Brocade Secure Fabric OS Administrator's Guide - Supporting Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, 5.2.0, and 5.3.0 (53-1000244-02, June 2007)

Management Channel Security
Secure Fabric OS can be used to provide policy-based access control of local and remote
management channels, including Fabric Manager, Web Tools, standard SNMP applications, and
management server.
Access through a channel can be restricted by customizing the Secure Fabric OS policy for that
channel. Secure Fabric OS policies are available for telnet (includes sectelnet and SSH), SNMP,
management server, HTTP, and API.
Fabric Manager, Web Tools, and API all use both HTTP and API to access the switch. To use any of
these management tools to access a fabric that has secure mode enabled, ensure that the
workstation computers can access the fabric by both API and HTTP. If an API or HTTP policy has
been created, it must include the IP addresses of all the workstation computers.
After a digital certificate has been installed on the switch, Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0,
and v5.2.0 encrypt sectelnet, API, and HTTP passwords automatically, regardless of whether
Secure Fabric OS is enabled. Fabric OS v5.3.0 does not support sectelnet.
NOTE
The Telnet button in Web Tools can be used to launch telnet only (not sectelnet or SSH); it is disabled
when secure mode is enabled.
On two-domain directors, messages (such as notifications of password changes) that are sent to
the whole secure fabric are seen on both domains, even if the other domain is not part of the
secure fabric.
Secure Shell (SSH)
Fabric OS v4.4.0, v5.0.1, v5.1.0, v5.2.0, and v5.3.0 support SSH, enabling fully encrypted telnet
sessions. Use of SSH requires installation of an SSH client on the host computer; use of SSH does
not require a digital certificate on the switch.
SSH access is configurable by the Telnet Policy that is available through Secure Fabric OS. However,
Fabric OS v4.4.0, v5.0.1, v5.1.0, v5.2.0, and v5.3.0 support SSH whether or not Secure Fabric OS
is licensed.
To restrict CLI access to SSH over the network, disable telnet as described in “Telnet” on page 3
later in this section.
SSH clients are available in the public domain and can be located by searching the Internet. Use
clients that support version 2 of the protocol, such as OpenSSH or F-Secure.
Fabric OS v4.4.0, v5.0.1, v5.1.0, v5.2.0, and v5.3.0 also support the following ciphers for session
encryption and HMACs (hash function-based message authentication codes):
ciphers: AES128-CBC, 3DES-CBC, Blowfish-CBC, Cast128-CBC, and RC4
HMACs: HMAC-MD5, HMAC-SHA1, HMAC-SHA1-96, and HMAC-MD5-96
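Because the switch offers this whole list, which algorithm a session actually uses is decided by the client's preference order. The following added example (not Brocade code, and not from this guide) shows how an administrator can pin the client side: it takes the cipher and HMAC lists above in OpenSSH naming, negotiates them against an operator preference list, reports what is refused, and emits a per-host OpenSSH client stanza. The preference lists, the host alias and the address 192.0.2.10 are assumptions made for the example, as is the use of an OpenSSH client that still accepts the CBC ciphers when they are listed explicitly.

```python
"""Choose the strongest SSH algorithms a Fabric OS switch offers.

Added example (not Brocade code). The switch-side lists are the ciphers and
HMACs the guide says Fabric OS v4.4.0-v5.3.0 support, written in OpenSSH
algorithm names; the client preference lists and the host/IP values are
this example's assumptions.
"""

# Ciphers and HMACs the switch advertises, in OpenSSH naming (RC4 is "arcfour").
SWITCH_CIPHERS = ["aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour"]
SWITCH_MACS = ["hmac-md5", "hmac-sha1", "hmac-sha1-96", "hmac-md5-96"]

# Operator policy (assumption): AES-CBC first, 3DES-CBC as fallback, SHA-1
# HMACs only. RC4, Blowfish, CAST and the MD5-based MACs are never offered.
PREFERRED_CIPHERS = ["aes128-cbc", "3des-cbc"]
PREFERRED_MACS = ["hmac-sha1", "hmac-sha1-96"]


def negotiate(client_pref, server_offer):
    """Return the algorithms both sides accept, in client preference order.

    This mirrors SSH transport negotiation: the first entry in the client's
    list that the server also supports is the one used for the session.
    """
    offered = set(server_offer)
    return [alg for alg in client_pref if alg in offered]


def excluded(server_offer, client_pref):
    """Algorithms the switch offers that the client policy refuses."""
    accepted = set(client_pref)
    return [alg for alg in server_offer if alg not in accepted]


def ssh_config_stanza(host_alias, address, ciphers, macs):
    """Build a per-host OpenSSH client stanza that pins the negotiated lists.

    Pinning Ciphers/MACs on the client means a downgrade to RC4 or HMAC-MD5
    fails the connection instead of silently succeeding. Recent OpenSSH
    releases ship without the CBC ciphers enabled, so the stanza enables them
    for this host only (assumption: a client that still accepts them).
    """
    if not ciphers or not macs:
        raise ValueError("no mutually acceptable cipher or MAC; refusing to emit config")
    return "\n".join([
        f"Host {host_alias}",
        f"    HostName {address}",
        f"    Ciphers {','.join(ciphers)}",
        f"    MACs {','.join(macs)}",
    ])


def plan(host_alias, address):
    """Negotiate both lists and return the config plus what was refused."""
    ciphers = negotiate(PREFERRED_CIPHERS, SWITCH_CIPHERS)
    macs = negotiate(PREFERRED_MACS, SWITCH_MACS)
    return {
        "config": ssh_config_stanza(host_alias, address, ciphers, macs),
        "excluded_ciphers": excluded(SWITCH_CIPHERS, PREFERRED_CIPHERS),
        "excluded_macs": excluded(SWITCH_MACS, PREFERRED_MACS),
    }


if __name__ == "__main__":
    result = plan("fabric-switch", "192.0.2.10")  # constructed alias and address
    print(result["config"])
    print("# refused:", result["excluded_ciphers"], result["excluded_macs"])
```

The stanza goes into the workstation's ssh_config; with it in place, a session to the switch can only use AES128-CBC or 3DES-CBC with a SHA-1 HMAC, and the refused lists document for the change record exactly which of the switch's algorithms are never negotiated.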
NOTE
The first time an SSH client is launched, a message is displayed, indicating that the server’s host key
is not cached in the registry. You will also see this message the first time an SSH client is launched
after you upgrade switch firmware.
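Both situations in the note above (first connection, and first connection after a firmware upgrade) are the moments when the client is asking the operator to accept a host key it cannot vouch for. The following added example (not Brocade code, and not from this guide) shows the check a practitioner would make before accepting: look up the key cached for the switch in an OpenSSH-style known_hosts file, compute its SHA256 fingerprint in the format OpenSSH displays, and compare it with a fingerprint recorded through a trusted channel. The known_hosts text, the key blobs and the addresses are constructed for the example; the existence of an out-of-band fingerprint record is an assumption.

```python
"""Verify a Fabric OS switch host key against a fingerprint recorded elsewhere.

Added example (not Brocade code). The known_hosts text and the key blobs are
constructed; the addresses and the out-of-band fingerprint record are this
example's assumptions.
"""
import base64
import hashlib
import hmac


def encode_blob(text):
    """Base64 a made-up byte string so it looks like a known_hosts key blob."""
    return base64.b64encode(text.encode()).decode()


# Constructed known_hosts content: an entry for the switch (two names, as
# OpenSSH writes them), a comment, a blank line and one unrelated host.
KNOWN_HOSTS = "\n".join([
    "# constructed sample file",
    "192.0.2.10,fabric-switch ssh-rsa " + encode_blob("switch-key-before-upgrade"),
    "",
    "198.51.100.7 ssh-rsa " + encode_blob("some-other-host-key"),
])


def cached_key(known_hosts_text, host):
    """Return (keytype, base64 blob) cached for host, or None if not cached."""
    for line in known_hosts_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, blob = line.split()[:3]
        if host in hosts.split(","):
            return keytype, blob
    return None


def fingerprint(b64blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(base64.b64decode(b64blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def verify_cached_key(known_hosts_text, host, expected_fingerprint):
    """Compare the cached key for host with the fingerprint obtained out of band.

    Returns "match", "mismatch" (the key changed, which is what the client
    reports after a firmware upgrade; confirm before reconnecting) or
    "uncached" (first connection: the client will prompt, so compare the
    fingerprint it shows against the record before accepting).
    """
    entry = cached_key(known_hosts_text, host)
    if entry is None:
        return "uncached"
    _, blob = entry
    if hmac.compare_digest(fingerprint(blob), expected_fingerprint):
        return "match"
    return "mismatch"


if __name__ == "__main__":
    # Stands in for the fingerprint written down when the key was first trusted.
    recorded = fingerprint(encode_blob("switch-key-before-upgrade"))
    print(verify_cached_key(KNOWN_HOSTS, "192.0.2.10", recorded))
```

A "mismatch" after a firmware upgrade is expected only if the upgrade regenerated the switch's host key; the recorded fingerprint should be refreshed from the trusted channel, not from the prompt, before the new key is accepted.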
For more information about SSH, see the Fabric OS Administrator’s Guide.