53-1000244-02 15 Jun 2007 Secure Fabric OS Administrator’s Guide Supporting Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, 5.2.0, and 5.3.
Copyright © 2003-2006 Brocade Communications Systems, Incorporated. ALL RIGHTS RESERVED. Brocade, the Brocade B weave logo, Fabric OS, File Lifecycle Manager, MyView, Secure Fabric OS, SilkWorm, and StorageX are registered trademarks and Tapestry is a trademark of Brocade Communications Systems, Inc., in the United States and/or in other countries. FICON is a registered trademarks of IBM Corporation in the U.S. and other countries.
Brocade Communications Systems, Incorporated Corporate Headquarters Brocade Communications Systems, Inc. 1745 Technology Drive San Jose, CA 95110 Tel: 1-408-333-8000 Fax: 1-408-333-8101 Email: info@brocade.com Asia-Pacific Headquarters Brocade Communications Singapore Pte. Ltd. 9 Raffles Place #59-02 Republic Plaza 1 Singapore 048619 Tel: +65-6538-4700 Fax: +65-6538-0302 Email: apac-info@brocade.
Document Title | Publication Number | Summary of Changes | Publication Date
Secure Fabric OS Administrator’s Guide | 53-10000048-01 | Add SilkWorm 4900 and 7500 and Fabric OS v5.1.0 support information, Fibre Channel router and password management policy support information. | November 2005
Secure Fabric OS Administrator’s Guide | 53-10000048-02 | Minor updates. | April 2006
Secure Fabric OS Administrator’s Guide | 53-1000244-01 | Revised for Secure Fabric OS v5.2. |
viii Secure Fabric OS Administrator’s Guide 53-1000244-02
About This Document
This document is a procedural guide written to help SAN administrators set up and manage a Brocade Secure Fabric OS SAN. This document is specific to Brocade Secure Fabric OS v5.3.0 and all switches running Fabric OS versions v3.2.x, v4.4.x, v5.0.1, v5.1.0, or v5.2.0. “About This Document” contains the following sections: How This Document Is Organized, Supported Hardware and Software, . . .
Supported Hardware and Software
In those instances in which procedures or parts of procedures documented here apply to some switches but not to others, this guide identifies exactly which switches are supported and which are not. Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc. for v3.2.x, v4.4.x, v5.0.1, v5.1.0, v5.2.0, and v5.3.0, documenting all possible configurations and scenarios is beyond the scope of this document.
NOTES, CAUTIONS, AND WARNINGS
The following notices appear in this document.
NOTE
A note provides a tip, emphasizes important information, or provides a reference to related information.
CAUTION
A caution alerts you to potential damage to hardware, firmware, software, or data.
WARNING
A warning alerts you to potential danger to personnel.
KEY TERMS
For definitions specific to Brocade and Fibre Channel, see the Brocade Glossary.
• XPath OS MIB Reference
• XPath OS System Error Message Reference
• Web Tools—AP Edition Administrator’s Guide
Fabric OS Optional Features
• Web Tools Administrator’s Guide
• Fabric Watch Administrator’s Guide
• Fabric Manager Administrator’s Guide
• Secure Fabric OS Administrator’s Guide
Brocade 48000
• Brocade 48000 Hardware Reference Manual
• Brocade 48000 QuickStart Guide
• FR4-18i Hardware Reference Manual
• FC4-16IP Hardware Reference Manual
• FA4-18 Hardware Reference Manual
Brocade 24000
• Bro
Brocade 4100
• Brocade 4100 Hardware Reference Manual
• Brocade 4100 QuickStart Guide
Brocade 3900
• Brocade 3900 Hardware Reference Manual (for v4.x software)
• Brocade 3900 QuickStart Guide (for v4.x software)
• Brocade 3900 Fan Assembly Replacement Procedure
• Brocade 3900 Motherboard Assembly Replacement Procedure
• Brocade 3900 Power Supply Replacement Procedure
Brocade 3250/3850
• Brocade 3250/3850 Hardware Reference Manual (for v4.x software)
• Brocade 3250/3850 QuickStart Guide (for v4.
For additional resource information, visit the Technical Committee T11 Web site. This Web site provides interface standards for high-performance and mass storage applications for Fibre Channel, storage management, and other applications: http://www.t11.org For information about the Fibre Channel industry, visit the Fibre Channel Industry Association Web site: http://www.fibrechannel.
- SilkWorm 3600, Brocade 200E, 3014, 3016, 3250, 3850, 3900, 4100, 4900, 7500 switches and Brocade 24000 and 48000 directors: Provide the license ID. Use the licenseIdShow command to display the license ID.
- SilkWorm Multiprotocol Router Model AP7420: Provide the switch WWN. Use the switchShow command to display the switch WWN.
- All other Brocade switches: Provide the switch WWN. Use the wwn command to display the switch WWN.
Chapter 1 Introducing Secure Fabric OS Brocade Secure Fabric OS is an optionally licensed product that provides customizable security restrictions through local and remote management channels on a Brocade fabric.
Management Channel Security
Secure Fabric OS can be used to provide policy-based access control of local and remote management channels, including Fabric Manager, Web Tools, standard SNMP applications, and management server. Access through a channel can be restricted by customizing the Secure Fabric OS policy for that channel. Secure Fabric OS policies are available for telnet (includes sectelnet and SSH), SNMP, management server, HTTP, and API.
sectelnet
The sectelnet client is a secure form of telnet that encrypts passwords only. It is available from your switch supplier. Fabric OS v4.4.0, v5.0.1, v5.1.0, and v5.2.0 include the sectelnet server; the sectelnet client must be installed on the workstation computer. The sectelnet client can be used as soon as a digital certificate is installed on the switch. sectelnet access is configurable by the Telnet policy.
Telnet
Standard telnet is not available when secure mode is enabled.
USING DH-CHAP
Secure Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, v5.2.0, and v5.3.0 use Diffie-Hellman with Challenge-Handshake Authentication Protocol (DH-CHAP) shared secrets to provide switch-to-switch authentication and prevent the addition of unauthorized switches to the fabric. (DH-CHAP is not available with Fabric OS v2.6.x.) The default is to use FCAP or SLAP (see “Using PKI”); DH-CHAP must be explicitly enabled before it is used for authentication.
Because the primary FCS switch distributes the zoning configuration, zoning databases do not merge when new switches join the fabric. Instead, the zoning information on the new switches is overwritten when the primary FCS switch downloads zoning to these switches, if secure mode is enabled on all of them. For more information about zoning, see the Fabric OS Administrator’s Guide. For more information about merging fabrics, see “Adding Switches and Merging Fabrics with Secure Mode Enabled” on page 70.
• Management access control (MAC) policies—Use to restrict management access to switches. The following specific MAC policies are provided:
  - Read and Write SNMP policies. Use to restrict which SNMP hosts are allowed read and write access to the fabric.
  - Telnet policy. Use to restrict which workstations can use sectelnet or SSH to connect to the fabric (telnet is not available when Secure Fabric OS is enabled).
  - HTTP policy. Use to restrict which workstations can use HTTP to access the fabric.
Chapter 2 Preparing the Fabric for Secure Fabric OS
Secure Fabric OS is supported by Fabric OS v2.6.2, v3.1.0, v4.1.0 and later; it can be added to fabrics that contain any combination of these versions. This manual applies to v5.3.0 only; it assumes that a compatible version of Fabric OS is running on all switches in the fabric before Secure Fabric OS is added.
NOTE
Adding Secure Fabric OS to the fabric might require access to the Web site of the switch support supplier.
• Disable Administrative Domains and assign users to default AD. Set Administrative Domains to disabled and assign all users to the default Administrative Domain of their role. For more information about Administrative Domain assignments, see the Fabric OS Administrator’s Guide.
• Fabric-wide consistency policy is not defined. Clear Fabric-wide Consistency policies. Secure mode does not support the distribution of local SCC and DCC policies. To clear this setting, see the Fabric OS Administrator’s Guide.
To identify the current version of Fabric OS:
1. Open a serial or telnet connection to each of the switches in the fabric and log in as admin.
2. Type the version command. For example, entering the version command on a Brocade 3900:
   switch3900:admin> version
   Kernel:     2.4.19
   Fabric OS:  v5.1.0
   Made on:    Fri Nov 11 11:12:36 2005
   Flash:      Tue Dec 6 18:03:35 2005
   BootProm:   4.5.3
To upgrade the Fabric OS:
The firmware upgrade process depends on the type of switch and management interface.
3. If the Secure Fabric OS and Advanced Zoning licenses are already listed, the features are already available and the remaining steps are not required; continue if either license is not listed.
4. Contact the switch supplier to purchase the required license key.
5. After the key is received, type licenseAdd "key". key is the license key string exactly as provided by the switch supplier; it is case sensitive. You can copy it from the email in which it was provided directly into the CLI.
The command displays the status of the PKI objects.
NOTE
“Root Certificate” is an internal PKI object. “Certificate” is the digital certificate.
Displaying PKI objects on Fabric OS v4.x or later:
   switch:admin> pkishow
   Passphrase      : Exist
   Private Key     : Exist
   CSR             : Exist
   Certificate     : Exist
   Root Certificate: Exist
Displaying PKI objects on Fabric OS v3.2.0:
   switch:admin> configshow "pki"
   Passphrase      : Exist
   Private Key     : Exist
   CSR             : Exist
   Certificate     : Exist
   Root Certificate: Exist
3.
   Certificate     : Empty
   Root Certificate: Exist
The command displays the status of the PKI objects.
5. Repeat for any other switches, as required.
REMOVING PKI OBJECTS
You cannot delete PKI objects in secure mode. If they are deleted when secure mode is disabled, secure mode cannot be re-enabled until they are generated.
Save the digital certificate file on a secure workstation. The recommended location is in the directory with the CSR file. Making a backup copy of the digital certificate file and storing it in a secure location is recommended.
Installing the PKICert Utility
The PKI certificate installation utility (PKICert utility) version 1.0.6 is provided by the switch supplier and is used to collect certificate signing requests (CSRs) and install digital certificates on switches.
If the file already exists, new event/error information will be appended to it.
   Enter a log file name [or just press Enter to accept the default].
   [pki_events.log] => pki_events_fabric1.log
The utility prompts for the desired function.
3. Type 1 to select CSR retrieval and press Enter.
   PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.
   Login to fabric 1.  principal switch WWN = 10:00:00:60:69:80:46:00
   Username: admin
   Password:
   Logged into fabric 1.  principal switch WWN = 10:00:00:60:69:80:46:00
   Press Enter to continue >
To read the fabric addresses from a file
a. Type 2 and press Enter. The utility prompts for the path and file name of the file. The addresses in the file must be IP addresses or switch names, each on a separate line.
b. Type the path and file name of the file that contains the fabric addresses and press Enter.
   Include (optional) licensed product data (y/n)? > y
   Get CSRs even from switches with certificates (y/n)? > y
NOTE
If CSRs are retrieved and digital certificates are requested for switches that already have digital certificates, the same digital certificates are provided again.
6. The utility prompts for which fabrics to retrieve CSRs from. Type a to retrieve CSRs from all discovered fabrics; or, as shown in the example, type 1 to retrieve CSRs only from the fabric identified earlier; then press Enter.
9. Select n to input different fabric addresses; or, as shown in the example, select y to continue with the current fabrics.
   PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.
Distributing Digital Certificates to the Switches
You can use the PKICert utility to distribute digital certificates to the switches in the fabric. The utility ensures that each digital certificate is installed on the corresponding switch. If you run the utility without any task argument, it defaults to interactive mode, in which it prompts for the required input.
NOTE
If this procedure is interrupted by a switch reboot, the certificate is not loaded and the procedure must be repeated.
4. Type the desired method for entering the fabric addresses.
   PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
   Choose a method for providing fabric addresses
   1) Manually enter fabric address
   2) Read addresses from a file (name to be given)
   r) Return to Main menu
   Type choice>
To enter the fabric address manually
1. Type 1 and press Enter. The utility prompts for the IP address or switch name of a switch in the fabric. Only one switch name or IP address is required for each fabric.
2. Type the path and file name of the file that contains the fabric addresses and press Enter.
   Enter the file-name of the Fabric Address file.
   File Name ===> \\server\Working\FabricAddresses.txt
   Connecting to Fabric(s) ...
   Login to fabric 1.  principal switch WWN = 10:00:00:60:69:80:46:00
3. The utility prompts for the username and password for this switch. Type the username and password; press Enter to continue.
   Username: admin
   Password:
   Logged into fabric 1.
6. The new certificates are loaded onto the switches and the success or failure of each certificate is displayed. Press Enter to continue.
   PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
   Load Certificates onto 1 fabric(s)
To create a PKI report
1. Type 3:
   PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
   FUNCTIONS
   1) Retrieve CSRs from switches & write a CSR file
   2) Install Certificates contained in a Certificate file
   3) Generate a Licensed-Product/Installed-Certificates report
   4) Help using PKI-Cert to get & install certificates
   q) Quit PKI Certificate installation utility
   Enter choice> 3
5. Enter the requested information:
   a. Type the path and file name for the report file to be created. Then, type y if the address was entered correctly; if not, type n and reenter the address.
   PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
   CREATE REPORT ON LICENSED PRODUCTS
   You must enter the file-name of the report file to write.
8. Type q to quit the utility; then type y and press Enter to verify that you want to quit.
   PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.
HELP WITH COMMAND LINE USEAGE OF PKI CERTIFICATE UTILITY
   pkicert [-gGil] [_e log-file] [-d data-file] [-a addr-file] [-A switch-addr] [-L log-level] [-u user-login -p password]
   Task Options:
   -g   Get CSRs & generate a CSR data file
   -G   Get CSRs (even from switches with certificates)
   -i   Install Certificates from a data file
   -l   Licensed Product Report compile & generate
   If none of the above “task” options is given, Pki-Cert will operate in “Interactive” rather than “Batch” mode.
Configuring Switch-to-Switch Authentication
By default, Secure Fabric OS on Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, v5.2.0, and v5.3.0 uses the SLAP or FCAP protocols for authentication. These protocols use digital certificates, based on switch WWN and PKI technology, to authenticate switches. Support for FCAP is provided in Secure Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, v5.2.0, and v5.3.0 and is used when both switches support it.
To view the current authentication parameter settings for a switch
1. Log in to the switch as admin.
2. On a switch running Fabric OS v4.4.0, v5.0.1, v5.1.0, v5.2.0, or v5.3.0, type authUtil --show; on a switch running Fabric OS v3.2.0, type authUtil "--show". Output similar to the following displays:
   AUTH TYPE      HASH TYPE   GROUP TYPE
   -------------------------------------
   fcap,dhchap    sha1,md5    0,1,2,3,4
To set the authentication protocol used by the switch to DH-CHAP
1. Log in to the switch as admin.
2.
To view the list of switches with shared secrets in the current switches database
1. Log in to the switch as admin.
2. On a switch running Fabric OS v4.x or v5.x, type secAuthSecret --show; on a switch running Fabric OS v3.x, type secAuthSecret "--show". The output displays the WWN, domain ID, and name (if known) of the switches with defined shared secrets:
   WWN                       DId   Name
   ----------------------------------------------
   10:00:00:60:69:80:07:52         Unknown
   10:00:00:60:69:80:07:5c   1     switchA
To set shared secrets
1.
   Enter WWN, Domain, or switch name (Leave blank when done):
   Are you done? (yes, y, no, n): [no] y
   Saving data to key store... Done.
3. Enable and disable the ports on a peer switch using the portEnable and portDisable commands.
Preparing Brocade 24000 for Secure Fabric OS
The two logical switches in a Brocade 24000 director (configured as two domains) require a slightly different procedure from other Fabric OS switches.
2. Type the version command. The firmware version installed on the active CP is displayed. If the firmware is Fabric OS v4.0.0c or later, enter the firmwareShow command for more detailed information about which firmware versions are installed.
   SW24000:admin> version
   Kernel:     2.4.2
   Fabric OS:  v4.0.2
   Made on:    Fri Feb 1 23:02:08 2002
   Flash:      Fri Feb 1 18:03:35 2002
   BootProm:   4.2.13b
   SW24000:admin> firmwareshow
   Local CP (Slot 5, CP0): Active
   Primary partition:   v4.0.2
   Secondary Partition: v4.0.
7. Ensure that both logical switches have an Advanced Zoning license activated, as described in “Verifying or Activating Secure Fabric OS and Advanced Zoning Licenses” on page 9.
8. If the firmware was upgraded, perform the following steps:
   a. Download and install the PKICert utility on the PC workstation, if not preinstalled, as described in “Removing PKI Objects” on page 12.
   b.
To install the sectelnet client on a PC workstation
1. Obtain the PC version of the sectelnet file from the switch supplier and copy the file onto the workstation.
2. Double-click the zip file to decompress it.
3. Double-click the setup.exe file.
4. Install sectelnet.exe to a location that is “known” to the computer, such as the directory containing telnet.exe. The location must be defined in the path environment variable. sectelnet.exe is available as soon as setup completes.
Chapter 3 Enabling Secure Fabric OS and Creating Policies
Secure Fabric OS policies make it possible to customize access to the fabric. The FCS policy is the only required policy; all other policies are optional.
In this chapter: Default Fabric and Switch Accessibility; Enabling Secure Mode; Modifying the FCS Policy; . . .
Default Fabric and Switch Accessibility
Following is the default fabric and switch access when secure mode is enabled but no additional Secure Fabric OS policies have been created:
• Switches:
  - Only the primary FCS switch can be used to make Secure Fabric OS changes.
• Creates and activates the FCS policy.
• Distributes the policy set (initially consisting of only the FCS policy) to all switches in the fabric.
• Activates and distributes the local zoning configurations.
• Fastboots any switches needing a reboot to bring the fabric up in secure mode. (Switches running Fabric OS v3.2.x, v4.4.x, v5.0.1, v5.1.0, v5.2.0, and v5.3.0 are not rebooted when secure mode is enabled.)
• If downloading a configuration to the switch:
  - Download the configuration to the primary FCS switch. A configuration downloaded to a backup FCS switch or non-FCS switch is overwritten by the next fabric-wide update from the primary FCS switch.
  - If the configdownload file contains an RSNMP policy, it must also contain a WSNMP policy. The defined policy set in the configdownload file must have the following characteristics:
    • The defined policy set must exist.
5. Terminate any other sectelnet or SSH connections to the fabric (when using the secModeEnable command, no other sessions should be active) and ensure that any other commands entered in the current session have completed.
6. Use the secModeEnable command to enable secure mode. Several optional arguments are available. This step illustrates three forms of the command:
   - Type secmodeenable --quickmode
     The secModeEnable command might fail if a switch running Fabric OS v2.6.x is in the fabric.
   switch:admin> secmodeenable --lockdown=scc --currentpwd --fcs "*"
   Your use of the certificate-based security features of the software installed on this equipment is subject to the End User License Agreement provided with the equipment and the Certification Practices Statement, which you may review at http://www.switchkeyactivation.com/cps. By using these security features, you are consenting to be bound by the terms of these documents.
   Changing password for admin
   New Non FCS switch admin password:
   Re-type new password:
   Enabling secure mode, this may take several minutes, please wait...
   Broadcast message from root Mon Nov 7 19:22:58 2005...
   Security Policy, Password or Account Attribute Change: root factory admin user will be logged out
   Connection to 10.32.157.26 closed.
   All passwords are saved.
The possible FCS policy states are shown in Table 2.
TABLE 2 FCS Policy States
Policy State | Characteristics
No policy, or policy with no entries | Not possible if secure mode is enabled.
Policy with one entry | A primary FCS switch is designated but there are no backup FCS switches. If the primary FCS switch becomes unavailable for any reason, the fabric is left without an FCS switch.
Policy with multiple entries | A primary FCS switch and one or more backup FCS switches are designated.
4. Type secPolicyActivate.
FAILING OVER THE PRIMARY FCS SWITCH
The secFCSFailover command is used to fail over the role of the primary FCS switch to the backup FCS switch from which the command is entered. This can be used to recover from events such as a lost Ethernet connection to the primary FCS switch. In addition to failing over the role of the primary FCS switch, this command moves the new primary FCS switch to the top of the list in the FCS policy.
   The FCS policy of Active and Defined Policy sets have been changed.
   Review them before you issue secpolicyactivate again.
Specify policy members by IP address, device port WWN, switch WWN, domain IDs, or switch names, depending on the policy. The valid methods for specifying policy members are listed in Table 3.
CAUTION
An empty MAC policy blocks all access through that management channel. When creating policies, ensure that all desired members are added to each policy. Providing fabric access to proxy servers is strongly discouraged. When a proxy server is included in a MAC policy for IP-based management, such as the HTTP_POLICY, all IP packets leaving the proxy server appear to originate from the proxy server. This could result in allowing any hosts that have access to the proxy server to access the fabric.
To create an SNMP policy
1. From a sectelnet or SSH session, log in to the primary FCS switch as admin.
2. Type secPolicyCreate "WSNMP_POLICY", "member;...;member". member is one or more IP addresses in dot-decimal notation. "0" can be entered in an octet to indicate that any number can be matched in that octet. For example, to create a WSNMP and an RSNMP policy to allow only IP addresses that match 192.168.5.0 read and write access to the fabric:
   primaryfcs:admin> secpolicycreate "WSNMP_POLICY", "192.
The possible Telnet policy states are shown in Table 5.
TABLE 5 Telnet Policy States
Policy State | Description
No policy | Any host can connect by sectelnet or SSH to the fabric.
Policy with no entries | No host can connect by sectelnet or SSH to the fabric.
Policy with entries | Only specified hosts can connect by sectelnet or SSH to the fabric.
To create a Telnet policy
1. From a sectelnet or SSH session, log in to the primary FCS switch as admin.
2. Type secPolicyCreate "TELNET_POLICY", "member;...
member is one or more IP addresses in dot-decimal notation. "0" can be entered in an octet to indicate that any number can be matched in that octet.
3. To save or activate the new policy, enter either the secPolicySave or the secPolicyActivate command. If neither of these commands is entered, the changes are lost when the session is logged out.
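The IP-based MAC policies above (SNMP and Telnet) share one evaluation model: no policy opens the channel, an empty policy closes it, and a 0 octet in a member is a wildcard. The following is an added Python model of that behaviour, not Brocade code; it also checks the rule from the configdownload section that a policy set with RSNMP_POLICY must also carry WSNMP_POLICY. Policy names and the sample addresses are taken from this guide; nothing here talks to a switch.

```python
"""Model of the IP-based MAC policies (TELNET_POLICY, RSNMP_POLICY, WSNMP_POLICY).
Added example, not Brocade code.

Policy states as the guide defines them:
    None        no policy             -> any host may connect
    []          policy, no entries    -> no host may connect
    [members]   policy with entries   -> only hosts matching a member
A member is a dotted-decimal address; a 0 octet matches any value.
"""
from typing import Dict, List, Optional

Member = List[int]
Policy = Optional[List[Member]]


def _octets(address: str) -> List[int]:
    """Split a dotted-decimal string into four validated octets."""
    parts = address.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"not dotted-decimal: {address!r}")
    octets: List[int] = []
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError(f"bad octet {part!r} in {address!r}")
        octets.append(int(part))
    return octets


def parse_members(member_string: str) -> List[Member]:
    """Parse the 'member;...;member' operand of secPolicyCreate / secPolicyAdd."""
    return [_octets(m) for m in member_string.split(";") if m.strip()]


def member_matches(member: Member, host_ip: str) -> bool:
    """A 0 in a member octet is a wildcard; every other octet must match."""
    return all(m == 0 or m == h for m, h in zip(member, _octets(host_ip)))


def host_allowed(policy: Policy, host_ip: str) -> bool:
    """Apply the three policy states to one connecting host."""
    if policy is None:       # no policy: the channel is open to every host
        return True
    if not policy:           # policy with no entries blocks the whole channel
        return False
    return any(member_matches(m, host_ip) for m in policy)


def policy_set_consistent(policy_set: Dict[str, List[Member]]) -> bool:
    """A defined policy set carrying RSNMP_POLICY must also carry WSNMP_POLICY."""
    return "RSNMP_POLICY" not in policy_set or "WSNMP_POLICY" in policy_set


def empty_policies(policy_set: Dict[str, List[Member]]) -> List[str]:
    """Names of policies with no entries; each one blocks its whole channel."""
    return sorted(name for name, members in policy_set.items() if not members)


if __name__ == "__main__":
    # The guide's own example: read and write SNMP access only from 192.168.5.x
    snmp = parse_members("192.168.5.0")
    policy_set = {"WSNMP_POLICY": snmp, "RSNMP_POLICY": snmp, "HTTP_POLICY": []}
    print(host_allowed(snmp, "192.168.5.77"))   # True
    print(host_allowed(snmp, "192.168.6.77"))   # False
    print(policy_set_consistent(policy_set))    # True
    print(empty_policies(policy_set))           # ['HTTP_POLICY']
```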
SES Policy
The SES policy can be used to restrict which devices can be managed by SES commands. The policy is named SES_POLICY and contains a list of device port WWNs that are allowed to access SES and from which SES commands are accepted and acted upon. If secure mode is enabled, the SES client must be directly attached to the primary FCS switch. Then the SES client can be used to manage all the switches in the fabric through the SES product for SilkWorm switches.
Table 9 displays the possible Management Server policy states.
TABLE 9 Management Server Policy States
Policy State | Characteristics
No policy | All devices can access the management server.
Policy with no entries | No devices can access the management server.
Policy with entries | Specified devices can access the management server.
To create a Management Server policy
1. From a sectelnet or SSH session, log in to the primary FCS switch as admin.
2. Type secPolicyCreate "MS_POLICY", "member;...
If neither of these commands is entered, the changes are lost when the session is logged out. For more information about these commands, see “Saving Changes to Secure Fabric OS Policies” on page 56 and “Activating Changes to Secure Fabric OS Policies” on page 56. For example, to create a SERIAL_POLICY that allows serial port access to a switch that has a WWN of 12:24:45:10:0a:67:00:40:
   primaryfcs:admin> secpolicycreate "SERIAL_POLICY", "12:24:45:10:0a:67:00:40"
   SERIAL_POLICY has been created.
By default, use of node WWNs is allowed; the Options policy does not exist until it is created by the administrator. Table 12 displays the possible Options policy states.
TABLE 12 Options Policy States
Policy State | Characteristics
No policy | Node WWNs can be used for WWN-based zoning.
Policy with no entries | Node WWNs can be used for WWN-based zoning.
Policy with entries | Node WWNs cannot be used for WWN-based zoning.
To create an Options policy:
1.
DCC policies must follow the naming convention “DCC_POLICY_nnn,” where nnn represents a unique string. To save memory and improve performance, one DCC policy per switch or group of switches is recommended. Device ports must be specified by port WWN. Switch ports can be identified by the switch WWN, domain ID, or switch name followed by the port or area number. To specify an allowed connection, enter the device port WWN, a semicolon, and the switch port identification.
- switch can be the switch WWN, domain ID, or switch name. The port can be specified by port or area number. Designating ports automatically includes the devices currently attached to those ports. The ports can be specified using any of the following syntax methods:
  (1-6)—Selects ports 1 through 6.
  (*)—Selects all ports on the switch.
  [*]—Selects all ports and all devices attached to those ports.
  [3, 9]—Selects ports 3 and 9 and all devices attached to those ports.
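The DCC member syntax above is easy to misread, in particular the difference between round brackets (ports only) and square brackets (ports plus the devices currently attached). The following is an added Python model of that syntax and of the resulting device-to-port check; it is not Brocade code. The member grammar, the alias table (switch name, domain ID 1 and the WWN 10:00:00:60:69:80:07:5c all naming one switch), the 16-port count and the attached-device map are assumptions constructed for the example.

```python
"""Model of the DCC_POLICY_nnn member syntax and the connection check it implies.
Added example, not Brocade code. Assumed member grammar (from the guide's text):
    "<device port WWN>;<switch><selector>"   or   "<switch><selector>"
<switch> is a switch WWN, domain ID or switch name; <selector> is (1-6), (*),
[*] or [3, 9]; square brackets also admit the devices attached to those ports.
A connection is allowed when both the device and the port are policy members.
"""
import re
from typing import Dict, List, Set, Tuple

PortKey = Tuple[str, int]  # (canonical switch name, port number)
Policy = Tuple[Set[str], Set[PortKey]]

# Constructed identity map: one switch named by name, domain ID or WWN.
SWITCH_ALIASES: Dict[str, str] = {
    "switchA": "switchA",
    "1": "switchA",
    "10:00:00:60:69:80:07:5c": "switchA",
}
SWITCH_PORT_COUNT: Dict[str, int] = {"switchA": 16}  # constructed
# Constructed fabric state: device port WWN currently logged in on each port.
FABRIC_STATE: Dict[PortKey, str] = {
    ("switchA", 3): "20:00:00:e0:8b:01:aa:01",
    ("switchA", 9): "20:00:00:e0:8b:01:aa:02",
    ("switchA", 12): "20:00:00:e0:8b:01:aa:03",
}

NAME_RE = re.compile(r"^DCC_POLICY_[A-Za-z0-9_]+$")
SELECTOR_RE = re.compile(
    r"^(?P<switch>[^()\[\]]+?)\s*(?P<open>[(\[])(?P<ports>[^)\]]*)(?P<close>[)\]])$"
)


def valid_policy_name(name: str) -> bool:
    """DCC policies must be named DCC_POLICY_nnn, nnn being a unique string."""
    return NAME_RE.match(name) is not None


def expand_ports(spec: str, port_count: int) -> List[int]:
    """Expand '1-6', '3, 9' or '*' into a list of port numbers."""
    spec = spec.strip()
    if spec == "*":
        return list(range(port_count))
    ports: List[int] = []
    for part in spec.split(","):
        lo, dash, hi = part.strip().partition("-")
        ports.extend(range(int(lo), int(hi) + 1) if dash else [int(lo)])
    missing = [p for p in ports if not 0 <= p < port_count]
    if missing:
        raise ValueError(f"port(s) {missing} do not exist on this switch")
    return ports


def parse_member(member: str, fabric: Dict[PortKey, str] = FABRIC_STATE) -> Policy:
    """Return the (device WWNs, switch ports) that one policy member contributes."""
    device, sep, switch_spec = member.strip().partition(";")
    if not sep:  # no device WWN given: the member is a port selector only
        device, switch_spec = "", device
    m = SELECTOR_RE.match(switch_spec.strip())
    if not m or m["open"] + m["close"] not in ("()", "[]"):
        raise ValueError(f"bad switch port selector: {switch_spec!r}")
    switch = SWITCH_ALIASES.get(m["switch"].strip())
    if switch is None:
        raise ValueError(f"unknown switch: {m['switch'].strip()!r}")
    ports = {(switch, p) for p in expand_ports(m["ports"], SWITCH_PORT_COUNT[switch])}
    devices = {device.strip().lower()} if device.strip() else set()
    if m["open"] == "[":  # square brackets also admit the attached devices
        devices |= {fabric[k].lower() for k in ports if k in fabric}
    return devices, ports


def build_policy(name: str, members: List[str]) -> Policy:
    """Merge the members of one DCC policy (one member string per list entry)."""
    if not valid_policy_name(name):
        raise ValueError(f"policy name {name!r} does not follow DCC_POLICY_nnn")
    devices: Set[str] = set()
    ports: Set[PortKey] = set()
    for member in members:
        d, p = parse_member(member)
        devices |= d
        ports |= p
    return devices, ports


def connection_allowed(policy: Policy, device: str, switch_id: str, port: int) -> bool:
    """True when both the device and the switch port are in the policy."""
    devices, ports = policy
    switch = SWITCH_ALIASES.get(switch_id, switch_id)
    return device.lower() in devices and (switch, port) in ports


if __name__ == "__main__":
    policy = build_policy("DCC_POLICY_storage",
                          ["12:24:45:10:0a:67:00:40;switchA(1-6)", "1[3, 9]"])
    print(connection_allowed(policy, "12:24:45:10:0a:67:00:40", "1", 2))       # True
    print(connection_allowed(policy, "20:00:00:e0:8b:01:aa:03", "switchA", 12))  # False
```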
CREATING AN SCC POLICY
CAUTION
Fabric OS v5.2.0 supports local SCC policies; however, the local SCC policies created in non-secure mode cannot be used while in secure mode. Policies created in non-secure mode are deleted when secure mode is enabled. Back up SCC policies before enabling secure mode.
The SCC policy is used to restrict which switches can join the fabric.
If neither of these commands is entered, the changes are lost when the session is logged out. For more information about these commands, see “Saving Changes to Secure Fabric OS Policies” on page 56 and “Activating Changes to Secure Fabric OS Policies” on page 56.
Managing Secure Fabric OS Policies
All Secure Fabric OS transactions must be performed through the primary FCS switch only, except for the secTransAbort, secFCSFailover, secStatsReset, and secStatsShow commands.
SAVING CHANGES TO SECURE FABRIC OS POLICIES
You can save changes to Secure Fabric OS policies without activating them by entering the secPolicySave command. This saves the changes to the defined policy set.
CAUTION
Until the secPolicySave or secPolicyActivate command is issued, all policy changes are in volatile memory only and are lost if the switch reboots or the current session is logged out.
To save changes to the Secure Fabric OS policies without activating them
1.
To add a member to an existing Secure Fabric OS policy
1. From a sectelnet or SSH session, log in to the primary FCS switch as admin.
2. Type secPolicyAdd "policy_name", "member;...;member". policy_name is the name of the Secure Fabric OS policy. member is the item to be added to the policy, identified by device or switch IP address, switch domain ID, device or switch WWN, or switch name.
3. To implement the change immediately, enter the secPolicyActivate command.
policy_name is the name of the Secure Fabric OS policy.
3. To implement the change immediately, enter the secPolicyActivate command:
   primaryfcs:admin> secpolicydelete "MS_POLICY"
   About to delete policy MS_POLICY.
   Are you sure (yes, y, no, n):[no] y
   MS_POLICY has been deleted.
NOTE
The FCS_POLICY cannot be deleted.
ABORTING ALL UNCOMMITTED CHANGES
You can use the secPolicyAbort command to abort all Secure Fabric OS policy changes that have not yet been saved.
Chapter 4 Managing Secure Fabric OS Secure Fabric OS v2.6.2, v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 can be managed through Fabric Manager and sectelnet. In addition, SSH (Secure Shell) is supported for Fabric OS v4.4.0, v5.0.1, v5.1.0, and v5.2.0. When secure mode is enabled for a fabric, all Secure Fabric OS administrative operations, all zoning commands, and some management server commands must be executed on the primary FCS switch.
4 2. Type the secFabricShow command. The command displays the switches in the fabric and their status (Ready, Error, Busy, or NoResp, for no response from the switch). primaryfcs:admin> secfabricshow Role WWN DId Status Enet IP Addr Name ================================================================ non-FCS 10:00:00:60:69:10:03:23 1 Ready 192.168.100.148 "nonfcs" Backup 10:00:00:60:69:00:12:53 2 Ready 192.168.100.147 "backup" Primary 10:00:00:60:69:22:32:83 3 Ready 192.168.100.
____________________________________________________
ACTIVE POLICY SET
FCS_POLICY
Pos Primary WWN                     DId swName
__________________________________________________
  1 Yes     10:00:00:60:69:30:15:5c   1 primaryfcs
HTTP_POLICY
IpAddr
__________________________________________________
192.155.52.0
192.155.53.1
192.155.54.2
192.155.55.
To display the active version of the FCS policy:

primaryfcs:admin> secpolicyshow "active","FCS_POLICY"
____________________________________________________
ACTIVE POLICY SET
FCS_POLICY
Pos Primary WWN                     DId swName
__________________________________________________
  1 Yes     10:00:00:60:69:30:15:5c   1 primaryfcs
____________________________________________________

DISPLAYING STATUS OF SECURE MODE

Use the secModeShow command to determine whether secure mode is enabled.
The names of the Secure Fabric OS statistics and their definitions are provided in Table 16.

TABLE 16 Secure Fabric OS Statistics
Statistic: API_POLICY
Definition: The number of attempted violations to the API policy (includes automated attempts made by client software).

Statistic: AUTH_FAIL (SLAP failures)
Definition: The switch received a SLAP that it could not verify, possibly due to bad certificates, bad signature, the other side not performing SLAP, or SLAP packets that were received out of sequence.
DISPLAYING SECURE FABRIC OS STATISTICS

Use the secStatsShow command to display statistics for one or all Secure Fabric OS policies, depending on the operand entered. Only issue this command from the primary FCS switch if the "list" operand is specified. If the "list" operand is not specified, enter this command from any switch in the fabric.

NOTE
On dual-CP directors, statistics are maintained separately on each CP and are counted only on the active CP.
For example, to reset all statistics on a local switch:

primaryfcs:admin> secstatsreset
About to reset all security counters.
Are you sure (yes, y, no, n):[no] y
Security statistics reset to zero.

To reset the DCC_POLICY statistics on domains 1 and 69:

primaryfcs:admin> secstatsreset "DCC_POLICY", "1;69"
Reset DCC_POLICY statistic.
Table 17 on page 66 summarizes login account behavior with secure mode disabled and enabled.

TABLE 17 Login Account Behavior with Secure Mode Disabled and Enabled
Account Role: admin (can use to modify admin and user passwords)
Secure Mode Disabled: Available on all switches. Password is specific to each switch; can modify using the passwd command.
Secure Mode Enabled: Available on all switches. Can create temporary passwords.
Modifying the FCS Switch Passwords or the Fabric-Wide User Password

The passwd command can be used to modify the passwords for the following accounts when secure mode is enabled:
• The fabric-wide user account
• The admin, root, and factory accounts on the FCS switches
• MUA passwords for user-defined accounts

To modify the passwords
1.
USING TEMPORARY PASSWORDS

Create temporary passwords for default accounts to grant temporary access to a specific switch and login account without compromising the confidentiality of the permanent passwords; the permanent passwords also remain in effect. Temporary passwords can be removed; they are also automatically removed after a switch reboot.
For example, to remove a temporary password for the admin account from a switch that has a domain ID of 2:

switch:admin> sectemppasswdreset 2, "admin"
Committing configuration.....done
Password successfully reset on domain 2 for admin

You can enter the command with no parameters to reset all temporary passwords in the fabric.
Adding Switches and Merging Fabrics with Secure Mode Enabled

To merge fabrics, both fabrics must be in secure mode and must have identical FCS policies. Any switches that do not have a matching FCS policy or are in a different state regarding secure mode are segmented. See Table 18 for more information about moving switches between fabrics.
Table 18 indicates the results of moving switches in and out of fabrics with secure mode enabled or disabled.

TABLE 18 Moving Switches Between Fabrics
Columns: Initial State of Switch | If set up as a standalone switch | If moved into a fabric that has Secure Mode enabled and a functioning primary FCS switch | If moved into a fabric that has Secure Mode enabled but no FCS switches are available | If moved into a non-secure fabric
Initial State of Switch: Primary FCS switch in the FCS policy stored on switch, with secure mode enabled.
   For information on upgrading firmware, refer to the Fabric OS Administrator's Guide.
   d. Customize the account passwords from the default values.
   e. Repeat for each switch that you intend to include in the final merged fabric.
3. If the final merged fabric will contain switches running Fabric OS v2.6.2 or v3.2.0 and switches running Fabric OS v4.4.0, v5.0.1, v5.1.0, or v5.2.
   Ensure that all the FCS policies are an exact match; they must list the same switches, with the switches identified in the same manner and listed in the same order.
   If a fabric has become segmented with secure mode enabled but no FCS switches available, enter the secModeEnable command and modify the FCS policy to specify FCS switches. This is the only instance in which this command can be entered when secure mode is already enabled.
10.
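A checker for the exact-match requirement above, added here as an example and not code from this guide: it parses the FCS_POLICY table in the form secPolicyShow prints (the active FCS policy listing shown earlier in this chapter) and reports every difference in membership, identifiers, or order between two fabrics before a merge is attempted. The two listings are constructed for the example, reusing the switch WWNs from this guide's sample output.

```python
import re
from typing import List, NamedTuple

class FcsMember(NamedTuple):
    pos: int        # position in the FCS list
    primary: bool   # "Yes" in the Primary column
    wwn: str        # switch WWN, lower-cased so case differences do not count
    did: int        # domain ID
    name: str       # switch name (swName column)

# One data row of the FCS_POLICY table: Pos  Primary  WWN  DId  swName
_ROW = re.compile(r"^\s*(\d+)\s+(Yes|No)\s+((?:[0-9A-Fa-f]{2}:){7}[0-9A-Fa-f]{2})\s+(\d+)\s+(\S+)\s*$")

def parse_fcs_policy(listing: str) -> List[FcsMember]:
    """Return the FCS members in the order the switch lists them; header and rule lines are skipped."""
    members = []
    for line in listing.splitlines():
        m = _ROW.match(line)
        if m:
            members.append(FcsMember(int(m.group(1)), m.group(2) == "Yes",
                                     m.group(3).lower(), int(m.group(4)), m.group(5)))
    return members

def fcs_policy_differences(a: List[FcsMember], b: List[FcsMember]) -> List[str]:
    """List what keeps two FCS policies from being an exact match
    (same switches, same identifiers, same order). An empty list means they match."""
    diffs = []
    for i, (x, y) in enumerate(zip(a, b), start=1):
        if (x.wwn, x.did, x.name) != (y.wwn, y.did, y.name):
            diffs.append(f"position {i}: {x.wwn}/{x.did}/{x.name} vs {y.wwn}/{y.did}/{y.name}")
    if len(a) != len(b):
        diffs.append(f"member count differs: {len(a)} vs {len(b)}")
    return diffs

# Constructed listings: fabric A holds the primary from the guide's sample plus its backup
# switch; fabric B lists the same two switches in the opposite order, so a merge would segment.
FABRIC_A = """\
ACTIVE POLICY SET
FCS_POLICY
Pos Primary WWN                     DId swName
__________________________________________________
  1 Yes     10:00:00:60:69:30:15:5c   1 primaryfcs
  2 No      10:00:00:60:69:00:12:53   2 backup
"""
FABRIC_B = """\
FCS_POLICY
Pos Primary WWN                     DId swName
  1 Yes     10:00:00:60:69:00:12:53   2 backup
  2 No      10:00:00:60:69:30:15:5c   1 primaryfcs
"""

if __name__ == "__main__":
    for d in fcs_policy_differences(parse_fcs_policy(FABRIC_A), parse_fcs_policy(FABRIC_B)):
        print("mismatch:", d)
```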
Troubleshooting

Some of the most likely issues with Secure Fabric OS management and the recommended actions are described in Table 19. The information in the table is based on the assumption that the fabric was originally fully functional and secure mode was enabled.

CAUTION
Some of the recommended actions might interrupt data traffic.

TABLE 19 Recovery Processes
Symptom: Secure Fabric OS policies do not appear to be in effect.
Possible Causes: Secure mode is not enabled.
TABLE 19 Recovery Processes (Continued)
Symptom: One or more CLI sessions are automatically logged out.
Possible Causes: Password might have been modified for the login account in use, the secModeEnable command might have been issued, or switches might have changed switch roles (primary to backup, backup to primary, and so forth).
Recommended Actions: Try closing and reopening the CLI session.
TABLE 19 Recovery Processes (Continued)
Symptom: Secure mode cannot be enabled because the password management policy setting is not the default value.
Possible Causes: A switch has non-default values for one or more of the password management policy settings. Only the password management policy default values are supported by secure mode.
Recommended Actions: On each switch, restore the password policy settings to the default values by running passwdcfg --setdefault.
TABLE 19 Recovery Processes (Continued)
Symptom: Unsaved changes to the policies are lost.
Possible Causes: The primary FCS switch might have failed over.
Recommended Actions: Reenter the changes; then, enter the secPolicySave or secPolicyActivate command.

Symptom: During sectelnet sessions, security does not enable and a hex dump displays.
Possible Causes: During the active sectelnet session, PKI objects (key and certificate) are removed and reinstalled from another login session.
Appendix A Removing Secure Fabric OS Capability

You cannot remove Secure Fabric OS capability from a fabric by disabling secure mode and deactivating the Secure Fabric OS license keys on the individual switches. Removing Secure Fabric OS capability is not recommended unless absolutely required. If at all possible, consider disabling only secure mode and leaving the Secure Fabric OS feature available so that secure mode can be reenabled if desired.
For information about reenabling secure mode, see "Enabling Secure Mode" on page 34.

To disable secure mode
1. From a sectelnet, SSH, or serial session, log in to the primary FCS switch as admin.
2. Type secModeDisable.
3. Type the password when prompted.
4. Type y to confirm that secure mode should be disabled.

primaryfcs:admin> secmodedisable
Warning!!!
About to disable security.
ARE YOU SURE (yes, y, no, n): [no] y
Committing configuration...done.
Removing Active FMPS... done
Removing Defined FMPS...
Uninstalling Related Items from the Host

The following items can optionally be removed from the host:
• PKICert utility
• sectelnet
• Secure Shell client

These items do not have to be uninstalled to disable Secure Fabric OS functionality. Follow the standard procedure for uninstalling software from the workstation. On a Windows host computer, use the Add/Remove Programs control panel or just delete the folder. On a Solaris host, use the rm command to remove the folder.
Appendix B Secure Fabric OS Commands and Secure Mode Restrictions

Secure Fabric OS commands, zoning commands, and some management server commands must be entered through the primary FCS switch. This appendix includes the following information:
• Secure Fabric OS Commands, page 83
• Command Restrictions in Secure Mode
TABLE 1 Secure Fabric OS Commands (Continued)
Columns: Command | Role | Description | Secure Mode or Non-Secure Mode? | Which Switches in Secure Mode?
secAuthSecret | admin / fabricAdmin | Displays, sets, and removes secret key information from the database or deletes the entire database. | Both | Any
secCertUtil | admin / fabricAdmin | Manages third-party PKI-based SSL certificates in the switch. | Both | Any
secDefineSize | admin / fabricAdmin | Displays the size of the defined Secure Fabric OS database.
TABLE 1 Secure Fabric OS Commands (Continued)
Columns: Command | Role | Description | Secure Mode or Non-Secure Mode? | Which Switches in Secure Mode?
secPolicyFCSMove | admin / fabricAdmin | Moves an FCS member in the FCS list. See "Changing the Position of a Switch Within the FCS Policy" on page 40. | Secure mode | Primary FCS switch
secPolicyRemove | admin / fabricAdmin | Removes members from a policy. See "Removing a Member from a Policy" on page 57.
Command Restrictions in Secure Mode

This section provides information about the restrictions that secure mode places on commands. Any commands not listed here can be executed on any switch, whether or not secure mode is enabled.

ZONING COMMANDS

All zoning commands must be executed on the primary FCS switch, except for the cfgShow command, which can also be executed on the backup FCS switch.
TABLE 2 Zoning Commands (Continued)
Command           Primary FCS Switch  Backup FCS Switch  Non-FCS Switch
zoneAdd           Yes                 No                 No
zoneCreate        Yes                 No                 No
zoneDelete        Yes                 No                 No
zoneObjectRename  Yes                 No                 No
zoneRemove        Yes                 No                 No
zoneShow          Yes                 No                 No

MISCELLANEOUS COMMANDS

Table 3 lists which miscellaneous commands, including management server and SNMP commands, can be executed on which switches. Commands not listed here (or in the preceding two tables) can be executed on any switch.
TABLE 3 Miscellaneous Commands (Continued)
Command                                                 Primary FCS Switch  Backup FCS Switch  Non-FCS Switch
tsClockServer                                           Yes                 Yes (read only)    Yes (read only)
tsClockServer                                           Yes                 No                 No
userConfig                                              Yes                 No (read only)     No (read only)
wwn (display only; cannot modify WWNs in secure mode)   Yes                 Yes                Yes