Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)

Configuring encryption and compression
On a given ISL between two 16 Gbps E_Ports, you can configure each port for encryption, compression, or both. Your encryption and compression settings must match at either end of the ISL. Port segmentation will occur during port initialization if these configurations do not match.

Before configuring a port for encryption, you must configure the port for authentication using the authUtil and secAuthSecret commands:

Use the authUtil command to enable switch authentication, enable the DH-CHAP authentication protocol for ports that support encryption, and select the appropriate DH (Diffie-Hellman) group (4 or “*”).

  To enable switch authentication, use the authUtil --policy command with the -sw option to select either the on mode or the active mode.

  To enable the DH-CHAP authentication protocol, use the authUtil --set command with the -a option and select either dhchap or all. dhchap explicitly specifies the DH-CHAP protocol. Although all enables both FCAP and DH-CHAP, the active protocol defaults to DH-CHAP for all ports configured for in-flight encryption.

  To select the appropriate DH group, use the authUtil --set command with the -g option and choose either group 4 or “*”. If “*” is entered, then group 4 is selected from a list.

Use the secAuthSecret command to configure a pre-shared secret on both sides of the ISL for all ports configured for in-flight encryption. A secret of at least 32 characters is recommended. The maximum is 40 characters.

Port segmentation will occur during port initialization if authentication fails.

If you need to disable authentication on a port that has encryption or compression configured, you must first disable encryption or compression on the port, and then disable authentication.
These steps summarize how to enable encryption or compression on a port:

1. Use the portEncCompShow command to determine which ports are available for encryption or compression.

2. If you are enabling encryption on the port, configure port level authentication for the port using the secAuthSecret and authUtil commands. Omit this step if you want to enable only compression on the port.

3. Use the portCfgEncrypt command to enable encryption on the port. This step will fail if you try to exceed the number of allowable ports available for encryption or compression on the chip.

4. Use the portCfgCompress command to enable compression on the port. This step will fail if you try to exceed the number of allowable ports available for encryption or compression on the chip.

Following successful port initialization, the configured features are enabled and active. You can use the islShow command to check that the E_Port has come online with encryption or compression enabled.

If port initialization is not successful, you can check for port segmentation errors with the switchShow command. This command will tell you if the segmentation was due to mismatched encryption or compression configurations on the ports at either end of the ISL, if port-level authentication failed, or if a required resource was not available.