Brocade Secure Fabric OS Administrator's Guide - Supporting Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, 5.2.0, and 5.3.0 (53-1000244-02, June 2007)

Configuring Switch-to-Switch Authentication
By default, Secure Fabric OS on Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, v5.2.0, and v5.3.0 uses the SLAP or FCAP protocol for authentication. These protocols use digital certificates based on the switch WWN and PKI technology to authenticate switches. Support for FCAP is provided in Secure Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, v5.2.0, and v5.3.0 and is used when both switches support it. Authentication automatically falls back to SLAP when a switch does not support FCAP.
Alternatively, you can configure Secure Fabric OS to use DH-CHAP authentication. Use the authUtil command to configure the authentication parameters used by the switch. When you configure DH-CHAP authentication, you must also define a pair of shared secrets known to both switches. Figure 1 illustrates how the secrets are configured. In the pair, one is the local switch secret and the other is the peer switch secret. (The terms local and peer are relative to the initiator: the switch that initiates authentication is local and the switch that responds is peer.)
Use the secAuthSecret command to set shared secrets on the switch. Configured shared secrets are used at the next authentication. Authentication occurs whenever secure mode is enabled or whenever there is a state change for the switch or port. The state change can be due to a switch reboot, or to a switch or port being disabled and re-enabled.
FIGURE 1 DH-CHAP Authentication
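The secret pairing shown in Figure 1, modelled as an added Python example (not Brocade's code and not the FC-SP wire format): each switch holds its own local secret plus one peer secret per peer WWN, and a simplified mutual DH-CHAP run succeeds only when Switch A's local secret equals the peer secret Switch B holds for A, and vice versa. The DH parameters, WWNs and secrets are constructed for the demo, and the hypothetical check_pairing() is the static consistency check an operator would want before enabling secure mode.

```python
import hashlib
import hmac
import secrets

P = 2**127 - 1  # toy Mersenne prime; a real fabric uses the FC-SP DH group selected with authUtil
G = 5

class Switch:
    """One switch's key database: its own local secret plus one peer secret per peer WWN."""

    def __init__(self, wwn, local_secret, peer_secrets):
        self.wwn = wwn
        self.local_secret = local_secret    # secret this switch presents when it is authenticated
        self.peer_secrets = peer_secrets    # {peer_wwn: secret that peer is expected to present}

def chap_response(secret, challenge, dh_shared):
    """Simplified CHAP response: HMAC-SHA256 over the challenge and the DH shared value."""
    return hmac.new(secret, challenge + dh_shared.to_bytes(16, "big"), hashlib.sha256).digest()

def dh_chap(initiator, responder):
    """Simplified mutual DH-CHAP run; True only if both switches verify each other."""
    x = secrets.randbelow(P - 2) + 1          # ephemeral DH exponents, one per side
    y = secrets.randbelow(P - 2) + 1
    gx, gy = pow(G, x, P), pow(G, y, P)       # DH public values exchanged in the clear
    k_i, k_r = pow(gy, x, P), pow(gx, y, P)   # both sides derive g^(xy) mod p
    c_i, c_r = secrets.token_bytes(16), secrets.token_bytes(16)   # nonce challenges
    # Responder proves itself with its local secret; the initiator checks it against the
    # peer secret it holds for the responder's WWN (missing entry -> empty key -> failure).
    resp_r = chap_response(responder.local_secret, c_i, k_r)
    exp_r = chap_response(initiator.peer_secrets.get(responder.wwn, b""), c_i, k_i)
    # Initiator then proves itself the same way with its own local secret.
    resp_i = chap_response(initiator.local_secret, c_r, k_i)
    exp_i = chap_response(responder.peer_secrets.get(initiator.wwn, b""), c_r, k_r)
    return hmac.compare_digest(resp_r, exp_r) and hmac.compare_digest(resp_i, exp_i)

def check_pairing(a, b):
    """Static check before enabling secure mode: each local secret must equal the other's peer secret."""
    return (a.local_secret == b.peer_secrets.get(a.wwn)
            and b.local_secret == a.peer_secrets.get(b.wwn))

# Constructed key databases matching Figure 1 (WWNs and secrets are made up for the demo).
WWN_A, WWN_B = "10:00:00:00:00:00:00:0a", "10:00:00:00:00:00:00:0b"
SWITCH_A = Switch(WWN_A, b"local-secret-A", {WWN_B: b"local-secret-B"})
SWITCH_B = Switch(WWN_B, b"local-secret-B", {WWN_A: b"local-secret-A"})
# Misconfigured Switch B: the peer secret entered for Switch A does not match A's local secret.
SWITCH_B_BAD = Switch(WWN_B, b"local-secret-B", {WWN_A: b"typo-secret-A"})

if __name__ == "__main__":
    print("good pairing:", dh_chap(SWITCH_A, SWITCH_B), " mismatched peer secret:", dh_chap(SWITCH_A, SWITCH_B_BAD))
```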
SELECTING AUTHENTICATION PROTOCOLS
Use the authUtil command to:
Display the current authentication parameters
Select the authentication protocol used between switches
Select the Diffie-Hellman (DH) group for a switch
Authentication is performed only when secure mode is enabled, but you can run the authUtil command whether or not secure mode is enabled. Run the command on the switch you want to view or change.
This section illustrates using the authUtil command to display the current authentication parameters and to set the authentication protocol to DH-CHAP. See the Fabric OS Command Reference for more details on the authUtil command.
Figure 1 (DH-CHAP Authentication) shows the key database on each switch:
Switch A key database: Local secret A, Peer secret B
Switch B key database: Local secret B, Peer secret A