUS server	72
Linux	72
Windows 2000	73
LDAP configuration and Microsoft’s Active Directory	75
Configuring authentication servers on the switch	77
Enabling and disabling local authentication as backup	80
Boot PROM password	80
Setting the boot PROM password with a recovery string	81
HP StorageWorks 4/8 or 4/16, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocal (MP) Router	81
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director)	82
Setting the boot PROM password without a recovery string	83
HP StorageWorks 4/8 or 4/16, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 Multi-protocal (MP) Router	83
4/256 SAN Director and DC SAN Backbone Director (short name, DC Director)	83
Recovering forgotten passwords	84
Configuring standard security features	85
Secure protocols	85
Table 15 Secure protocol support	85
Table 16 Items needed to deploy secure protocols	85
Table 17 Main security scenarios	86
Ensuring network security	86
Configuring the Telnet protocol	87
Blocking Telnet	87
Unblocking Telnet	87
Blocking listeners	88
Table 18 Blocked listener applications	88
Accessing switches and fabrics	88
Table 19 Access defaults	88
Port configuration	89
Configuring for the SSL protocol	89
Browser and Java support	89
Summary of SSL procedures	90
Table 20 SSL certificate files	90
Choosing a CA	90
Generating a public/private key	90
Generating and storing a CSR	91
Obtaining certificates	91
Installing a switch certificate	92
Activating a switch certificate	92
Configuring the browser	93
Installing a root certificate to the Java plug-in	93
Displaying and deleting certificates	94
Table 21 Commands for displaying and deleting SSL certificates	94
Troubleshooting certificates	94
Table 22 SSL messages and actions	94
Configuring for SNMP	95
Setting the security level	95
Using the snmpConfig command	96
Configuring secure file copy	98
Configuring advanced security features	99
About access control list (ACL) policies	99
How the ACL policies are stored	99
Table 23 Security database size restrictions	99
Identifying policy members	100
Table 24 Valid methods for specifying policy members	100
Configuring ACL policies	100
Displaying ACL policies	101
Configuring an FCS policy	101
Table 25 FCS policy states	101
FCS policy restrictions	102
Table 26 Switch operations	102
Overview of steps to create and manage the FCS policies	103
Modifying the Primary FCS	103
Distributing an FCS policy	104
Table 27 Distribution policy states	105
Configuring a DCC policy	105
Table 28 DCC policy states	105
DCC policy restrictions	105
Creating a DCC policy	106
Examples of creating DCC policies	107
Creating an SCC policy	107
Table 29 SCC policy states	107
Saving changes to ACL policies	108
Activating changes to ACL policies	108
Adding a member to an existing policy	108
Removing a member from an ACL policy	109
Deleting an ACL policy	109
Aborting all uncommitted changes	109
Configuring the authentication policy for fabric elements	109
Figure 1 DH-CHAP authentication	110
E_Port authentication	110
Device authentication policy	112
Auth policy restrictions	112
Supported configurations	112
Selecting authentication protocols	113
Re-authenticating ports	113
Managing secret key pairs	114
Fabric wide distribution of the Auth policy	115
Accept distributions configuration parameter	116
IP Filter policy	116
Creating an IP Filter policy	116
Cloning an IP Filter policy	116
Displaying an IP Filter policy	117
Saving an IP Filter policy	117
Activating an IP Filter policy	117
Deleting an IP Filter policy	118
IP Filter policy rules	118
Table 30 Supported services	118
Table 31 Implicit IP Filter rules	119
Table 32 Default IP policy rules	119
IP Filter policy enforcement	119
Creating IP Filter policy rules	120
Deleting IP Filter policy rules	120
Aborting a switch session transaction	120
IP Filter policy distributions	121
IP Filter policy restrictions	121
Distributing the policy database	121
Table 33 Interaction between fabric-wide consistency policy and distribution settings	122
Configuring the database distribution settings	122
Table 34 Supported policy databases	122
Distributing ACL policies to other switches	123
Table 35 ACL policy database distribution behavior	124
Setting the consistency policy fabric-wide	124
Table 36 Fabric-wide consistency policy settings	124
Notes on joining a switch to the fabric	125
Matching fabric-wide consistency policies	126
Table 37 Merging fabrics with matching fabric-wide consistency policies	126
Non-matching fabric-wide consistency policies	127
Table 38 Examples of strict fabric merges	127
Table 39 Fabric merges with tolerant/absent combinations	127
FIPS support	127
Zeroization functions	128
Table 40 Zeroization behavior	128
Power-up self tests	128
Conditional tests	129
FIPS mode	130
Table 41 FIPS mode restrictions	130
Preparing the switch for FIPS	131
Overview of steps	131
Maintaining configurations	135
Maintaining consistent configuration settings	135
Displaying configuration settings	135
Backing up a configuration	135
Troubleshooting configuration upload	136
Restoring switch information	137
Table 42 CLI commands to display switch configuration information	137
Restoring a configuration	137
Configuration download without disabling a switch	137
Security considerations	139
Troubleshooting configuration download	139
Messages captured in the logs	140
Restoring configurations in a FICON environment	140
Table 43 Backup and restore in a FICON CUP environment	140
Downloading configurations across a fabric	140
Configuration form	141
Table 44 Configuration and connection information	141
Managing administrative domains	143
Figure 2 Fabric with two Admin Domains	144
Figure 3 Filtered fabric views	144
Admin Domain features	145
Requirements for Admin Domains	145
User-defined Administrative Domains	145
System-defined Administrative Domains	145
AD0	146
AD255	146
Figure 4 Fabric with AD0 and AD255	147
Admin Domain access levels	147
Table 45 AD user types	147
Admin Domains and login	148
Admin Domain member types	148
Device members	148
Switch port members	149
Switch members	149
Admin Domains and switch WWN	149
Figure 5 Fabric showing switch and device WWNs	150
Figure 6 Filtered fabric views showing converted switch WWNs	150
Admin Domain compatibility and availability	150
Admin Domains and merging	150
Compatibility	151
Figure 7 Isolated subfabrics	151
Firmware upgrade and downgrade scenarios	151
Managing Admin Domains	151
Understanding the AD transaction model	152
Implementing Admin Domains	152
Creating an Admin Domain	153
Assigning a user to an Admin Domain	154
Activating and deactivating Admin Domains	155
Adding and removing Admin Domain members	156
Renaming an Admin Domain	156
Deleting an Admin Domain	157
Deleting all user-defined Admin Domains	157
Validating an Admin Domain member list	158
Using Admin Domains	158
Using CLI commands in an AD context	158
Table 46 Ports and devices in CLI output	159
Executing a command in a different AD context	159
Displaying an Admin Domain configuration	159
Switching to a different Admin Domain context	160
Performing zone validation	160
Admin Domain interactions	160
Table 47 Admin Domain interaction with Fabric OS features	161
Admin Domains, zones, and zone databases	162
Admin Domains and LSAN zones	162
Configuration upload and download in an AD context	163
Table 48 Configuration upload and download scenarios in an AD context	163
Installing and maintaining firmware	165
About the firmware download process	165
Upgrading and downgrading firmware	166
Effects of firmware changes on accounts and passwords	166
Table 49 Effects of firmware changes on accounts and passwords	166
Considerations for FICON CUP environments	166
Preparing for firmware downloads	167
Checking connected switches	168
Table 50 Recommended firmware	168
Obtaining and decompressing firmware	169
Performing firmwareDownload on switches	169
Overview of the firmware download process on switches	169
HP StorageWorks 4/8 SAN Switch, 4/16 SAN Switch, Brocade 4Gb SAN Switch for HP p-Class BladeSystem, Brocade 4Gb SAN Switch for HP c-Class BladeSystem, SAN Switch 4/32, 4/64 SAN Switch, SAN Switch 4/32B, 400 MP Router, and firmware download	170
Downloading firmware to a Director	171
Overview of the firmware download process on directors	172
4/256 SAN Director and DC Director firmwareDownload procedure	172
Director restrictions for downgrading	175
firmwaredownload from a USB device	176
FIPS Support	177
Public and private key management	177
The firmwareDownload command	178
Power-on firmware checksum test	179
Testing and restoring firmware on switches	179
Testing and restoring firmware on directors	180
Validating firmwareDownload	183
Troubleshooting firmwareDownload	184
Considerations for downgrading firmware to Fabric OS 5.3.0 or earlier	184
Preinstallation messages	185
Blade troubleshooting tips	191
Configuring Directors	193
Changing a Director’s name	193
Identifying ports	193
Director port numbering schemes	194
Table 51 Port numbering schemes for the 4/256 Director and DC Director	194
By slot and port number	194
By port area ID	194
By index	194
Table 52 Default index/area_ID core PID assignment with no port swap	195
Basic blade management	196
Powering port blades off and on	196
Disabling and enabling port blades	197
FR4-18i blade exceptions	197
FC4-48 and FC8-48 blade exceptions	198
Conserving power	198
Blade terminology and compatibility	199
Table 53 Director terminology and abbreviations	199
CP blades	199
Core blades	200
Port blade compatibility	200
Table 54 Port blades supported by each Director	200
Setting chassis configuration options for the 4/256 Director	200
Table 55 Supported configuration options	200
Table 56 Chassis configuration options	201
Obtaining slot information	201
Routing traffic	203
About data routing and routing policies	203
Specifying the routing policy	203
Assigning a static route	204
Specifying frame order delivery	204
Using dynamic load sharing	205
Viewing routing path information	206
Viewing routing information along a path	208
Using the FC-FC routing service	211
Supported platforms	211
Supported configurations	211
Fibre Channel routing concepts	211
Figure 8 A metaSAN with interfabric links	212
Figure 9 A metaSAN with edge-to-edge and backbone fabrics	213
Figure 10 Edge SANs connected through a backbone fabric	214
Proxy devices	214
Figure 11 MetaSAN with imported devices	215
Routing types	215
Fibre Channel NAT and phantom domains	215
Setting up the FC-FC routing service	216
Performing verification checks	217
Assigning backbone fabric IDs	218
Configuring FCIP tunnels (optional)	219
Configuring FC-FC routing to work with Secure Fabric OS (optional)	219
Configuring DH-CHAP secret	220
Configuring an interfabric link	221
portCfgExport options	223
Configuring the FC router port cost (optional)	226
Using router port cost	227
Upgrade, downgrade, and HA considerations	227
Port cost considerations	228
Setting a proxy PID	228
Matching fabric parameters	228
Configuring EX_Port frame trunking (optional)	229
Supported configurations and platforms	230
High Availability support	230
Backward compatibility support	230
Using EX_Port frame trunking	230
Security considerations	230
Trunking commands	230
Configuring LSANs and zoning	231
Use of administrative domains with LSAN zones and FCR	231
Defining and naming zones	232
LSAN zones and fabric-to-fabric communications	232
LSAN zone binding (optional)	235
Dual backbone configuration	236
Maximum LSAN count	236
Configuring backbone fabrics for interconnectivity	237
HA and downgrade considerations	237
IPFC over FCR	237
Broadcast configuration	238
Monitoring resources	239
Routing ECHO	240
Upgrade and downgrade considerations	241
Interoperability with legacy FCR switches	241
Backward compatibility	242
Table 57 Hardware and firmware compatibility for nonsecure fabrics	242
Front domain consolidation	242
Using front domain consolidation	242
Range of output ports	243
Interoperating with an M-EOS fabric	245
Table 58 Brocade-McDATA M-EOSc interoperability compatibility matrix	245
Table 59 Brocade-McDATA M-EOSn interoperability compatibility matrix	246
McDATA Mi10K interoperability	246
Configuring the fabrics for interconnectivity	247
Connectivity modes	248
Table 60 portCfgExPort -m values	248
Configuring the FC router	248
Figure 12 EFCM SAN status	251
Configuring M-EOS for interconnection	251
Figure 13 SAN Pilot and EFCM Zone screens	252
Figure 14 Adding a zone set name in SAN Pilot	254
LSAN zoning with M-EOS	254
Completing the configuration	255
Migrating from an MP Router to a 400 MP Router	257
Configurations	257
Non-redundant configuration	257
Figure 15 Non-redundant router configuration	257
Figure 16 Configuration during the upgrade	258
Redundant configuration	258
Figure 17 Redundant router configuration	258
Dual backbone configuration	258
Figure 18 Dual backbone fabric configuration	259
Devices directly connected to router	259
Administering FICON fabrics	261
Overview of Fabric OS support for FICON	261
Supported switches	262
Types of FICON configurations	262
Control Unit Port (CUP)	262
FICON commands	263
Table 61 Fabric OS commands related to FICON and FICON CUP	263
User security considerations	264
Configuring switches	264
Preparing a switch	265
Configuring a single switch	265
Configuring a high-integrity fabric	265
Figure 19 Cascaded configuration, two switches	266
Figure 20 Cascaded configuration, three switches	266
Setting a unique Domain ID	266
Displaying information	267
Link incidents	267
Registered listeners	267
Node identification data	267
FRU failures	267
Swapping ports	268
Clearing the FICON management database	268
Using FICON CUP	268
Setup summary	269
Enabling and disabling FICON Management Server mode	269
Setting up CUP when FICON Management Server mode is enabled	270
Displaying the fmsmode setting	270
Displaying mode register bit settings	271
Table 62 FICON CUP mode register bits	271
Setting mode register bits	272
Persistently enabling/disabling ports	272
Port and switch naming standards	273
Adding and removing FICON CUP licenses	273
Zoning and PDCM considerations	273
Zoning and link incident reporting	273
Troubleshooting	274
Identifying ports	274
Backing up and restoring FICON configuration files	275
Recording configuration information	276
Table 63 FICON configuration worksheet	276
Sample IOCP configuration file	277
Administering Extended Fabrics	363
Extended Fabrics licensing	363
Extended Fibre Channel over distance	363
Distance levels for extended Inter-Switch Links (ISLs)	363
Buffer-to-Buffer Credits	363
Table 80 Fibre Channel data frames	364
FC switch port Buffer Credit requirements for long distance calculations	365
Determining how many ports can be configured for long distance	365
Displaying the remaining buffers in a port group	366
Table 81 Switch, port speed, and distance with ASIC and buffers	368
Fabric considerations	369
Long distance link initialization activation	369
Extended Fabrics device limitations	369
Configuring an extended ISL	369
Table 82 Extended ISL modes: B-Series 2Gb Switches (Bloom and Bloom II ASICs)	371
Administering Advanced Zoning	383
About zoning	383
Figure 31 Zoning example	383
Zone types	384
Table 84 Types of zoning	384
Table 85 Approaches to fabric-based zoning	384
Zone objects	385
Zoning schemes	386

Match case Limit results 1 per page

Fabric OS 6.x administrator guide

131

Preparing the switch for FIPS

The following functionalities are blocked in FIPS mode. Therefore, it is important to prepare the switch by

disabling these functionalities prior to enabling FIPS.

•

The root account is blocked in FIPS mode. Therefore, all root only functionalities will not be available.

•

HTTP, Telnet, RPC, SNMP protocols need to be disabled. Once these are blocked, you cannot use these

protocols to read or write data from and to the switch

•

Configdownload

and

firmwaredownload

using an FTP server will be blocked.

See

Table 41

on page 130 for a complete list of restrictions between FIPS and non-FIPS mode.

IMPORTANT:

Only roles with SecurityAdmin and Admin can enable FIPS mode.

Overview of steps

Optional:

Configure RADIUS server

Optional

: Configure authentication protocols

Block Telnet, HTTP, and RPC

Disable BootProm access

Configure the switch for signed firmware

Disable root access

Enable FIPS

To enable FIPS mode:

Optional:

If the switch is set for RADIUS, modify each server to use only

peap-mschapv2

as the

authentication protocol using the

aaaconfig --change

aaaconfig --remove

command.

Optional:

Set the authentication protocols

Type the following command to set the hash type for MD5 which is used in authentication protocols

DHCHAP and FCAP:

authutil --set -h sha1

Set the DH group to 1 or 2 or 3 or 4 using

authutil --set -g <n>

, where the DH group is

represented by <n>.

Block Telnet, HTTP, and RPC using the

ipfilter

policy command.

You will need to create an IPFilter policy for each protocol.

Create an IP Filter rule for each protocol, see ”

To create an IP Filter policy:

” on page116.

DH-CHAP/FCAP

hashing algorithms

SHA-1

MD5 and SHA-1

Signed firmware

Mandatory firmware signature validation

Optional firmware signature

validation

Configupload/

download/

supportsave/

firmwaredownload

SCP only

FTP and SCP

IPsec

Usage of AES-XCBC, MD5 and DH group 1

are blocked

No restrictions

Radius auth protocols

PEAP-MSCHAPv2

CHAP, PAP, PEAP-MSCHAPv2

Table 41

FIPS mode restrictions

Features

FIPS mode

Non-FIPS mode