Reference Guide
NOTE
When you set the authentication protocol to FCAP, ensure that the certificates are present at both ends.
NOTE
If you set the authentication protocol to DH-CHAP or FCAP, have not configured shared secrets or certificates, and
authentication is checked (for example, you enable the switch), then switch authentication will fail. If the E_Port is to
carry in-flight encrypted traffic, the authentication protocol must be set to DH-CHAP. You must also use the -g option
to set the DH group value to group 4 or all groups.
switch# authutil --set -g *
OR
switch# authutil --set -g 4
Secret key pairs for DH-CHAP
When you configure the switches at both ends of a link to use DH-CHAP for authentication, you must also define a
secret key pair, one for each end of the link. Use the secAuthSecret command to perform the following tasks:
∙ View the WWN of switches with a secret key pair.
∙ Set the secret key pair for switches.
∙ Remove the secret key pair for one or more switches.
NOTE
The DH-CHAP secrets are stored using AES-256 encryption.
Characteristics of a secret key pair
∙ The secret key pair must be set up locally on every switch. The secret key pair is not distributed fabric-wide.
∙ If a secret key pair is not set up for a link, authentication fails. The "Authentication Failed" (reason code 05h) error
will be reported and logged.
∙ The minimum length of a shared secret is 8 characters and the maximum length is 40 characters. If the E_Port is to
carry in-flight encrypted traffic, a shared secret of at least 32 characters is recommended.
NOTE
When setting a secret key pair, note that you are entering the shared secrets in plain text. Use a secure channel
(for example, SSH or the serial console) to connect to the switch on which you are setting the secrets.
Viewing the list of secret key pairs in the current switch database
1. Log in to the switch using an account with admin permissions, or an account with the O permission for the Authentication
RBAC class of commands.
2. Enter the secAuthSecret --show command.
The output displays the WWN, domain ID, and name (if known) of the switches with defined shared secrets:
WWN                      DId      Name
-----------------------------------------------
10:00:00:60:69:80:07:52  Unknown
10:00:00:60:69:80:07:5c  1        switchA
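As an added example (not part of the guide or of Fabric OS), the following Python helper checks a candidate DH-CHAP shared secret against the length rules in "Characteristics of a secret key pair", draws a compliant secret from the OS CSPRNG, and parses the secAuthSecret --show table above into records; the handling of rows whose domain ID is shown as Unknown is an assumption about the output format.

```python
import re
import secrets
import string

# Length rules for DH-CHAP shared secrets as stated in the guide.
MIN_SECRET_LEN = 8           # shorter secrets are rejected
MAX_SECRET_LEN = 40          # longer secrets are rejected
ENCRYPTED_LINK_MIN_LEN = 32  # recommended minimum when the E_Port carries in-flight encrypted traffic
# One data row of 'secAuthSecret --show': WWN, then DId, then an optional name.
ROW_RE = re.compile(r"^([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){7})\s+(\S+)(?:\s+(\S+))?\s*$")

# Constructed sample output, modelled on the table shown in the guide.
SAMPLE_OUTPUT = """WWN                      DId  Name
-----------------------------------------------
10:00:00:60:69:80:07:52  Unknown
10:00:00:60:69:80:07:5c  1    switchA
"""


def check_shared_secret(secret, encrypted_link=False):
    """Return the problems with a candidate secret; an empty list means it is acceptable."""
    problems = []
    if len(secret) < MIN_SECRET_LEN:
        problems.append("shorter than %d characters" % MIN_SECRET_LEN)
    if len(secret) > MAX_SECRET_LEN:
        problems.append("longer than %d characters" % MAX_SECRET_LEN)
    if encrypted_link and len(secret) < ENCRYPTED_LINK_MIN_LEN:
        problems.append("below the %d-character recommendation for encrypted links" % ENCRYPTED_LINK_MIN_LEN)
    return problems


def generate_shared_secret(length=ENCRYPTED_LINK_MIN_LEN):
    """Draw a secret of the given length from the OS CSPRNG (letters and digits only)."""
    if not MIN_SECRET_LEN <= length <= MAX_SECRET_LEN:
        raise ValueError("length must be between %d and %d" % (MIN_SECRET_LEN, MAX_SECRET_LEN))
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def parse_secauthsecret_show(output):
    """Parse the 'secAuthSecret --show' table into dicts with wwn, did and name. Assumption:
    a non-numeric second column (e.g. 'Unknown') means no domain ID is known for that WWN."""
    records = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header, separator rule or blank line
        wwn, col2, col3 = m.groups()
        if col2.isdigit():
            records.append({"wwn": wwn.lower(), "did": int(col2), "name": col3})
        else:
            records.append({"wwn": wwn.lower(), "did": None, "name": col2})
    return records
```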
Configuring Security Policies
Brocade Fabric OS Administration Guide, 8.0.1
232 53-1004111-02