Brocade Secure Fabric OS Administrator's Guide (53-1000244-01, November 2006)

Using DH-CHAP
Secure Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 use Diffie-Hellman with Challenge-Handshake
Authentication Protocol (DH-CHAP) shared secrets to provide switch-to-switch authentication and prevent
the addition of unauthorized switches to the fabric. (DH-CHAP is not available with Fabric OS v2.6.x.)
The default is to use FCAP or SLAP (see “Using PKI”); DH-CHAP must be explicitly enabled before it is
used for authentication.
Using the authUtil command, you can control which authentication protocols are used: FCAP only,
DH-CHAP only, or either. If either is permitted, the default order (FCAP, DH-CHAP) is used; the actual
protocol is selected during dynamic negotiation.
DH-CHAP requires a pair of shared secret keys—shared secrets—between each pair of switches
authenticating with DH-CHAP. Use the secAuthSecret command to manage shared secrets. See the
Fabric OS Command Reference Manual for details of the authUtil and secAuthSecret commands and
see “Configuring Switch-to-Switch Authentication” on page 2-22 for a basic procedure for configuring
DH-CHAP.
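The following is an added illustration, not Brocade code and not the FC-SP wire format: it models the authUtil policy check (FCAP only, DH-CHAP only, or either in the order FCAP, DH-CHAP) and a DH-CHAP style mutual handshake in which each switch proves knowledge of the secret its peer holds for it without sending that secret. The Switch class, the secAuthSecret-like secret table, the toy Diffie-Hellman group, and the WWNs are all constructed for the example.

```python
"""Illustrative model of authUtil protocol selection and a DH-CHAP style
mutual handshake between two switches (constructed example, not Brocade
code and not the FC-SP wire format)."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, chosen only so the arithmetic is readable;
# real DH-CHAP uses the standardised FC-SP groups.
P = 2 ** 127 - 1   # a Mersenne prime
G = 3

FCAP, DH_CHAP = "FCAP", "DH-CHAP"


class Switch:
    """A switch with its authUtil policy and its secAuthSecret-like table.

    auth_order lists the permitted protocols in preference order, e.g.
    (FCAP, DH_CHAP) for "either", (DH_CHAP,) for DH-CHAP only.
    secrets maps a peer WWN to {"mine": secret this switch proves with,
    "peer": secret it expects that peer to prove with}.
    """

    def __init__(self, wwn, auth_order, secrets_by_peer=None):
        self.wwn = wwn
        self.auth_order = tuple(auth_order)
        self.secrets = dict(secrets_by_peer or {})


def negotiate_protocol(initiator, responder):
    """Return the first protocol in the initiator's order that the responder
    also permits, or None when the two policies share no protocol."""
    for proto in initiator.auth_order:
        if proto in responder.auth_order:
            return proto
    return None


def _chap_response(secret, challenge, dh_shared):
    """CHAP-style response bound to the ephemeral DH shared value."""
    h = hashlib.sha256()
    h.update(secret)
    h.update(challenge)
    h.update(dh_shared.to_bytes(16, "big"))
    return h.digest()


def _prove_one_direction(prover, verifier):
    """verifier challenges prover; True only if prover answers with the
    secret the verifier holds for it."""
    if prover.wwn not in verifier.secrets or verifier.wwn not in prover.secrets:
        return False                       # no shared secret configured
    # Ephemeral DH exchange: the secret is never transmitted and every
    # response is fresh, so a captured response cannot be replayed.
    x_v = secrets.randbelow(P - 2) + 1
    x_p = secrets.randbelow(P - 2) + 1
    pub_v, pub_p = pow(G, x_v, P), pow(G, x_p, P)
    challenge = secrets.token_bytes(16)
    shared_v = pow(pub_p, x_v, P)          # verifier's view of g^(xv*xp)
    shared_p = pow(pub_v, x_p, P)          # prover's view, the same value
    response = _chap_response(prover.secrets[verifier.wwn]["mine"], challenge, shared_p)
    expected = _chap_response(verifier.secrets[prover.wwn]["peer"], challenge, shared_v)
    return hmac.compare_digest(response, expected)


def authenticate(a, b):
    """Negotiate a protocol and, for DH-CHAP, run the handshake in both
    directions. Returns (protocol, result); result is None when the
    selected protocol (FCAP) is outside this example."""
    proto = negotiate_protocol(a, b)
    if proto != DH_CHAP:
        return proto, None
    return DH_CHAP, _prove_one_direction(a, b) and _prove_one_direction(b, a)


if __name__ == "__main__":
    # Constructed WWNs and secrets; each direction uses its own secret.
    s_ab, s_ba = b"secret-a-proves-to-b", b"secret-b-proves-to-a"
    a = Switch("10:00:00:00:00:00:00:01", (DH_CHAP,),
               {"10:00:00:00:00:00:00:02": {"mine": s_ab, "peer": s_ba}})
    b = Switch("10:00:00:00:00:00:00:02", (DH_CHAP,),
               {"10:00:00:00:00:00:00:01": {"mine": s_ba, "peer": s_ab}})
    rogue = Switch("10:00:00:00:00:00:00:99", (DH_CHAP,))
    print("a <-> b:", authenticate(a, b))
    print("a <-> rogue:", authenticate(a, rogue))
```

The important behaviour to observe is that a switch with no entry in the peer's secret table, or with a mismatched secret in either direction, fails the handshake even though it supports DH-CHAP, which is the property that keeps an unauthorized switch out of the fabric.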
Fabric Configuration Server Switches
Fabric configuration server (FCS) switches are one or more switches that are specified as “trusted”
switches for managing Secure Fabric OS. These switches should be both electronically and physically
secure. At least one FCS switch must be specified to act as the primary FCS switch, and one or more
backup FCS switches are recommended to provide failover ability in case the primary FCS switch fails.
If your primary FCS switch runs Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, or v5.2.0 you should not use a
Fabric OS v2.6.2 switch (or a switch running older versions of Fabric OS v3.x.x or v4.x.x) as a backup
FCS switch. Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 introduce features, such as a larger
secure database (128K in v3.2.0 and 256K in v4.4.0, v5.0.1, v5.1.0, and v5.2.0), multiple user accounts
(MUA), RADIUS, password policies, and an SSL certificate, all of which are not supported by older
releases.
FCS switches are specified by listing their WWNs in a specific policy called the FCS policy. The first
switch that is listed in this policy and participating in the fabric acts as the primary FCS switch; it
distributes the following information to the other switches in the fabric:
• Zoning configuration
• Secure Fabric OS policies
• Fabric password database
• SNMP community strings
• System date and time
When secure mode is enabled, only the primary FCS switch can propagate management changes to the
fabric. When a new switch joins the fabric, the primary FCS switch verifies the digital certificate; then it
provides the current configuration, overwriting the existing configuration of the new switch.
Note
The role of the FCS switch is separate from the role of the principal switch, which assigns domain IDs.
The role of the principal switch is not affected by whether secure mode is enabled.
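The following added example (not Fabric OS code) models three rules from this section: the primary FCS switch is the first WWN in the FCS policy that is participating in the fabric, with the next listed switch taking over if it leaves; in secure mode only the primary FCS switch may propagate management changes; and a backup FCS switch running a release older than v3.2.0, v4.4.0, v5.0.1, v5.1.0, or v5.2.0 should be flagged when the primary runs one of those releases. The WWNs, the fabric membership, and the release assignments are constructed.

```python
"""FCS policy helpers: primary selection, failover, change gating, and the
backup-release check (constructed example, not Fabric OS code)."""

# Releases that introduced the larger secure database, MUA, RADIUS,
# password policies, and the SSL certificate; older releases lack them.
CURRENT_RELEASES = {"v3.2.0", "v4.4.0", "v5.0.1", "v5.1.0", "v5.2.0"}


def primary_fcs(fcs_policy, fabric_members):
    """First WWN in FCS-policy order that is currently in the fabric.
    If the primary leaves, the next listed member becomes primary."""
    members = set(fabric_members)
    for wwn in fcs_policy:
        if wwn in members:
            return wwn
    return None


def accept_management_change(fcs_policy, fabric_members, source_wwn):
    """In secure mode only the primary FCS switch may propagate a change;
    with no FCS switch present nothing is accepted."""
    primary = primary_fcs(fcs_policy, fabric_members)
    return primary is not None and source_wwn == primary


def backup_release_warnings(fcs_policy, fabric_members, release_by_wwn):
    """List backup FCS switches in the fabric whose release is older than
    the primary's and therefore cannot take over its secure database."""
    primary = primary_fcs(fcs_policy, fabric_members)
    if primary is None or release_by_wwn.get(primary) not in CURRENT_RELEASES:
        return []
    warnings = []
    for wwn in fcs_policy:
        if wwn == primary or wwn not in fabric_members:
            continue
        release = release_by_wwn.get(wwn)
        if release not in CURRENT_RELEASES:
            warnings.append(f"{wwn} runs {release} and cannot take over from {primary}")
    return warnings


if __name__ == "__main__":
    # Constructed policy: 01 is the intended primary, 02 and 03 are backups.
    policy = ["10:00:00:00:00:00:00:01", "10:00:00:00:00:00:00:02", "10:00:00:00:00:00:00:03"]
    fabric = {"10:00:00:00:00:00:00:02", "10:00:00:00:00:00:00:03", "10:00:00:00:00:00:00:09"}
    releases = {"10:00:00:00:00:00:00:02": "v5.2.0", "10:00:00:00:00:00:00:03": "v2.6.2"}
    print("primary after 01 left:", primary_fcs(policy, fabric))
    print("change from 09 accepted:", accept_management_change(policy, fabric, "10:00:00:00:00:00:00:09"))
    for line in backup_release_warnings(policy, fabric, releases):
        print("warning:", line)
```

Because the intended primary (the first policy entry) is absent from the constructed fabric, the second entry acts as primary; the non-FCS switch cannot push changes, and the v2.6.2 backup is reported as unable to take over.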