Deployment Guide

A logical switch supports an SCC policy. You can configure and distribute an SCC policy on a logical
switch.
SCC enforcement is performed on an ISL based on the SCC policy present on the logical switch.
For more information on Virtual Fabrics, refer to Managing Virtual Fabrics on page 267.
Creating an SCC policy
1. Connect to the switch and log in using an account with admin permissions, or an account with OM
permissions for the Security RBAC class of commands.
2. Enter the secPolicyCreate "SCC_POLICY" command.
3. Save or activate the new policy by entering either the secPolicySave or the secPolicyActivate
command. secPolicySave stores the policy in the defined policy set without enforcing it;
secPolicyActivate also activates it, so enforcement begins.
If neither of these commands is entered, the changes are lost when you log out of the session.
Example of creating an SCC policy
For example, to create an SCC policy that allows switches that have domain IDs 2 and 4 to join the
fabric:
switch:admin> secpolicycreate "SCC_POLICY", "2;4"
SCC_POLICY has been created
switch:admin> secpolicysave
Authentication policy for fabric elements
By default, Fabric OS v6.2.0 and later use the Diffie-Hellman Challenge Handshake Authentication
Protocol (DH-CHAP) or the Fibre Channel Authentication Protocol (FCAP) to authenticate switches.
DH-CHAP relies on shared secrets; FCAP relies on digital certificates, based on the switch WWN and
public key infrastructure (PKI) technology. Authentication automatically defaults to FCAP if both
switches are configured to accept FCAP, unless the ports are configured for in-flight encryption, in
which case authentication defaults to DH-CHAP if both switches are configured to accept DH-CHAP. To
use FCAP, PKI certificates must be installed on both switches.
The DH-CHAP and FCAP authentication protocols used by Brocade switches are FC-SP-2 standard
compliant.
NOTE
The fabric authentication feature is available in base Fabric OS. No license is required.
FCAP requires the exchange of certificates between two or more switches so that they can authenticate
each other before they form or join a fabric. Beginning with Fabric OS v7.0.0, these certificates are no
longer issued by Brocade but by a third party, which is now the root CA for all of the issued
certificates. You can use Brocade and third-party certificates between switches running Fabric OS
v6.4.0 or later, but only Brocade-issued certificates (where Brocade is the root CA) for Fabric OS
versions earlier than v6.4.0.
Both root and peer certificates must be in PEM (Privacy Enhanced Mail) encoded format. Switch
certificates issued by third-party vendors can be issued directly by the root CA or by an intermediate
CA.
When you configure DH-CHAP authentication, you must also define a pair of shared secrets, known to
both switches as a secret key pair. Figure 14 illustrates how the secrets are configured. A secret key
pair consists of a local secret and a peer secret. The local secret uniquely identifies the local switch.
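As an added illustration of how the secret key pair on each switch must mirror the other switch's pair, the following Python model runs a DH-CHAP-style mutual authentication between two switches. This is not Brocade's code and not the exact FC-SP DH-CHAP message format; the DH group, switch names, secret values and message layout are constructed for the example. Each switch answers a challenge with its local secret and checks the other side's answer against its peer secret, so a mismatch in either direction is visible as a one-sided failure.

```python
# Added example (not Brocade code, and not the FC-SP DH-CHAP wire format): a
# DH-CHAP-style mutual authentication between two switches, showing how each
# switch's "secret key pair" (local secret + peer secret) must line up with the
# other switch's pair. Group, names and message layout are constructed here.
import hashlib
import hmac
import secrets

# RFC 2409 group 2 (1024-bit MODP), used only so the DH arithmetic is real;
# FC-SP negotiates its own DH group and hash function during the exchange.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8


class Switch:
    """One fabric element with its DH-CHAP secret key pair."""

    def __init__(self, name, local_secret, peer_secret):
        self.name = name
        self.local_secret = local_secret  # proves *this* switch to the peer
        self.peer_secret = peer_secret    # what this switch expects from the peer
        self._x = secrets.randbelow(P - 3) + 2  # ephemeral DH exponent
        self.public = pow(G, self._x, P)
        self.shared = None

    def derive(self, peer_public):
        """DH shared key; equal on both sides only if nobody swapped the values."""
        self.shared = pow(peer_public, self._x, P)
        return self.shared


def chap_response(secret, challenge, shared_key):
    """CHAP-style response over the secret, bound to the fresh challenge and to
    the DH key: a captured response cannot be replayed, and a relaying attacker
    who substitutes DH values produces responses that do not verify."""
    msg = challenge + shared_key.to_bytes(KEY_BYTES, "big")
    return hmac.new(secret.encode(), msg, hashlib.sha256).digest()


def pairs_consistent(a, b):
    """Configuration check: a's local secret must be b's peer secret, and vice versa."""
    return a.local_secret == b.peer_secret and b.local_secret == a.peer_secret


def authenticate(a, b):
    """Two-way challenge/response between initiator a and responder b.
    Returns (a_accepted_b, b_accepted_a)."""
    # 1. Exchange DH public values and derive the shared key on each side.
    ka = a.derive(b.public)
    kb = b.derive(a.public)
    # 2. a challenges b; b answers with its local secret, a checks with its peer secret.
    c1 = secrets.token_bytes(16)
    r1 = chap_response(b.local_secret, c1, kb)
    a_accepts = hmac.compare_digest(r1, chap_response(a.peer_secret, c1, ka))
    # 3. b challenges a in the other direction.
    c2 = secrets.token_bytes(16)
    r2 = chap_response(a.local_secret, c2, ka)
    b_accepts = hmac.compare_digest(r2, chap_response(b.peer_secret, c2, kb))
    return a_accepts, b_accepts


if __name__ == "__main__":
    sw1 = Switch("sw1", local_secret="sw1-secret-9f3c", peer_secret="sw2-secret-71ab")
    sw2 = Switch("sw2", local_secret="sw2-secret-71ab", peer_secret="sw1-secret-9f3c")
    print("consistent:", pairs_consistent(sw1, sw2), "auth:", authenticate(sw1, sw2))
    # Typo in sw2's peer secret: sw1 still accepts sw2, but sw2 rejects sw1.
    bad = Switch("sw2", local_secret="sw2-secret-71ab", peer_secret="sw1-secret-9f3C")
    print("consistent:", pairs_consistent(sw1, bad), "auth:", authenticate(sw1, bad))
```

The asymmetry in the second run is the practical point: when an ISL fails to authenticate, check which side rejected the other, because that tells you which switch's peer secret does not match the other switch's local secret.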
Fabric OS Administrator's Guide 221
53-1003130-01