HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)

elements. Alternatively, a secret key pair for all possible connections may be initially installed, enabling
links to be arbitrarily changed while still maintaining a valid secret key pair for any new connection.
The switch authentication (AUTH) policy initiates DH-CHAP/FCAP authentication on all E_Ports. The policy
is persistent across reboots, which means that authentication is initiated automatically on ports or switches
brought online if the policy is set to a state that activates authentication. The AUTH policy is distributed
manually using the distribute command; automatic distribution of the AUTH policy is not supported.
The default configuration directs the switch to attempt FCAP authentication first, DH-CHAP second. The
switch may be configured to negotiate FCAP, DH-CHAP, or both.
The DH group is used in the DH-CHAP protocol only. The FCAP protocol exchanges the DH group
information, but does not use it.
The AUTH policy is designed to accommodate mixed fabrics that contain Fabric OS 6.0.0 and pre-6.0.0
switches. The PASSIVE and OFF policy states allow a Fabric OS 6.0.0 switch to connect to pre-6.0.0
switches: in these states the switch does not send the authentication negotiation and therefore continues
with the rest of port initialization.
E_Port authentication
The authentication (AUTH) policy allows you to configure DH-CHAP authentication on the switch. By
default the policy is set to PASSIVE; you can change it using the authutil command. All changes to the
AUTH policy take effect immediately. This includes starting authentication on all E_Ports on the local
switch if the policy is changed to ON or ACTIVE, and clearing authentication if the policy is changed to
OFF. Other authentication configuration settings take effect only on subsequent E_Port and F_Port
initialization. A secret key pair must be installed before the policy is changed. The policy is configured as
follows:
switch:admin> authutil --policy -sw <ON|ACTIVE|PASSIVE|OFF>
WARNING! If data input has not been completed when a failover occurs, the command is terminated
without completing and the entire user input is lost.
If data input has completed and the Enter key has been pressed when a failover occurs, the data may or may
not be replicated to the other CP, depending on the timing of the failover. Log in to the other CP after the
failover is complete and verify that the data was saved. If it was not saved, run the command again.
ON: Setting the AUTH policy to ON means that strict authentication is enforced on all E_Ports. If the
connecting switch does not support authentication, or its AUTH policy is set to OFF, the ISL is disabled.
During switch initialization, authentication begins automatically on all E_Ports. To enforce this policy fabric
wide, the fabric must contain only Fabric OS 5.3.0 or later switches. The switch disables the port if it is
connected to a switch that does not support authentication. Regardless of the policy, the E_Port is
disabled if the DH-CHAP or FCAP protocol fails to authenticate the attached E_Port.
ACTIVE: In this state the switch is more tolerant and can connect to a switch with any policy. During
switch initialization, authentication begins on all E_Ports, but the port is not disabled if the connecting
switch does not support authentication or has its AUTH policy set to OFF.
Authentication begins automatically during E_Port initialization. A switch with this policy can safely
connect to pre-6.0 switches, because it continues E_Port initialization if the connecting switch does not
support authentication. Switches running firmware earlier than 3.2.0 do not support FCAP/DH-CHAP
authentication, so the E_Port initializes without authentication. Switches running firmware 3.2.0 and later
respond to the authentication negotiation and participate in the FCAP/DH-CHAP handshake. Regardless of
the policy, the E_Port is disabled if the DH-CHAP or FCAP protocol fails to authenticate the attached E_Port.
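The following model is an added example, not code from the HP or Brocade product, and ties together two things described on this page: the secret key pair that DH-CHAP proves on each end of a link, and the way the ON, ACTIVE, PASSIVE and OFF states decide whether the handshake runs at all and whether the E_Port is disabled afterwards. The DH-CHAP exchange is simplified (SHA-1 over transaction id, secret, challenge and Diffie-Hellman value; a toy 127-bit DH group rather than an FC-SP group; no FCAP) and is not wire-accurate; the WWNs and secrets are constructed for the demonstration.

```python
import hashlib
import os

# AUTH policy states, as named in the guide.
ON, ACTIVE, PASSIVE, OFF = "ON", "ACTIVE", "PASSIVE", "OFF"

# Toy Diffie-Hellman group for illustration only (assumption: NOT one of the
# FC-SP DH groups that a real switch negotiates).
DH_P = 2 ** 127 - 1   # Mersenne prime
DH_G = 5


class Switch:
    """Minimal model of a switch's AUTH policy and installed secrets."""

    def __init__(self, wwn, policy, supports_auth=True):
        self.wwn = wwn
        self.policy = policy
        self.supports_auth = supports_auth      # False models pre-3.2.0 firmware
        self.secrets = {}                       # peer WWN -> (local_secret, peer_secret)

    def set_secret(self, peer_wwn, local_secret, peer_secret):
        """Install one half of a secret key pair for a peer: the secret this
        switch proves to the peer, and the secret it expects the peer to prove."""
        self.secrets[peer_wwn] = (local_secret.encode(), peer_secret.encode())


def install_secret_pair(a, b, a_secret, b_secret):
    """Install a consistent secret key pair on both ends of a link."""
    a.set_secret(b.wwn, a_secret, b_secret)
    b.set_secret(a.wwn, b_secret, a_secret)


def chap_response(tid, secret, challenge, dh_shared):
    """Hashed challenge response: H(transaction id || secret || challenge || DH value).
    SHA-1 and this byte layout are simplifications, not the FC-SP encoding."""
    data = tid.to_bytes(4, "big") + secret + challenge + dh_shared.to_bytes(16, "big")
    return hashlib.sha1(data).digest()


def dh_private():
    """Random DH exponent in [2, DH_P - 2]."""
    return 2 + int.from_bytes(os.urandom(16), "big") % (DH_P - 3)


def dh_chap(init, resp):
    """Simplified mutual DH-CHAP between initiator and responder. True on success."""
    if resp.wwn not in init.secrets or init.wwn not in resp.secrets:
        return False                                   # no secret key pair installed
    i_local, i_expect = init.secrets[resp.wwn]
    r_local, r_expect = resp.secrets[init.wwn]
    tid = int.from_bytes(os.urandom(4), "big")
    # Initiator -> responder: challenge C1 and DH public value g^x
    x, c1 = dh_private(), os.urandom(16)
    gx = pow(DH_G, x, DH_P)
    # Responder: derive the shared DH value, answer C1 with its own secret,
    # and send its own challenge C2 plus g^y so the initiator must prove itself too
    y, c2 = dh_private(), os.urandom(16)
    gy = pow(DH_G, y, DH_P)
    k_resp = pow(gx, y, DH_P)
    r1 = chap_response(tid, r_local, c1, k_resp)
    # Initiator: derive the same DH value and check R1 against the secret it
    # holds for the responder; a mismatched secret pair fails here
    k_init = pow(gy, x, DH_P)
    if r1 != chap_response(tid, i_expect, c1, k_init):
        return False
    # Initiator -> responder: R2 answering C2; responder verifies it
    r2 = chap_response(tid, i_local, c2, k_init)
    return r2 == chap_response(tid, r_expect, c2, k_resp)


def bring_up_isl(a, b):
    """Apply the policy rules to an E_Port between a and b.
    Returns "up-authenticated", "up-unauthenticated" or "disabled"."""
    def initiates(s):                     # ON and ACTIVE start the negotiation
        return s.supports_auth and s.policy in (ON, ACTIVE)

    def participates(s):                  # anything but OFF answers a negotiation
        return s.supports_auth and s.policy != OFF

    handshake = (initiates(a) and participates(b)) or (initiates(b) and participates(a))
    if not handshake:
        # ON is strict: no authentication means the ISL is disabled.
        # ACTIVE, PASSIVE and OFF continue port initialization without it.
        return "disabled" if ON in (a.policy, b.policy) else "up-unauthenticated"
    init, resp = (a, b) if initiates(a) else (b, a)
    # Regardless of policy, a failed DH-CHAP exchange disables the E_Port.
    return "up-authenticated" if dh_chap(init, resp) else "disabled"


if __name__ == "__main__":
    # Constructed WWNs and secrets for the demonstration.
    core = Switch("10:00:00:05:1e:00:00:01", ON)
    edge = Switch("10:00:00:05:1e:00:00:02", PASSIVE)
    install_secret_pair(core, edge, "core-secret", "edge-secret")
    print("ON <-> PASSIVE, matching secrets:", bring_up_isl(core, edge))
    edge.set_secret(core.wwn, "edge-secret", "wrong-secret")
    print("ON <-> PASSIVE, mismatched pair: ", bring_up_isl(core, edge))
    legacy = Switch("10:00:00:05:1e:00:00:03", PASSIVE, supports_auth=False)
    print("ON <-> pre-3.2.0 switch:         ", bring_up_isl(core, legacy))
    core.policy = ACTIVE
    print("ACTIVE <-> pre-3.2.0 switch:     ", bring_up_isl(core, legacy))
```

The two points worth noticing are in bring_up_isl: a PASSIVE switch facing another PASSIVE switch never starts the exchange, so the ISL comes up unauthenticated, and an ACTIVE switch facing a mismatched secret pair is disabled even though ACTIVE tolerates a peer with no authentication at all. Installing the secrets before changing the policy, as the guide requires, is what keeps an ON or ACTIVE switch from taking its own ISLs down.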
PASSIVE (default): In the PASSIVE state the switch does not initiate authentication, but participates in
authentication if the connecting switch initiates it.
The switch does not start authentication on E_Ports, but accepts incoming authentication requests, and
does not disable the port if the connecting switch does not support authentication or has its policy set to OFF.
state. This is the safest policy for switches connecting to pre-5.3.0 switches. That means 5.3.0 and later