Reference Guide

ManualsBrandsDell ManualsAccess PlatformsBrocade G620

231

232

233

234

235

236

237

238

239

240

3. Store the CSR from each switch on a file server.

4. Obtain the certificates from the CA.

You can request a certificate from a CA through a Web browser. After you request a certificate, the CA either sends certificate

files by e-mail (public) or gives access to them on a remote host (private). Typically, the CA provides the certificate files listed in

the following table.

ATTENTION

Only the .pem file is supported for FCAP authentication.

Certificate File Description

name CA.pem The CA certificate. It must be installed on the remote and local switch

to verify the validity of the switch certificate or switch validation fails.

name .pem The switch certificates:switch certificate.

5. On each switch, install the CA certificate before installing switch certificate.

6. After the CA certificate is installed, install the switch certificate on each switch.

7. Update the switch database for peer switches to use third-party certificates.

8. Use the newly installed certificates by starting the authentication process.

Generating the key and CSR for FCAP

The public/private key and CSR has to be generated for the local and remote switches that will participate in the authentication. In FCAP,

one command is used to generate the public/private key the CSR, and the passphrase.

1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having OM

permissions for the PKI RBAC class of commands.

2. Enter the secCertUtil generate -fcap -keysize command on the local switch.

switch:admin> seccertutil generate -fcap -keysize 1024 -hash sha1|sha256

WARNING!!!

About to create FCAP:

ARE YOU SURE (yes, y, no, n): [no] y

Installing Private Key and Csr...

Switch key pair and CSR generated...

3. Repeat step 2 on the remote switch.

Exporting the CSR for FCAP

You will need to export the CSR file created in Generating the key and CSR for FCAP on page 234 section and send to a Certificate

Authority (CA). The CA will in turn provide two files as outlined in FCAP configuration overview on page 233.

1. Log in to the switch using an account with admin permissions, or an account associated with the chassis role and having OM

permissions for the PKI RBAC class of commands.

2. Enter the secCertUtil export -fcapswcsr command.

switch:admin> seccertutil export -fcapswcsr

Select protocol [ftp or scp]: scp

Enter IP address: 10.1.2.3

Enter remote directory: /myHome/jdoe/OPENSSL

Enter Login Name: jdoe

jdoe@10.1.2.3's password: <hidden text>

Success: exported FCAP CA certificate

Configuring Security Policies

Brocade Fabric OS Administration Guide, 8.0.1

234 53-1004111-02