HP StorageWorks 8/24 HP StorageWorks Fabric OS 6.1.x administrator guide (5697 - Page 116
Configuring the authentication policy for fabric elements
View all HP StorageWorks 8/24 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 116 highlights
Aborting all uncommitted changes Use the secPolicyAbort command to abort all ACL policy changes that have not yet been saved. To abort all unsaved changes: 1. Connect to the switch and log in using an account assigned to the admin role. 2. Type the secPolicyAbort command: switch:admin> secpolicyabort Unsaved data has been aborted. All changes since the last time the secPolicySave or secPolicyActivate commands were entered are aborted. Configuring the authentication policy for fabric elements By default, Fabric OS 6.1.x uses DH-CHAP or FCAP protocols for authentication. These protocols use shared secrets and digital certificates, based on switch WWN and public key infrastructure (PKI) technology, to authenticate switches. Authentication automatically defaults to FCAP if both switches are configured to accept FCAP protocol in authentication. To use FCAP on both switches, PKI certificates have to be installed. NOTE: The fabric authentication feature is available in base Fabric OS. No license is required. You can configure a switch with Fabric OS 5.3.0 or later to use Diffie-Hellman challenge handshake authentication protocol (DH-CHAP) for device authentication. Use the authUtil command to configure the authentication parameters used by the switch. When you configure DH-CHAP authentication, you also must define a pair of shared secrets known to both switches as a secret key pair. Figure 3 on page 117 illustrates how the secrets are configured. A secret key pair consists of a local secret and a peer secret. The local secret uniquely identifies the local switch. The peer secret uniquely identifies the entity to which the local switch authenticates. Every switch can share a secret key pair with any other switch or host in a fabric. In order to use DH-CHAP authentication, a secret key pair has to be configured on both switches. To use FCAP on both switches, PKI certificates have to be installed. You can use the command authutil --set to set the authentication protocol which can then be verified using the command authutil --show CLI. NOTE: The standards-compliant DH-CHAP and FCAP authentication protocols are not compatible with the SLAP protocol that was the only protocol supported in earlier Fabric OS releases 4.2, 4.1, 3.1, 2.6.x. Fabric OS 6.1.x switch-to-switch authentication implementation is fully backward compatible with 3.2, 4.2, 4.4, 5.0, 5.1, 5.2, and 5.3.0. Use secAuthSecret to set a shared secret on the switch. When configured, the secret key pair are used for authentication. Authentication occurs whenever there is a state change for the switch or port. The state change can be due to a switch reboot, a switch or port disable and enable, or the activation of a policy. 116 Configuring advanced security features