Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)

150 Fabric OS Administrator’s Guide
53-1002148-02
Authentication policy for fabric elements
7
Authentication protocols
Use the authUtil command to perform the following tasks:
Display the current authentication parameters.
Select the authentication protocol used between switches.
Select the DH (Diffie-Hellman) group for a switch.
Run the authUtil command on the switch you want to view or change. Below are the different
options to specify which DH group you want to use.
00 – DH Null option
01 1024 bit key
02 – 1280 bit key
03 - 1536 bit key
04 – 2048 bit key
Viewing the current authentication parameter settings for a switch
1. Log in to the switch using an account with admin permissions, or an account with the O
permission for the Authentication RBAC class of commands.
2. Enter the authUtil
--show.
Example of output from the authUtil --show command
AUTH TYPE HASH TYPE GROUP TYPE
--------------------------------------
fcap,dhchap sha1,md5 0, 1, 2, 3, 4
Switch Authentication Policy: PASSIVE
Device Authentication Policy: OFF
Setting the authentication protocol
1. Log in to the switch using an account with admin permissions, or an account with OM
permissions for the Authentication RBAC class of commands.
2. Enter the authUtil
--set -a command specifying fcap, dhchap, or all.
Example of setting the DH-CHAP authentication protocol
switch:admin> authutil --set -a dhchap
Authentication is set to dhchap.
When using DH-CHAP, make sure that you configure the switches at both ends of a link.
NOTE
If you set the authentication protocol to DH-CHAP or FCAP, have not configured shared secrets
or certificates, and authentication is checked (for example, you enable the switch), then switch
authentication fails.
If the E_Port is to carry in-flight encrypted traffic, the authentication protocol must be set to
DH-CHAP. You must also use the -g option to set the DH group value to group 4 or all groups.
See Chapter 14, “In-flight Encryption and Compression,” for details about in-flight encryption.