Fabric OS Administrator’s Guide 453
53-1002920-02
Chapter 16
Configuring and enabling authentication for in-flight encryption
Authentication and a secret key must be configured and established before configuring in-flight
encryption.
To enable authentication between an FC router and an edge fabric switch, you must first bring all
EX_Ports online without using authentication. After this, the front WWN of any online EX_Port
connected to the same switch can be used to configure the secret keys in the edge fabric switch.
You must obtain the WWN of the peer switch to configure the secret key. If you are configuring an
EX_Port on an FC router, you can use the fcrEdgeShow command to obtain the WWN of the switch
at the other end of the inter-fabric link (IFL).
1. Log in to the switch using an account with admin permissions, or an account with OM
permissions for the Authentication RBAC class of commands.
ATTENTION
When setting a secret key pair, you are entering the shared secrets in plain text. Use a secure
channel, such as SSH or the serial console, to connect to the switch on which you are setting
the secrets.
2. Configure DH-CHAP for authentication using the authUtil --set command with the -a option.
switch:admin> authutil --set -a dhchap
Authentication is set to dhchap.
You can specify either dhchap or all. The dhchap option explicitly specifies DH-CHAP. Although
all enables both FCAP and DH-CHAP, the active protocol defaults to DH-CHAP for all ports
configured for in-flight encryption.
If DH-CHAP is specified, then all switches in the fabric must enable DH-CHAP and establish
pre-shared secrets. If the protocol is set to all, you must establish pre-shared secrets or
certificates based on the encryption method selected (DH-CHAP or FCAP).
3. Set the DH group to group 4 using the authUtil --set command with the -g option.
switch:admin> authutil --set -g "4"
DH Group was set to 4.
You can specify either "4" or "*". The "4" option explicitly enables DH group 4. Although "*"
enables all DH groups (0 through 4), the DH group defaults to group 4 for all ports configured
for in-flight encryption.
4. Enter the secAuthSecret --set command to establish pre-shared secrets at each end of the ISL.
It is recommended to use a 32-byte secret for an ISL carrying encrypted or compressed traffic.
switch:admin> secauthsecret --set
When prompted, enter the WWN for the remote switch and secret strings for the local switch
and the remote switch. The secrets are mirrored at the two ends: the local secret entered on one
switch is the remote secret entered on its peer, and both pairs must match before authentication
can succeed.
5. Activate DH-CHAP authentication using the authUtil --policy command to set the switch policy
mode to Active or On.
switch:admin> authutil --policy -sw active
If you are configuring authentication on an EX_Port, there is no need to set the authentication
policy to Active or On. EX_Ports can operate on any switch authentication policy.
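The exchange that steps 2 through 5 configure, modeled as an added example that is not Brocade Fabric OS code. It follows the shape of FC-SP DH-CHAP (challenge with a DH value, hashed reply, mutual reply) over DH group 4, the 2048-bit MODP group of RFC 3526, but simplifies it: SHA-256 stands in for the FC-SP hash set, and FC message framing, transaction identifiers and reject codes are omitted. The WWNs and secrets are constructed for the example, and the 8-to-40-character secret length it enforces is assumed to mirror secAuthSecret's limits rather than taken from this page.

```python
"""Simplified DH-CHAP (FC-SP) model: added example, not Fabric OS code.
SHA-256 replaces the FC-SP hash set; framing and transaction IDs are omitted.
"""
import hashlib
import hmac
import secrets

# FC-SP DH group 4 is the 2048-bit MODP group of RFC 3526, generator 2.
DH_GROUP4_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
DH_GROUP4_G = 2
P_BYTES = 256  # 2048 bits


class Switch:
    """Authentication state as secAuthSecret --set leaves it: the switch's WWN,
    the local secret it answers challenges with, and the peer secret it expects
    from each remote WWN."""

    def __init__(self, wwn, local_secret, peer_secrets):
        for s in [local_secret, *peer_secrets.values()]:
            # Assumed to mirror secAuthSecret's 8 to 40 character range.
            if not 8 <= len(s) <= 40:
                raise ValueError("secret must be 8 to 40 characters")
        self.wwn = wwn
        self.local_secret = local_secret.encode()
        self.peer_secrets = {w: s.encode() for w, s in peer_secrets.items()}


def valid_dh_value(v):
    """Reject 0, 1 and p-1: they force g^xy to a value an attacker knows."""
    return 1 < v < DH_GROUP4_P - 1


def reply(challenge, secret, shared):
    """R = H(C || K || g^xy mod p): the secret never crosses the link."""
    return hashlib.sha256(
        challenge + secret + shared.to_bytes(P_BYTES, "big")).digest()


def dh_chap(initiator, responder):
    """Run one mutual DH-CHAP exchange; True only if both sides verify."""
    # DHCHAP_Challenge, responder -> initiator: C1 and g^x mod p.
    x = secrets.randbelow(DH_GROUP4_P - 2) + 1
    c1, gx = secrets.token_bytes(16), pow(DH_GROUP4_G, x, DH_GROUP4_P)

    # DHCHAP_Reply, initiator -> responder: R1, g^y mod p and its own C2.
    if not valid_dh_value(gx):
        return False
    y = secrets.randbelow(DH_GROUP4_P - 2) + 1
    gy = pow(DH_GROUP4_G, y, DH_GROUP4_P)
    shared_i = pow(gx, y, DH_GROUP4_P)
    r1 = reply(c1, initiator.local_secret, shared_i)
    c2 = secrets.token_bytes(16)

    # Responder checks R1 with the peer secret stored for the initiator's WWN.
    if not valid_dh_value(gy):
        return False
    expected = responder.peer_secrets.get(initiator.wwn)
    if expected is None:
        return False  # no secret configured for this peer: reject
    shared_r = pow(gy, x, DH_GROUP4_P)
    if not hmac.compare_digest(r1, reply(c1, expected, shared_r)):
        return False

    # DHCHAP_Success, responder -> initiator: R2 proves the responder too.
    r2 = reply(c2, responder.local_secret, shared_r)
    expected = initiator.peer_secrets.get(responder.wwn)
    if expected is None:
        return False
    return hmac.compare_digest(r2, reply(c2, expected, shared_i))


def demo():
    """Constructed FC router / edge switch pair: matching secrets, then the
    edge switch holding a wrong peer secret for the router."""
    fcr_wwn, edge_wwn = "10:00:00:05:1e:00:00:01", "10:00:00:05:1e:00:00:02"
    fcr = Switch(fcr_wwn, "fcr-local-secret-1", {edge_wwn: "edge-local-secret-2"})
    edge = Switch(edge_wwn, "edge-local-secret-2", {fcr_wwn: "fcr-local-secret-1"})
    edge_typo = Switch(edge_wwn, "edge-local-secret-2", {fcr_wwn: "fcr-local-secret-9"})
    return dh_chap(fcr, edge), dh_chap(fcr, edge_typo)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Running it prints (True, False): the first pair authenticates, the second fails because the edge switch's stored peer secret for the FC router does not equal the router's local secret, which is the mismatch a typo at one end of secauthsecret --set produces. Hashing the secret together with g^xy mod p is what ties the authentication to the Diffie-Hellman exchange, which is why the DH group is set alongside the secret; the check on degenerate DH values is the validation an implementation must do before trusting that shared value.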