Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)

ManualsBrandsHP ManualsSoftwareHP StorageWorks ISL quick loop

191

192

193

194

195

196

197

198

199

200

Fabric OS Administrator’s Guide 151

53-1002148-02

Authentication policy for fabric elements

Secret key pairs for DH-CHAP

When you configure the switches at both ends of a link to use DH-CHAP for authentication, you

must also define a secret key pair—one for each end of the link. Use the secAuthSecret command

to perform the following tasks:

• View the WWN of switches with a secret key pair.

• Set the secret key pair for switches.

• Remove the secret key pair for one or more switches.

Note the following characteristics of a secret key pair:

• The secret key pair must be set up locally on every switch. The secret key pair is not distributed

fabric-wide.

• If a secret key pair is not set up for a link, authentication fails. The “Authentication Failed”

(reason code 05h) error will be reported and logged.

• The minimum length of a shared secret is 8 characters and the maximum length is 40

characters. If the E_Port is to carry in-flight encrypted traffic, a shared secret or at least 32

characters is recommended. See Chapter 14, “In-flight Encryption and Compression” for

details about in-flight encryption.

NOTE

When setting a secret key pair, note that you are entering the shared secrets in plain text. Use a

secure channel (for example, SSH or the serial console) to connect to the switch on which you are

setting the secrets.

Viewing the list of secret key pairs in the current switch database

1. Log in to the switch using an account with admin permissions, or an account with the O

permission for the Authentication RBAC class of commands.

2. Enter the secAuthSecret

--show command.

The output displays the WWN, domain ID, and name (if known) of the switches with defined

shared secrets:

WWN DId Name

-----------------------------------------------

10:00:00:60:69:80:07:52 Unknown

10:00:00:60:69:80:07:5c 1 switchA

Setting a secret key pair

1. Log in to the switch using an account with admin permissions, or an account with OM

permissions for the Authentication RBAC class of commands.

2. Enter the secAuthSecret

--set command.

The command enters interactive mode. The command returns a description of itself and

needed input; then it loops through a sequence of switch specification, peer secret entry, and

local secret entry.

To exit the loop, press Enter for the switch name; then type y.