Reference Guide
You must obtain the WWN of the peer switch to configure the secret key. If you are configuring an EX_Port on an FC router, you can use
the fcrEdgeShow command to obtain the WWN of the switch at the other end of the IFL.
NOTE
Only DH-CHAP authentication is supported for in-flight encryption of EX_Ports.
1. Log in to the switch using an account with admin permissions, or an account with OM permissions for the Authentication RBAC
class of commands.
ATTENTION
When setting a secret key pair, you are entering the shared secrets in plain text. Use a secure channel, such as SSH or
the serial console, to connect to the switch on which you are setting the secrets.
2. Configure DH-CHAP or FCAP for authentication using the authUtil --set command with the -a option.
switch:admin> authutil --set -a dhchap
Authentication is set to dhchap.
You can specify any one of the following options:
∙ dhchap
∙ fcap
∙ all
The dhchap option sets the authentication protocol to DH-CHAP. The fcap option sets the authentication protocol to FCAP. Although
all enables both FCAP and DH-CHAP, the active protocol defaults to FCAP for all ports configured for in-flight encryption.
If dhchap is specified, then all switches in the fabric must enable DH-CHAP and establish pre-shared secrets. If fcap is
specified, then all switches in the fabric must enable FCAP and use certificates (CA and switch) installed on them. If the protocol
is set to all, you must establish pre-shared secrets or certificates based on the encryption method selected (DH-CHAP or
FCAP).
3. Set the DH group to group 4 using the authUtil --set command with the -g option.
switch:admin> authutil --set -g "4"
DH Group was set to 4.
You can specify either "4" or "*". The "4" option explicitly enables DH group 4. Although "*" enables all DH groups (0 through 4),
the DH group defaults to group 4 for all ports configured for in-flight encryption.
4. Configure pre-shared keys or certificates based on the encryption method selected (DH-CHAP or FCAP):
∙ If DH-CHAP is the configured authentication protocol, use the secAuthSecret --set command to establish a pre-shared
secret key at each end of the ISL. It is recommended to use a 32-bit secret for an ISL carrying encrypted or compressed
traffic.
switch:admin> secauthsecret --set
When prompted, enter the WWN for the remote switch and secret strings for the local switch and the remote switch.
∙ If FCAP is the configured authentication protocol, use the seccertutil command to generate the public/private key pair, the
CSR, and the passphrase, and then import the certificates (CA and switch) at both ends of the ISL.
switch:admin> seccertutil
5. Activate the configured authentication using the authUtil --policy command to set the switch policy mode to Active or On.
switch:admin> authutil --policy -sw active
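The following is an added illustration of what the DH-CHAP branch of steps 2 through 5 sets up; it is not Brocade code and not part of this guide. It models the secret table that secAuthSecret --set fills (peer WWN, local secret, remote secret) and runs a simplified DH-CHAP challenge/response between two switches, so you can see why the secrets must be entered crosswise at the two ends of the ISL. The DH modulus, the hash (SHA-256) and the message layout are constructed stand-ins, not FC-SP's real DH group 4 parameters or negotiated hash; the WWNs and secret strings are constructed sample values.

```python
"""Toy model of DH-CHAP mutual authentication between two switches.
Added example; assumptions: toy DH parameters, SHA-256 as the response hash,
and a secret table laid out as secAuthSecret --set prompts for it."""
import hashlib
import hmac
import secrets as rng

# Constructed toy Diffie-Hellman parameters (a 255-bit prime), NOT the real
# 2048-bit DH group 4 modulus that "authutil --set -g 4" selects.
P = 2**255 - 19
G = 2


def h(*parts: bytes) -> bytes:
    """Response hash H(challenge || secret || g^xy). SHA-256 is an assumption."""
    return hashlib.sha256(b"".join(parts)).digest()


class Switch:
    """One switch and the table secAuthSecret --set populates on it:
    table[peer_wwn] = (local_secret, remote_secret)."""

    def __init__(self, wwn: str, table: dict):
        self.wwn = wwn
        self.table = table

    def local_secret(self, peer: str) -> bytes:
        """Secret this switch uses to prove itself to `peer`."""
        return self.table[peer][0]

    def remote_secret(self, peer: str) -> bytes:
        """Secret this switch expects `peer` to prove itself with."""
        return self.table[peer][1]


def dhchap_authenticate(init: Switch, resp: Switch) -> bool:
    """Run one DH-CHAP exchange; True only if both directions verify."""
    if resp.wwn not in init.table or init.wwn not in resp.table:
        return False  # no secret configured for that peer WWN
    # Challenge: initiator sends a nonce C1 and its DH public value g^x mod p
    x = rng.randbelow(P - 2) + 1
    gx, c1 = pow(G, x, P), rng.token_bytes(16)
    # Reply: responder picks y, derives g^xy, answers C1 with the secret it
    # holds for proving itself to the initiator, and sends g^y plus its own C2
    y = rng.randbelow(P - 2) + 1
    gy, c2 = pow(G, y, P), rng.token_bytes(16)
    k_resp = pow(gx, y, P).to_bytes(32, "big")
    r1 = h(c1, resp.local_secret(init.wwn), k_resp)
    # Initiator derives the same g^xy from g^y and checks R1 against the
    # secret it expects the responder to use (constant-time compare)
    k_init = pow(gy, x, P).to_bytes(32, "big")
    if not hmac.compare_digest(r1, h(c1, init.remote_secret(resp.wwn), k_init)):
        return False
    # Success: initiator answers C2; responder checks it with the secret it
    # expects the initiator to use
    r2 = h(c2, init.local_secret(resp.wwn), k_init)
    return hmac.compare_digest(r2, h(c2, resp.remote_secret(init.wwn), k_resp))


# Constructed sample WWNs and secrets (not real devices)
WWN_A, WWN_B = "10:00:00:05:1e:aa:aa:aa", "10:00:00:05:1e:bb:bb:bb"
S_A_TO_B = b"constructed-secret-A-proves-to-B"
S_B_TO_A = b"constructed-secret-B-proves-to-A"


def correctly_paired() -> bool:
    """Secrets entered crosswise at both ends: A's local is B's remote."""
    a = Switch(WWN_A, {WWN_B: (S_A_TO_B, S_B_TO_A)})
    b = Switch(WWN_B, {WWN_A: (S_B_TO_A, S_A_TO_B)})
    return dhchap_authenticate(a, b) and dhchap_authenticate(b, a)


def mistyped_secret() -> bool:
    """One side entered the wrong remote secret: the ISL fails authentication."""
    a = Switch(WWN_A, {WWN_B: (S_A_TO_B, S_B_TO_A)})
    b = Switch(WWN_B, {WWN_A: (S_B_TO_A, b"typo")})
    return dhchap_authenticate(a, b)


def unknown_peer() -> bool:
    """No entry for the peer WWN at one end: authentication is refused."""
    a = Switch(WWN_A, {WWN_B: (S_A_TO_B, S_B_TO_A)})
    b = Switch(WWN_B, {})
    return dhchap_authenticate(a, b)


if __name__ == "__main__":
    print("paired:", correctly_paired(), "mistyped:", mistyped_secret(),
          "unknown:", unknown_peer())
```

The point the model makes explicit is the one step 4 states in prose: the "local" secret entered on one switch must equal the "remote" secret entered for it on the peer, keyed by the peer's WWN, and a mismatch in either direction leaves the link unauthenticated once the policy is set to active in step 5.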
In-flight Encryption and Compression
Brocade Fabric OS Administration Guide, 8.0.1
410 53-1004111-02