HP StorageWorks 8/24 HP StorageWorks Fabric OS 6.2 administrator guide (5697-0 - Page 132
Device authentication policy
ACTIVE
The authentication begins automatically during the E_Port initialization. A switch with this policy can safely connect to pre-6.0.0 switches, since it continues E_Port initialization if the connecting switch does not support authentication. Switches with firmware pre-3.2.0 do not support FCAP or DH-CHAP authentication, so the E_Port initializes without authentication. Switches with firmware version 3.2.0 and later respond to authentication negotiation and participate in FCAP and DH-CHAP handshaking. Regardless of the policy, the E_Port is disabled if the DH-CHAP or FCAP protocol fails to authenticate the attached E_Port.

PASSIVE (default)
In the PASSIVE state the switch does not initiate authentication, but participates in authentication if the connecting switch initiates it. The switch does not start authentication on E_Ports, but accepts incoming authentication requests, and the port is not disabled if the connecting switch does not support authentication or has its policy turned OFF. This is the safest policy for switches connecting to pre-5.3.0 switches: 5.3.0 and later switches can have authentication enabled without impacting the pre-5.3.0 switches, which by default act as passive switches since they accept incoming authentication requests. Regardless of the policy, the E_Port is disabled if the DH-CHAP or FCAP protocol fails to authenticate the attached E_Port.

OFF
This setting turns off the policy. The switch does not support authentication and rejects any authentication negotiation request from another switch. A switch with the policy turned OFF cannot be connected to a switch with the policy turned ON, because the ON state is strict and disables the port if any switch rejects the authentication. DH-CHAP shared secrets must be configured before changing the policy from the OFF to the ON state.
The behavior of the policy between two adjacent switches is defined as follows: If the policy is ON or ACTIVE, the switch sends an authentication negotiation request to the connecting switch. If the connecting switch does not support authentication or its policy is OFF, the request is rejected. Once the authentication negotiation succeeds, DH-CHAP authentication is initiated. If DH-CHAP authentication fails, the port is disabled; this applies in all modes of the policy.

Device authentication policy

Device authentication policy can also be categorized as an HBA authentication policy. Fabric-wide distribution of the device authentication policy is not supported, because device authentication requires manual interaction in setting the HBA shared secrets and switch shared secrets, and most HBAs do not support the defined DH groups for use in the DH-CHAP protocol.

By default the switch is in the OFF state, which means the switch clears the security bit in the FLOGI (fabric login). The authUtil command provides an option to change the device policy mode to PASSIVE, which means the switch responds to authentication from any device and does not initiate authentication to devices. When the policy is set to ON, the switch expects a FLOGI with the FC-SP bit set. If it is not set, the switch rejects the FLOGI with reason LS_LOGICAL_ERROR (0x03), explanation "Authentication Required" (0x48), and disables the port. Regardless of the policy, the F_Port is disabled if the DH-CHAP protocol fails to authenticate.

If the HBA sets the FC-SP bit during FLOGI and the switch sends a FLOGI accept with the FC-SP bit set, the switch expects the HBA to start the AUTH_NEGOTIATE. From this point until the AUTH_NEGOTIATE is completed, all ELS and CT frames, except the AUTH_NEGOTIATE ELS frame, are blocked by the switch. During this time, the Fibre Channel driver rejects all other ELS frames. The F_Port does not form until the AUTH_NEGOTIATE is completed.
It is the HBA's responsibility to send an Authentication Negotiation ELS frame after receiving the FLOGI accept frame with the FC-SP bit set.

The device policy is changed with the authUtil command:

    switch:admin> authutil --policy -dev

The following are the available policy modes and properties:

OFF (default)
Authentication is not required. Even if a device sends a FLOGI with the security bit set, the switch accepts the FLOGI with the security bit OFF. In this case, the switch assumes there are no further authentication requests from the device.

130 Configuring advanced security features
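The E_Port rules for two adjacent switches (ON/ACTIVE initiate, OFF and pre-3.2.0 firmware reject, ON is strict, DH-CHAP failure disables the port in every mode) and the F_Port handling under the device policy (FLOGI with or without the FC-SP bit, the LS_RJT with reason 0x03 and explanation 0x48, the ELS/CT gate until AUTH_NEGOTIATE completes) are modelled below as an added worked example. This is not code from the Fabric OS guide, nor from HP or Brocade; it encodes the rules as stated in this section so that a rollout plan can be checked before policies are changed on real switches. The class and state names, the firmware-version tuple comparison and the `policy_change_allowed` check are assumptions made for the model. One case the page does not spell out is an ACTIVE switch whose peer has its policy OFF: the page says OFF rejects the negotiation request and that ON is the strict mode that disables the port on any rejection, so the model lets ACTIVE bring the E_Port up unauthenticated in that case, the same way it does for a peer that lacks authentication support.

```python
# Added example, not from the Fabric OS guide: a model of the switch (E_Port) and
# device (F_Port) authentication policy rules stated in this section. Names, states
# and the firmware-version comparison are assumptions made for the model.
from dataclasses import dataclass

UP_AUTH = "E_Port up, DH-CHAP/FCAP authenticated"
UP_NOAUTH = "E_Port up, not authenticated"
DISABLED = "port disabled"


@dataclass(frozen=True)
class Switch:
    policy: str                  # "ON", "ACTIVE", "PASSIVE" (default) or "OFF"
    fos: tuple = (6, 2, 0)       # firmware version; pre-3.2.0 has no FCAP/DH-CHAP support

    @property
    def supports_auth(self):
        return self.fos >= (3, 2, 0)

    @property
    def initiates(self):
        # Only ON and ACTIVE send an authentication negotiation request.
        return self.supports_auth and self.policy in ("ON", "ACTIVE")

    @property
    def rejects_negotiation(self):
        # OFF rejects any request; a pre-3.2.0 switch cannot take part at all.
        return self.policy == "OFF" or not self.supports_auth


def policy_change_allowed(old, new, secrets_configured):
    """OFF -> ON is only allowed once DH-CHAP shared secrets exist on the switch."""
    return not (old == "OFF" and new == "ON" and not secrets_configured)


def eport_outcome(a, b, dh_chap_ok=True):
    """Outcome of E_Port initialization between two adjacent switches a and b."""
    for me, peer in ((a, b), (b, a)):
        if me.initiates and peer.rejects_negotiation:
            if me.policy == "ON":
                return DISABLED        # strict mode: any rejection disables the port
            return UP_NOAUTH           # ACTIVE carries on without authentication
                                       # (assumption for an OFF peer, see lead-in)
    if not (a.initiates or b.initiates):
        return UP_NOAUTH               # PASSIVE/OFF on both sides: nobody starts
    return UP_AUTH if dh_chap_ok else DISABLED   # DH-CHAP failure disables in every mode


# LS_RJT sent when policy ON receives a FLOGI without the FC-SP bit.
LS_RJT_AUTH_REQUIRED = {"reason": 0x03, "reason_name": "LS_LOGICAL_ERROR",
                        "explanation": 0x48, "explanation_text": "Authentication Required"}


class FPort:
    """Switch side of one F_Port under the device policy (authUtil --policy -dev)."""

    def __init__(self, policy="OFF"):
        assert policy in ("ON", "PASSIVE", "OFF")
        self.policy = policy
        self.state = "LOGGED_OUT"     # -> AWAIT_AUTH_NEGOTIATE -> ONLINE | DISABLED

    def on_flogi(self, fcsp_bit):
        """Return the switch's reply to a FLOGI whose FC-SP bit is fcsp_bit."""
        if self.policy == "ON" and not fcsp_bit:
            self.state = "DISABLED"
            return ("LS_RJT", LS_RJT_AUTH_REQUIRED)
        if self.policy == "OFF" or not fcsp_bit:
            self.state = "ONLINE"     # accept with the security bit cleared; no auth follows
            return ("ACC", {"fcsp": False})
        self.state = "AWAIT_AUTH_NEGOTIATE"   # accept with the bit set; HBA must start AUTH_NEGOTIATE
        return ("ACC", {"fcsp": True})

    def frame_allowed(self, els_or_ct):
        """Until AUTH_NEGOTIATE completes, every ELS/CT frame except AUTH_NEGOTIATE is blocked."""
        if self.state == "AWAIT_AUTH_NEGOTIATE":
            return els_or_ct == "AUTH_NEGOTIATE"
        return self.state == "ONLINE"

    def on_auth_done(self, dh_chap_ok):
        """DH-CHAP result: the F_Port forms on success and is disabled on failure."""
        assert self.state == "AWAIT_AUTH_NEGOTIATE"
        self.state = "ONLINE" if dh_chap_ok else "DISABLED"
        return self.state


if __name__ == "__main__":
    for pa, pb in (("ON", "PASSIVE"), ("ON", "OFF"), ("ACTIVE", "OFF"), ("PASSIVE", "PASSIVE")):
        print(f"{pa:7s} <-> {pb:7s}: {eport_outcome(Switch(pa), Switch(pb))}")
    print("ON      <-> pre-3.2.0: ", eport_outcome(Switch("ON"), Switch("PASSIVE", fos=(3, 1, 0))))
    port = FPort("ON")
    print("policy ON, FLOGI without FC-SP bit:", port.on_flogi(False), port.state)
```

The table the script prints is the check to run before flipping a switch policy: every ON/OFF or ON/pre-3.2.0 pairing comes out as a disabled ISL, while PASSIVE on the newer switch leaves legacy neighbours untouched, which is why PASSIVE is the default and the safe staging state. Setting the device policy to ON is likewise only safe once every attached HBA is known to set the FC-SP bit, since the model shows a plain FLOGI is rejected and the port disabled.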