HP StorageWorks 2/128 Brocade Secure Fabric OS Administrator's Guide (53-10002
HP StorageWorks 2/128 - SAN Director Switch Manual
HP StorageWorks 2/128 manual content summary:
- HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 1
Secure Fabric OS Administrator's Guide Supporting Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, 5.2.0 Publication Number: 53-1000244-01 Publication Date: 09/29/2006 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 2
service names are or may be trademarks or service marks of, and are used to identify, products or services of source code, please visit http://www.brocade.com/support/oscd. Export of technical data contained design and implement a more secure storage area network ("SAN"), as part of your overall - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 3
Communications Systems, Incorporated Corporate Headquarters Brocade Communications Systems, Inc. 1745 Technology Drive San Jose, CA 95110 Tel: 1-408-333-8000 Fax: 1-408-333-8101 Email: [email protected] European and Latin American Headquarters Brocade Communications Switzerland Sàrl Centre Swissair - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 4
in relationship to multiple users accounts. March 2005 Revise with release note content. July 2005 53-10000048-01 53-10000048-02 Add Silkworm 4900 and 7500 and Fabric OS v5.1.0 support information, fiber channel router and password management policy support information. November 2005 Minor - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 5
xi Key Terms xii Additional Information xii Brocade Resources xii Other Industry Resources xiv Getting Technical Help xv Document Feedback xvi Chapter 1 Introducing Secure Fabric OS Management Channel Security 1-2 Switch-to-Switch Authentication 1-3 Using PKI 1-3 Using DH-CHAP 1-4 Fabric - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 6
2-23 Managing Shared Secrets 2-24 Preparing SilkWorm 24000 for Secure Fabric OS 2-26 Installing a Supported CLI Client on a Workstation 2-28 Enabling Secure Fabric OS and Creating Policies Prerequisites to Enabling Secure Mode 3-1 Default Fabric and Switch Accessibility 3-2 Enabling Secure Mode - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 7
OS Statistics 4-7 Managing Passwords 4-8 Modifying Passwords in Secure Mode 4-10 Using Temporary Passwords 4-11 Resetting the Version Number and Time Stamp 4-12 Adding Switches and Merging Fabrics with Secure Mode Enabled 4-13 Preventing a LUN Connection 4-17 Troubleshooting 4-17 Appendix - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 8
viii Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 9
About This Document This document is a procedural guide written to help SAN administrators set up and manage a Brocade Secure Fabric OS SAN. This document is specific to Brocade Secure Fabric OS v5.2.0 and all switches running Fabric OS versions v3.2.x, v4.4.x, v5.0.l, v5.1.0, or v5.2.0. "About - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 10
of procedures documented here apply to some switches but not to others, this guide identifies exactly which switches are supported and which are not. Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc. for v3.2.x, v4.4.x, v5 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 11
Identifies the names of user-manipulated GUI elements Identifies keywords narrative portions of this guide are presented in mixed often all lowercase. Otherwise, this manual specifically notes those cases in which you to potential damage to hardware, firmware, software, or data. Warning A - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 12
documentation is provided on the Brocade Documentation CD-ROM and on the Brocade Web site, through Brocade Connect. Note Go to http://www.brocade.com and click Brocade Connect to register at no cost for a user ID and password. Fabric OS • Fabric OS Administrator's Guide • Fabric OS Command Reference - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 13
Assembly Replacement Procedure • SilkWorm 7500 Power Supply Replacement Procedure SilkWorm 4900 • SilkWorm 4900 Hardware Reference Manual • SilkWorm 4900 QuickStart Guide • SilkWorm 4900 Fan Assembly Replacement Procedure • SilkWorm 4900 Power Supply Replacement Procedure SilkWorm 4100 • SilkWorm - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 14
Router Model AP7420 Power Supply Replacement Procedure • SilkWorm Multiprotocol Router Model AP7420 Fan Assembly Replacement Procedure For practical discussions about SAN design, implementation, and maintenance, you can obtain Building SANs with Brocade Fabric Switches through: http://www - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 15
Information • Technical Support contract number, if applicable • Switch model • Switch operating system version • Error numbers and messages received • supportSave command output • Detailed description of the problem and specific questions • Description of any troubleshooting steps already performed - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 16
switch WWN. • All other SilkWorm switches: Provide the switch WWN. Use the wwn command to display the switch WWN. Document Feedback Because quality is our first concern at Brocade to hear from you. Forward your feedback to: [email protected] Provide the title and version number and as much - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 17
) shared secrets to provide switch-to-switch authentication. Table 1-1 lists which switches and fabrics support Secure Fabric OS. Table 1-1 Secure Fabric OS-Supported Switches and Fabrics Fabric OS Versions Supported SilkWorm Platforms v2.6.2 SilkWorm 2000-series switches v3.2.0 SilkWorm 3200 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 18
, messages (such as notifications of password changes) that are sent to the v4.4.0, v5.0.1, v5.1.0, and v5.2.0 support SSH, enabling fully encrypted telnet sessions. switch firmware. For more information about SSH, see the Fabric OS Administrator's Guide. 1-2 Secure Fabric OS Administrator's Guide - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 19
telnet that encrypts passwords only. It is available from your switch supplier. Fabric OS Fabric OS Command Reference Manual. Switch-to-Switch Authentication Switch-to-switch authentication supports the following: • " manual are specific to Secure Fabric OS. See the Fabric OS Administrator's Guide - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 20
. If either is permitted, the default order (FCAP, DHCHAP) is used Manual for details of the authUtil and secAuthSecret commands and see "Configuring Switch-to-Switch user account (MUA), RADIUS, password policies, and an SSL certificate, all of which are not supported by older releases. FCS switches - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 21
Guide. For more information about merging fabrics, see "Adding Switches and Merging Fabrics with Secure Mode Enabled" on page 4-13. The remaining switches various aspects of the fabric. By default, only the FCS policy exists when and remain available after switch reboot or power cycle. The group - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 22
1 Secure Fabric OS supports the following policies: • FCS policy-Use to specify the primary FCS and backup FCS switches. This is the only required policy. • Management access control (MAC) policies-Use to restrict management access to switches. The following specific MAC policies are provided: - - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 23
require access to the Web site of the switch support supplier. If the supplier is Brocade, navigate to http://partner.brocade.com (if a partner login is not already assigned, follow the instructions to receive a username and password). This chapter includes the following sections: • "Prerequisites - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 24
Fabric OS Administrator's Guide. Before enabling secure mode, install a supported CLI client on all network workstations that will be used to access the switch command line management interface. See "Installing a Supported CLI Client on a Workstation" on page 2-28 for detailed instructions. Note If - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 25
: 4.5.3 To upgrade the Fabric OS: The firmware upgrade process depends on the type of switch and management interface. See the Fabric OS Administrator's Guide for download instructions specific to the type of switch and management interface. Switches that already have a Secure Fabric OS license - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 26
and certificate display Empty, create the objects on the switch as describe in "Creating PKI Objects" on page 2-5, then follow the instructions in "Obtaining the Digital Certificate File" on page 2-7 and "Distributing Digital Certificates to the Switches" on page 2-13. • If any of the other objects - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 27
command on both logical switches. The pkiCreate command does not work if secure mode is already enabled. switch:admin> pkicreate Installing Private Key and Csr... Switch key pair and CSR generated... Installing Root Certificate... Secure Fabric OS Administrator's Guide 2-5 Publication Number: 53 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 28
Repeat for any other switches, as required. Removing switch according to the instructions provided in "Distributing Digital Certificates to the Switches switch. If you want secure mode enabled, you will need to get the switch is displayed: switch:admin> pkiremove This Switch is in secure mode - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 29
to collect certificate signing requests (CSRs) and install digital certificates on switches. The utility must be installed on a computer workstation. To install the PKICert utility on a Solaris workstation, follow the instructions provided in the PKICert utility ReadMe file. To install the PKICert - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 30
guide are PC-specific. The PKICert utility can be used only in nonsecure mode to generate or install certificates. While performing the certificate request process using PKICert, the switch name should not contain spaces. If the switch name contains spaces, the CSR is rejected by the Brocade default. - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 31
pki_v1.0.6 Choose a method for providing fabric addresses 1) Manually enter fabric address 2) Read addresses from a file ( 32.142.167 2 --> Connecting to Fabric(s) ... Login to fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 Username: admin Password: Logged into fabric 1. principal switch - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 32
the file-name of the Fabric Address file. File Name ===> \\server\Working\FabricAddresses.txt Connecting to Fabric(s) ... Login to fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 Username:admin Password: Logged into fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 Press Enter to - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 33
142.143" 5. Got a CSR for Switch: Name="sw_138", IP="10.32.142.138" 6. Got a CSR for Switch: Name="sw_142", IP="10.32.142.142" 7. Got a CSR for Switch: Name="Core_sw0", IP="10.32.142.166" Wrote 12824 bytes of switch data to file: "\\server\Working\CSR_Fabric1.xml" Success getting CSRs & writing them - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 34
1) 10:00:00:60:69:11:f8:f9 a) All Fabrics r) Return to Functions menu # Switches ---------- 15 Principal ----------- sec237 enter your choice> 1 Once you finish, press Enter to return to Enter choice> q QUIT? (y/n) y Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 35
to Obtain CSR". To load digital certificates onto one or more switches manually 1. On a PC, double-click pkicert.exe. The PKICert utility and press Enter; alternatively, press Enter to accept the default. The log file is automatically created in the same Guide Publication Number: 53-1000244-01 2-13 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 36
addresses 1) Manually enter fabric address needed to get to all switches. Enter a list of 32.142.167 2 --> Connecting to Fabric(s) ... Login to fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 c. The utility prompts for the username and password for this switch. Type the username and password - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 37
Address file. File Name ===> \\server\Working\FabricAddresses.txt Connecting to Fabric(s) ... Login to fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00 c. The utility prompts for the username and password for this switch. Type the username and password; press Enter to continue. Username - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 38
sectelnet application can be used as soon as a digital certificate is installed on the switch. 8. Press Enter. The Functions menu is displayed. 9. Type q to quit the installation utility Enter choice> q QUIT? (y/n) y 2-16 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 39
the fabric addresses; for example, type 1 and press Enter to manually enter the fabric address. PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 Choose a The utility prompts for the username and password for this switch. Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 2-17 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 40
to fabric 1. principal switch WWN = 10:00:00:60:69:50:0d:9f Username: root Password: Logged into fabric 1. principal switch WWN = 10:00:00 Functions menu # Switches ---------- 2 Principal ----------- sec_edge_2 enter your choice> 1 Secure Fabric OS Administrator's Guide Publication Number: 53 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 41
want to quit. PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 FUNCTIONS 1) Retrieve CSRs from switches & write a CSR file 2) Install Certificates contained in a Certificate file 3) utility Enter choice> q QUIT? (y/n) y Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 2-19 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 42
DIGITAL CERTIFICATIONS NOTE:This utility will only work with switches running a FAB-OS version that supports Fabric Security (e.g. >= v2.6, v3.2, v4 [-A switch-addr] [-L log-level] [-u user-login -p password] Task Options: -g Get CSRs & generate a CSR data file -G Get CSRs (even from switches with - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 43
= Debug-info +Events + ... 2. To end help, press Enter. User Login: -u User name or account login for switch given with _A option or for use as default for all switches given. Password: -p Password must accompany "-u UserLogin" if provided. It must be more than 5 characters - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 44
is provided in Secure Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 and is used when both switches support it. Authentication automatically defaults to SLAP when a switch does not support FCAP. Alternatively, you can configure Secure Fabric OS to use DH-CHAP authentication. Use the authUtil - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 45
either while secure mode is enabled or not. Run the command on the switch you want to view or change. This section illustrates using the authUtil command for example, you enable the switch), switch authentication fails. Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 2-23 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 46
secAuthSecret "--show". The output displays the WWN, domain ID, and name (if known) of the switches with defined shared secrets: WWN DId Name 10:00:00:60:69:80:07:52 Unknown 10:00:00:60:69:80:07:5c 1 switchA 2-24 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 47
or switch name (Leave blank when done): 10:20:30: switch name (Leave blank when done): Are you done? (yes, y, no, n): [no] y Saving data to key store... Done. 3. Enable and disable the ports on a peer switch using the portEnable and portDisable commands. Secure Fabric OS Administrator's Guide - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 48
instructions, see "Verifying Compatible Fabric OS Version" on page 2-2. 4. Log in to one logical switch and change the account passwords from the default values, then log in to the other logical switch and change the passwords from the default values. 2-26 Secure Fabric OS Administrator's Guide - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 49
them to a common external network time protocol (NTP) server. Note If the fabric contains any switches running Fabric OS v4.4.0, v5.0.1, v5.1.0, or v5.2.0 the server must support a full NTP client. For switches running Fabric OS v3.2.0, the server can be SNTP or NTP. a. Open a telnet or SSH - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 50
that is supported only for switches running Fabric OS v4.1.x or later. You can use SSH clients that support version 2 of the protocol (for example, OpenSSH or FSecure). See the Fabric OS Administrator's Guide for client installation instructions. sectelnet is provided on the Brocade Partner Web - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 51
Troubleshooting" on page 4-17. Prerequisites to Enabling Secure Mode For more information on any of the following items, see Fabric OS Administrator's Guide. Before enabling secure mode, do the following: • Disable the FC-FC routing on all backbone fabrics. • Set the Password policies to the default - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 52
Secure Fabric OS and Advanced Zoning licenses and digital certificates). - All switches in the fabric can be accessed through a serial port. - All switches in the fabric that have front panels (SilkWorm 2000-series switches) can be accessed through the front panel. • Computer hosts and workstations - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 53
v4.2.x switch to distribute all default account passwords to all other switches in passwords for secure mode. Caution Placing the two switches of a two-domain SilkWorm 24000 in separate fabrics is not supported if secure mode is enabled on one or both switches. Secure Fabric OS Administrator's Guide - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 54
option to preserve passwords. If telnet use is completely prohibited, the telnet protocol should be disabled on each switch, using the problem and repeat the configDownload command. For information about troubleshooting the configuration download process, see the Fabric OS Administrator's Guide - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 55
might fail if a switch running Fabric OS v2.6.x is in the fabric. Fabric OS v2.6.x supports a maximum security database size of 16 Kb. If you use secModeEnable --currentpwd command until the passwords are changed from the factory defaults by answering the password prompts during the login. Do - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 56
minutes, please wait... Secure mode is enabled. switch:admin> The command requests active consent to the terms of the license, requests the identity of the FCS switches, and requests the new passwords required for secure mode. Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 57
that are different from the default values and contain between 8 and 40 alphanumeric characters: • Root password for the FCS switch • Factory password for the FCS switch • Admin password for the FCS switch • User password for the fabric • Admin password for the non-FCS switches Note The root and - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 58
in the FCS policy if your primary FCS switch is running Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, or v5.2.0 and using multiple user accounts (MUA) because Fabric OS v2.6.x does not support MUA. See the Fabric OS Administrator's Guide for more information on MUA. 3-8 Secure Fabric OS Administrator - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 59
position in the list of the FCS switch and To is the desired position in the list for this switch. For example, to move a backup FCS switch from position 2 to position 3 in :5a2 switch60. 4. Type secPolicyActivate. Secure Fabric OS Administrator's Guide 3-9 Publication Number: 53-1000244-01 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 60
:1c 1 Ready 10.32.163.161 "fcsswitcha" Backup 10:00:00:00:00:00:22:2c 2 Ready 10.32.163.160 "fcsswitchb" Secured switches in the fabric: 2 FCS switch to be designated as the new primary FCS switch and type secFCSFailover. 3-10 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 61
policy. Note Save policy changes frequently; changes are lost if the switch is rebooted before the changes are saved. Each supported policy is identified by a specific name, and only one policy OS Command Reference. Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 3-11 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 62
about valid input, see "Creating an Options Policy" on page 3-20. DCC_POLICY_nnn No Yes Yes Yes Yes SCC_POLICY No No Yes Yes Enclosure Services (SES) or management server • Access through switch serial ports and front panels 3-12 Secure Fabric OS Administrator's Guide Publication Number - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 63
how to create them are described in the following sections. By default, all MAC access is allowed; no MAC policies exist until they No host can write Any host can read Only B can write This combination is not supported. If the WSNMP policy is not defined, the RSNMP policy cannot be created. No - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 64
Empty Host B in policy This combination is not supported. If the WSNMP policy is not defined, the RSNMP SSH session, log in to the primary FCS switch as admin. 2. Type secPolicyCreate "WSNMP_POLICY", logical switches on a two-domain SilkWorm 24000 addresses of the logical switches and to the standby - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 65
certificate is installed on the switch. Note An empty TELNET_POLICY blocks all of management access is available to the switch. To restrict CLI access over the , log in to the primary FCS switch as admin. 2. Type secPolicyCreate "TELNET_POLICY Internet browsers, such as Brocade Web Tools. The policy - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 66
with IP address of 192.168.5.0 (where "0" can be any number) to establish an HTTP connection to any switch in the fabric: primaryfcs:admin> secpolicycreate "HTTP_POLICY", "192.168.5.0" HTTP_POLICY has been created. 3-16 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 67
to the SES User's Guide for more information. The current SES implementation does not support the SES commands Read Buffer or Write Buffer for remote switches. To direct these commands to a switch that is not the primary FCS switch, designate that switch as the primary FCS switch and attach the - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 68
OS v2.6.2 supports the SES device that has a WWN of 12:24:45:10:0a:67:00:40: primaryfcs:admin> secpolicycreate "SES_POLICY", "12:24:45:10:0a:67:00:40" requesters that are directly connected to the primary FCS switch. The policy is named MS_POLICY and contains a Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 69
a WWN of 12:24:45:10:0a:67:00:40: primaryfcs:admin> secpolicycreate "MS_POLICY", "12:24:45:10:0a:67: If the Serial Port policy exists and the switch is not included in the policy, the session switch that has a WWN of 12:24:45:10:0a:67:00:40: primaryfcs:admin> secpolicycreate "SERIAL_POLICY", "12:24: - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 70
switch as admin. 2. Type secPolicyCreate "FRONTPANEL_POLICY", "member;...;member". member is a switch WWN, domain ID, or switch name. If a domain ID or switch name is used to specify a switch, the associated switch with a host bus adapter (HBA). If the WWNs for zoning. By default, use of node WWNs - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 71
the switch supports local switch ports. The devices can be initiators, targets, or intermediate devices such as SCSI routers and loop hubs. By default, all device ports are allowed to connect to all switch switch and are not enforced by the DCC policy. However, this does not create a security problem - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 72
, that device is only allowed access to the fabric if connected to a switch port listed in the same policy. If a switch port is specified in a DCC policy, it only permits connections from devices that proxy device. 3-22 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 73
switch switch port information: deviceportWWN;switch(port): • deviceportWWN is the WWN of the device port. • switch can be the switch WWN, domain ID, or switch switch. .1.x and earlier switches have a 256 earlier switches may switch switch domain 2, and all currently connected devices of switch switch - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 74
SCC_POLICY and accepts members listed as WWNs, domain IDs, or switch names. Only one SCC policy may be created. By default, any switch is allowed to join the fabric; the SCC policy does not states are shown in Table 3-13. 3-24 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 75
OS Policies All Secure Fabric OS transactions must be performed through the primary FCS switch only, except for the secTransAbort, secFCSFailover, secStatsReset, and secStatsShow commands. You can the defined policy set. Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 3-25 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 76
policy is closed to access by all devices/switches that are not listed in that policy. cannot be removed, because a primary FCS switch must be designated. • "Deleting a on page 3-29 From any switch in the fabric, abort a are lost if the switch reboots or the current the primary FCS switch as admin. - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 77
domain ID, device or switch WWN, or switch name. 3. To implement the change immediately, enter the secPolicyActivate command. For example, to add a member to the MS_POLICY using the device port WWN: primaryfcs:admin> secpolicyadd "MS_POLICY", "12:24:45:10:0a:67:00:40" Member(s) have been added - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 78
switch domain ID, device or switch WWN, or switch name. 3. To implement the change immediately, enter the secPolicyActivate command. For example, to remove a member that has a WWN of 12:24: FCS_POLICY cannot be deleted. 3-28 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 79
in the fabric. This makes it possible to abort a transaction that has become frozen due to a failed host. If the switch itself fails, the transaction aborts by default. This command cannot be used to abort an active transaction. To abort a Secure Fabric OS transaction 1. From a sectelnet or SSH - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 80
3 3-30 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 81
Shell) is supported for Fabric Passwords" on page 4-8 • "Resetting the Version Number and Time Stamp" on page 4-12 • "Adding Switches and Merging Fabrics with Secure Mode Enabled" on page 4-13 • "Preventing a LUN Connection" on page 4-17 • "Troubleshooting Guide 4-1 Publication Number: 53-1000244-01 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 82
Ready 192.168.100.147 "backup" Primary 10:00:00:60:69:22:32:83 3 Ready 192.168.100.135 "primaryfcs" Secured switches in the fabric: 3 Table 4-1 identifies the information that displays if secure policy set. 4-2 Secure Fabric OS Administrator's Guide Publication Number: 53-1000244-01 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 83
Secure Fabric OS policy: 1. From a sectelnet or SSH session, log in to the primary FCS switch as admin. 2. Type secpolicyshow "listtype", "policy_name". listtype is the type of Secure Fabric OS and defined policy sets. Secure Fabric OS Administrator's Guide 4-3 Publication Number: 53-1000244-01 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 84
the FCS policy. switch:admin> secmodeshow Secure Mode: ENABLED. Version Stamp: 9182, Wed Mar 13 16:37:01 2001. POS Primary WWN DId swName. 1 Yes 10:00:00:60:69:00:00:5a 21 switch47. 2 No 12:00:00:60:60:03:23:5b 5 switch12. - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 85
an account with an incorrect password. The statistics for all DCC policies are added together. Note Rebooting the switch resets all the statistics. or SSH client software, in addition to the actual attempts made by the user. On dual-CP directors, statistics are maintained separately on each CP and - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 86
A received packet has a time stamp that differs from the time of the receiving switch by more than the maximum allowed difference. LOGIN The number of invalid login attempts. not replicated to the standby CP. - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 87
:admin> secstatsshow "MS_POLICY" Name Value MS 20 Resetting Secure Fabric OS Statistics Use the secStatsReset an asterisk (*) to indicate all switches in the fabric. The default value is that of the local switch. If neither operand is specified, - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 88
created for specific switches, making it possible to provide temporary access to another user. • User password policies are not supported. To enable Secure mode, you must reset all password policies to the default settings. See Chapter 3 of the Fabric OS Administrator's Guide. The user account (or - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 89
user passwords. Available on FCS switches only. However, can temporarily enable root and factory accounts on nonFCS switches by creating a temporary password. Password is common to all FCS switches; can modify using passwd command on the primary FCS switch. - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 90
40 alphanumeric characters in length. switch:admin> passwd "admin" Changing password for admin Enter new password: Re-type new password: Password changed. Saving password to stable storage. Password saved to stable storage successfully. The passwords are distributed to all switches in the fabric and - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 91
OS database. Any existing admin-level telnet connections to these non-FCS switches are terminated. Using Temporary Passwords Create temporary passwords for default accounts to grant temporary access to a specific switch and login account without compromising the confidentiality of the permanent - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 92
Password from a Switch Use the secTempPasswdReset command to remove the temporary password. The permanent password remains in effect. To remove the temporary password from a switch FCS switch as admin. 2. Type the secModeShow command. - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 93
The Security policy set, zoning configuration, password information, MUA information, and SNMP community switch has nonzero version stamp. For general information about merging fabrics and instructions for merging fabrics that are not in secure mode, refer to the Fabric OS Administrator's Guide - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 94
disabled. Segments unless FCS policies are identical. If identical, the switch is the primary FCS switch unless the other FCS switch is higher in the FCS policy. Segments unless FCS policies are in the merge process. - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 95
.6.2, v3.2.0, v4.4.0, v5.0.1, v5.1.0, or v5.2.0, upgrade the firmware as required. For information on upgrading firmware, refer to the Fabric OS Administrator's Guide. d. Customize the account passwords from the default values. e. Repeat for each switch that you intend to include in the final merged - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 96
OS policy set, zoning configuration, password information, MUA information, and SNMP community strings. The primary FCS switch distributes this information fabric-wide. For information about managing zoning configurations, refer to the Fabric OS Administrator's Guide. 12. Verify that the fabric - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 97
each switch in the secure fabric after configuring it in all your hosts and storage. This switch. If an edge fabric is connected to a fibre channel router, secModeEnable --quickmode is not supported. Troubleshooting switch that you want to become the primary FCS switch and specify the FCS switches - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 98
primary FCS role to a backup FCS switch. If no backup FCS switches are available, enter the secModeEnable command to specify a new primary FCS switch. Specify adequate backup FCS switches to prevent a recurrence. Troubleshoot the previous primary FCS switch as required. Cannot access a device or - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 99
management policy settings. Only the password management policy default values are supported by secure mode. On each switch restore the password policy settings to the default values by running passwdcfg -setdefault. - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 101
from the fabric. Note: For instructions on rejoining fabrics, refer to the instructions in "Adding Switches and Merging Fabrics with Secure Mode Enabled" on page 4-13. SCC_POLICY is excluding the segmented switches. Management server services on the segmented switches are inconsistent with rest of - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 102
not consistent. A password recovery operation might have been performed on one or more switches. To make the passwords consistent, log in to the switch that had the password recovered and enter session and log back in. - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 103
on the individual switches. Removing Secure new switches to the fabric that do not support Secure the Secure Fabric OS License on Each Switch" on page A-3 • "Uninstalling Related on the Brocade Partner Web and the devices and users affected by each policy. users to minimize security risks and - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 104
that were FCS switches, the user, admin, factory, and root passwords remain the same as in secure mode. • On the switches that were non-FCS switches, the root, factory, and admin passwords become the same as the non-FCS admin password. - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 105
Note If the user installs and activates a feature license and then removes the license, the feature is not disabled until the next time system is rebooted or a switch enable or disable is rm command to remove the folder. - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 106
: • Enable and disable secure mode • Fail over the primary FCS switch • Create and modify Secure Fabric OS policies • View all Secure Fabric OS-related information • Modify passwords • Create and remove temporary passwords • View and reset Secure Fabric OS statistics • View and reset version - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 108
Objects" on page 2-5. pkiRemove admin Removes the PKI objects from the switch. Nonsecure mode n/a pkiShow All users Displays the status of the PKI objects and Both Any digital certificate on the switch. See "Verifying the Digital Certificate" on page 2-4. secActiveSize admin / Displays - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 109
password. See "Modifying the Non-FCS Switch Admin Password" on page 4-10. Secure mode Primary FCS switch Primary FCS switch secPolicyAdd admin / Primary FCS switch secPolicyCreate admin Switch Within the FCS Policy" on page 3-9. Secure mode Primary FCS switch switch FCS switch secPolicyShow - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 110
/ t fabricAdmin Removes temporary passwords. See "Removing a Temporary Password from a Switch" on page 4-12. Secure mode Primary FCS switch secTempPasswdSet admin / fabricAdmin Sets a temporary password for a switch. See Secure mode "Creating a Temporary Password for a Switch" on page 4-11 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 111
OS Command Reference. Table B-2 Zoning Commands Command Primary FCS Backup FCS Non-FCS Switch Switch Switch aliAdd aliCreate Yes No No Yes No No aliDelete Yes No No aliRemove Yes No Yes No No - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 113
recommended. The zoning and Secure Fabric OS configurations are not uploaded if entered on a non-FCS switch. date Yes Yes (read only) Yes (read only) date (except ACL does not display) Yes - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 114
Table B-3 Miscellaneous Commands (Continued) Command Primary FCS Switch Backup FCS Switch Non-FCS Switch msplClearDB Yes No No msplMgmtActivate Yes No No msplMgmtDeactivate cannot modify WWNs in secure mode) - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 115
A-2 secModeEnable i-iv, 3-2, 3-5, 3-11, 4-16, 4-17, 4- 18, 4-19, 4-20, 4-21, A-2 secModeShow 4-4, 4-17, password for a switch 4-11 creating an Options policy 3-20 creating an SCC policy 3-24 creating an SNMP policy 3-13 creating PKI certificate reports 2-17 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 116
commands A-7 modifying passwords in secure mode 4-10 modifying the FCS policy 3-8 modifying the FCS switch passwords or the fabric-wide user password 4-10 modifying the non-FCS switch admin password 4-10 N non-FCS switches 1-5 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 117
22 password policies 4-8 PKI 1-3 PKI certificate help accessing 2-20 PKI certificate reports creating 2-17 PKICERT utility 2-7 PKICert Utility, installing 2-6 pkishow 2-4 policies aborting current transaction 3-29 activating 3-27 adding members 3-27 API MAC 3-17 creating 3-12, 3-13, 3-20, 3-21, 3-24 - HP StorageWorks 2/128 | Brocade Secure Fabric OS Administrator's Guide (53-10002 - Page 118
support, Fibre Channel router 3-5, 3-24 switch-to-switch authentication CHAP 1-3 DH-CHAP 1-3 T telnet 1-3 Telnet policy 3-14 telnet, when available 2-28 temporary password creating 4-11 removing 4-12 using 4-11 troubleshooting 4-17 Fibre Channel router 4-20
Publication Number: 53-1000244-01
Publication Date: 09/29/2006
Secure Fabric OS Administrator's Guide
Supporting Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, 5.2.0