HP StorageWorks Secure Fabric OS 5.0.
Legal and notice information
Copyright © 2005 Hewlett-Packard Development Company, L.P. Copyright © 2005 Brocade Communications Systems, Incorporated. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose.
About this guide
This guide provides information about:
• Setting up the optional HP StorageWorks Secure Fabric software.
• Monitoring your SAN via the optional HP StorageWorks Secure Fabric software.
Intended audience
This guide is intended for use by system administrators and technicians who are experienced with the following:
• HP StorageWorks Fibre Channel Storage Area Network (SAN) switches
• Fabric Operating System (FOS) version 4.
6. Click Technical documents.
7. Follow the onscreen instructions to download the applicable documents.
Document conventions and symbols
Table 1 Document conventions
Convention                                   Element
Medium blue text: Figure 1                   Cross-reference links and e-mail addresses
Medium blue, underlined text (http://www.hp.
CAUTION: Indicates that failure to follow directions could result in damage to equipment or data.
IMPORTANT: Provides clarifying information or specific instructions.
NOTE: Provides additional information.
TIP: Provides helpful hints and shortcuts.
HP technical support
Telephone numbers for worldwide technical support are listed on the following HP web site: http://www.hp.com/support/. From this web site, select the country of origin.
HP authorized reseller
For the name of your nearest HP authorized reseller:
• In the United States, call 1-800-345-1518.
• Elsewhere, visit http://www.hp.com and click Contact HP to find locations and telephone numbers.
1 Introducing Secure Fabric OS
Secure Fabric OS is an optionally licensed product that provides customizable security restrictions through local and remote management channels on a fabric. Secure Fabric OS provides the ability to:
• Create policies to customize fabric management access.
• Specify which switches and devices can join the fabric.
• View statistics related to attempted policy violations.
• Manage the fabric-wide Secure Fabric OS parameters through a single switch.
Access through a channel can be restricted by customizing the Secure Fabric OS policy for that channel. Secure Fabric OS policies are available for telnet (includes sectelnet and Secure Shell), SNMP, management server, HTTP, and API. Fabric Manager, Web Tools, and API all use both HTTP and API to access the switch. To use any of these management tools to access a fabric that has secure mode enabled, ensure that the workstation computers can access the fabric by both API and HTTP.
NOTE: The first time a Secure Shell client is launched, a message is displayed, indicating that the server’s host key is not cached in the registry. You will also see this message the first time a Secure Shell client is launched after you upgrade switch firmware. For more information about Secure Shell, refer to the HP StorageWorks Fabric OS 4.x procedures user guide.
Sectelnet
The sectelnet client is a secure form of telnet that encrypts passwords only. It is available from your switch supplier.
NOTE: PKI digital certificates are used also by Fabric OS v4.4.x. Secure Fabric OS and Secure Sockets Layer (SSL) use different digital certificates and different methods of obtaining and installing the certificates. PKI digital certificates are used for the secure fabric, and SSL digital certificates are not. The methods described in this manual are specific to Secure Fabric OS. Refer to the HP StorageWorks Fabric OS 4.x procedures user guide for information about SSL and digital certificates.
• Zoning configuration
• Secure Fabric OS policies
• Fabric password database
• SNMP community strings
• System date and time
NOTE: The role of the FCS switch is separate from the role of the principal switch, which assigns domain IDs. The role of the principal switch is not affected by whether secure mode is enabled. When secure mode is enabled, only the primary FCS switch can propagate management changes to the fabric.
The group of existing policies is referred to as the “fabric management policy set” or FMPS, which contains an active policy set and a defined policy set. The active policy set contains the policies that are activated and currently in effect. The defined policy set contains all the policies that have been defined, whether activated or not. Both policy sets are distributed to all switches in the fabric by the primary FCS switch. Secure Fabric OS recognizes each type of policy by a predetermined name.
Use to restrict which Fibre Channel device ports can connect to which Fibre Channel switch ports.
• Switch Connection Control (SCC) policy
Use to restrict which switches can join the fabric.
2 Integrating Secure Fabric OS
Secure Fabric OS is supported by Fabric OS v2.6.2, v3.x and v4.x and later; it can be added to fabrics that contain any combination of these versions. This manual applies to v3.2.0 and v4.4.x, and assumes that these versions are running before adding Secure Fabric OS. The procedure for adding Secure Fabric OS to a switch depends on whether the switch is shipped with one of these versions installed or requires upgrading. HP StorageWorks switches running Fabric OS 2.3.
Adding Secure Fabric OS
To implement Secure Fabric OS in a fabric, each switch in the fabric must have the following:
• A compatible version of Fabric OS
• An activated Secure Fabric OS license
• An activated Advanced Zoning license (zoning is essential to Secure Fabric OS mechanisms)
• The required PKI objects
• A digital certificate
The following tasks are required to set up a fabric for use with Secure Fabric OS:
• Identify the versions of Fabric OS currently installed on each switch and determine which
Identifying the current version of Fabric OS
Before continuing, identify the version of Fabric OS on each switch in the fabric and determine which switches must be upgraded. To identify the current version of Fabric OS installed on each switch in the fabric:
1. Open a CLI connection (serial or telnet) to one of the switches in the fabric.
2. Log in to the switch as admin. The default password is “password”.
3. Type the version command.
Read this section to set up Secure Fabric OS for the following switches:
• HP StorageWorks 1 Gbps switches
• HP StorageWorks SAN Switch 2/8 EL or HP StorageWorks SAN Switch 2/16
• HP StorageWorks SAN Switch 2/32
• HP StorageWorks SAN Switch 4/32
• HP StorageWorks SAN Switch 2/8V, 2/16V and 2/16N
1. Change the account passwords from default values as described in ”Customizing the account passwords” on page 23.
2. If switches running Fabric OS v2.6.2 or v3.2.
Customizing the account passwords
The user is prompted to customize the account passwords at the first login. The prompts continue to display at each login, and the passwd command remains disabled, until the password prompts are answered. Changing the passwords immediately is recommended.
NOTE: In addition to customizing the passwords for the user, admin, factory, and root accounts, setting both the boot PROM and recovery passwords is strongly recommended.
Verifying or activating the Secure Fabric OS and Advanced Zoning licenses
The Secure Fabric OS and Advanced Zoning features are part of the Fabric OS and can be activated by entering a corresponding license key, available from the switch supplier. A license must be activated on each switch that will be implementing Secure Fabric OS. Licenses can be activated through the CLI or through Web Tools. This section provides CLI instructions only.
Adding Secure Fabric OS to switches that require upgrading
This section applies to the following switches:
• HP StorageWorks SAN Switch 2/8 EL or HP StorageWorks SAN Switch 2/16 switches running a Fabric OS previous to v3.1.2
• HP StorageWorks SAN Switch 2/32 and HP StorageWorks Core Switch 2/64 running Fabric OS previous to v4.2.0
To set up Secure Fabric OS on a switch that was not shipped with Fabric OS v3.1.2 or v4.4.x (or later):
1. If switches running Fabric OS v3.2.
8. Obtain digital certificates from the switch supplier, as described in ”Obtaining the digital certificate file” on page 34.
9. Distribute the certificates to the switches, as described in ”Distributing digital certificates to the switches” on page 34.
10. Verify that digital certificates are installed on all the switches, as described in ”Verifying installation of the digital certificates” on page 38.
Upgrading to a compatible version of Fabric OS
Secure Fabric OS is supported by Fabric OS v2.6.2, v3.2.
6. Download the required firmware from the computer to the switch. The download process depends on the type of switch and management interface.
NOTE: If secure mode is already enabled on the switch (such as on a 1 Gb switch running v2.6), secure mode can remain enabled during the download to preserve the policies. For information about merging fabrics that have secure mode enabled, refer to ”Adding switches and merging fabrics with Secure mode enabled” on page 103.
7. Reboot the switch.
Installing the PKICert utility
The PKI certificate installation utility (PKICert utility) version 1.0.6 or later is provided by the switch supplier and is used to collect certificate signing requests (CSRs) and install digital certificates on switches. The utility must be installed on a computer workstation. To install the PKICert utility on a Solaris workstation, follow the instructions provided in the PKICert utility ReadMe file.
2. Type a file name for the events log and press Enter, or just press Enter to accept the default. The log file is automatically created in the same directory as pkicert.exe.
    PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
    All events and errors will be recorded in an event/error log file.
    If the file already exists, new event/error information will be appended to it.
    Enter a log file name [or just press Enter to accept the default].
    [pki_events.log] => pki_events_fabric1.
switch must be operating and available. When all the IP addresses have been entered, press Enter again to end the list. The utility prompts for the username and password for this switch.
c. Type the username and password, then press Enter to continue.
    PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
    Only one address per fabric is needed to get to all switches.
    Enter a list of one or more IP or DNS addresses (aliases) you wish to use (one per line).
    End the list with an empty item.
    1 -->
    2 --> 10.32.142.
a. Enter the path and file name for the CSR file to be created; then type y if the address was entered correctly, or type n and reenter the address if not.
b. Type y to include licensed product data in the file. Otherwise, type n.
c. Type y to retrieve CSRs from all switches in the fabric, or n to retrieve CSRs only from switches that do not already have a digital certificate.
    PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.
The utility displays the success or failure of CSR retrieval.
7. Press Enter to continue.
    PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
    Retrieving CSR's from 1 fabric(s)
    1. Got a CSR for Switch: Name="sw_129", IP="10.32.142.129"
    2. Got a CSR for Switch: Name="sw_128", IP="10.32.142.128"
    3. Got a CSR for Switch: Name="sw_139", IP="10.32.142.139"
    4. Got a CSR for Switch: Name="sw_143", IP="10.32.142.143"
    5. Got a CSR for Switch: Name="sw_138", IP="10.32.142.
    6. Got a CSR for
    7. Got a CSR for
After you type 2, the following information is displayed:
    PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
    Currently Connected Fabrics
    Fabric World Wide Name          # Switches   Principal
    ------ -----------------------  ----------   ----------
    *      10:00:00:60:69:11:f8:f9  15           sec237
    ________________________________________________________
    Use Currently Connected Fabrics?
    y) Yes, continue with current fabric(s)
    n) No, input different Fabric addresses(es)
    enter your choice> y
Select n (no) to input different fabric addresses.
9. To quit installation, type q to quit the utility; then type y and press Enter to verify that you want to quit.
    PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.
NOTE: If this procedure is interrupted by a switch reboot, the certificate is not loaded and the procedure must be repeated.
To load digital certificates onto one or more switches while retrieving CSRs, go to step 8 of the previous section, ”Using the PKICert utility”.
To manually load digital certificates onto one or more switches:
1. Open the PKICert utility. On a PC, double-click pkicert.exe. The utility prompts for the events log file name.
2.
4. Type the desired method for entering the fabric addresses.
    PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
    Choose a method for providing fabric addresses
    1) Manually enter fabric address
    2) Read addresses from a file (name to be given)
    r) Return to Main menu
    Type choice>
To manually enter the fabric address:
a. Type 1 and press Enter. The utility prompts for the IP address or switch name of a switch in the fabric. Only one switch name or IP address is required for each fabric.
b.
The utility prompts for the path and file name of the file. The addresses in the file must be IP addresses or switch names, each on a separate line.
b. Type the path and file name of the file that contains the fabric addresses and press Enter.
    Enter the file-name of the Fabric Address file.
    File Name ===> \\server\Working\FabricAddresses.txt
    Connecting to Fabric(s) ...
    Login to fabric 1. principal switch WWN = 10:00:00:60:69:80:46:00
    Username: admin
    Password:
    Logged into fabric 1.
The new certificates are loaded onto the switches and the success or failure of each certificate is displayed.
7. Press Enter to continue.
    PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
    Load Certificates onto 1 fabric(s)
    1.
    2.
    3.
    4.
    5.
    6.
    7.
2. Display the PKI objects:
• For Fabric OS v4.4.x, enter pkiShow. If the switch is a Core Switch 2/64 or a two-domain SAN Director 2/128, enter this command on both logical switches.
• For Fabric OS v3.2.0, enter configShow “pki”.
The command displays the status of the PKI objects.
NOTE: “Root Certificate” is an internal PKI object. “Certificate” is the digital certificate.
Displaying PKI objects on Fabric OS v4..
NOTE: Secure mode must be disabled to perform this procedure.
To use the CLI to re-create the PKI objects on Fabric OS v4.4.x:
1. Log in to the switch as admin.
2. Type the pkiRemove command. If the switch is a Core Switch 2/64 or a two-domain SAN Director 2/128, enter this command on both logical switches.
3. Type the pkiCreate command to create new PKI objects. New PKI objects are created without digital certificates.
1. To create a PKI report, type 3 (shown in the following example), and follow the screen prompts.
    PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
    FUNCTIONS
    1) Retrieve CSRs from switches & write a CSR file
    2) Install Certificates contained in a Certificate file
    3) Generate a Licensed-Product/Installed-Certificates report
    4) Help using PKI-Cert to get & install certificates
    q) Quit PKI Certificate installation utility
    Enter choice> 3
2. Type the desired method for entering the fabric addresses.
After you enter the IP address or name, the utility logs in to the fabric.
    Connecting to Fabric(s) ...
    Login to fabric 1. principal switch WWN = 10:00:00:60:69:50:0d:9f
    Username: root
    Password:
    Logged into fabric 1. principal switch WWN = 10:00:00:60:69:50:0d:9f
    Press Enter to continue >
The utility prompts for information about the report file to be created.
3. Enter the requested information:
a. Type the path and file name for the report file to be created.
4. Type 1 to write certificate reports only to the fabric identified earlier, or a to write certificate reports to all discovered fabrics; then press Enter.
    PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
    Choose a Fabric On Which to Operate
    Fabric World Wide Name          # Switches   Principal
    ------ -----------------------  ----------   ----------
    1)     10:00:00:60:69:50:0d:9f  2            sec_edge_2
    a) All Fabrics
    r) Return to Functions menu
    enter your choice> 1
    PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.
Accessing PKI certificate help
The purpose of PKI help is to obtain command line information about PKICert and obtain advice on advanced options for advanced users. To access PKI help:
1. Select option 4 (as shown in the following example) and follow the screen prompts.
    PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.
    HELP WITH COMMAND LINE USEAGE OF PKI CERTIFICATE UTILITY
    pkicert [-gGil] [_e log-file] [-d data-file] [-a addr-file] [-A switch-addr] [-L log-level] [-u user-login -p password]
    Task Options:
    -g Get CSRs & generate a CSR data file
    -G Get CSRs (even from switches with certificates)
    -i Install Certificates from a data file
    -l Licensed Product Report compile & generate
    If none of the above “task” options is given, Pki-Cert will operate in “Interactive” rather than “Batch” mode.
2. To end help, press Enter.
    User Login: -u User name or account login for switch given with _A option or for use as default for all switches given.
    Password: -p Password must accompany “-u UserLogin” if provided. It must be more than 5 characters.
If the firmware is Fabric OS v4.0.0c or later, the firmwareShow command can be entered for more detailed information about which firmware versions are installed.
    SW12000:admin> version
    Kernel: 2.4.2
    Fabric OS: v4.0.2
    Made on: Fri Feb 1 23:02:08 2002
    Flash: Fri Feb 1 18:03:35 2002
    BootProm: 4.2.13b
    SW12000:admin> firmwareshow
    Local CP (Slot 5, CP0): Active
    Primary partition: v4.0.2
    Secondary Partition: v4.0.2
    Remote CP (Slot 6, CP1): Standby
    Primary partition: v4.0.2
    Secondary Partition: v4.0.2
3.
d. Repeat for the other logical switch.
    SW12000switch0:admin> tsclockserver "132.163.135.131"
    switch:admin> tsclockserver 132.163.135.131
    SW12000switch0:admin> login
    login: admin
    Password: xxxxxx
    12000switch1:admin> tsclockserver "132.163.135.131"
    12000switch1:admin> tsclockserver 132.163.135.131
6. Ensure that both logical switches have a Secure Fabric OS license activated, as described in ”Verifying or activating the Secure Fabric OS and Advanced Zoning licenses” on page 24.
Installing a supported CLI client on a computer workstation
Standard telnet sessions work only until secure mode is enabled. The following telnet clients are supported after secure mode has been enabled:
• sectelnet: sectelnet is a secure form of telnet that is available for switches running Fabric OS v3.2.0 or v4.4.x. For instructions on installing the sectelnet client, refer to the following procedures.
• SSH: SSH is a secure form of telnet that is supported only for switches running Fabric OS v4.1.
Configuring authentication
By default, Secure Fabric OS on Fabric OS v3.2.0 and v4.4.x uses the SLAP or FCAP protocols for authentication. These protocols use digital certificates, based on switch WWN and PKI technology, to authenticate switches. Support for FCAP is provided in Secure Fabric OS v3.2.0 and v4.4.x and is used when both switches support it. Authentication automatically defaults to SLAP when a switch does not support FCAP.
Authentication is only performed when secure mode is enabled, but you can run the authUtil command either while secure mode is enabled, or not. Run the command on the switch you want to view or change. This section illustrates using the authUtil command to display the current authentication parameters and to set the authentication protocol to DH-CHAP. Refer to the HP StorageWorks Fabric OS 4.x command reference guide for more details on the authUtil command.
Managing shared secrets
When you configure the switches at both ends of a link to use DH-CHAP for authentication, you must also define a pair of shared secrets, one for each end of the link.
This enters the command’s interactive mode. The command returns a description of itself and the needed input; then it loops through a sequence of switch specification, peer secret entry and local secret entry. To exit the loop, press Enter for the switch name.
    switchA:admin> secAuthSecret --set
    This command is used to set up secret keys for the DH-CHAP authentication.
    The minimum length of a secret key is 8 characters and maximum 40 characters.
    Setting up secret keys does not initiate DH-CHAP authentication.
3 Creating Secure Fabric OS policies
Secure Fabric OS policies make it possible to customize access to the fabric. The FCS policy is the only required policy; all other policies are optional. To implement Secure Fabric OS policies:
• Determine which trusted switches to use as FCS switches to manage Secure Fabric OS.
• Enable secure mode in the fabric and specify the FCS switch and one or more backup FCS switches. This automatically creates the FCS policy.
Default fabric and switch accessibility
Following is the default fabric and switch access when secure mode is enabled but no additional Secure Fabric OS policies have been created:
• Switches:
  • Only the primary FCS switch can be used to make Secure Fabric OS changes.
  • Any HP StorageWorks switch can join the fabric, provided it is connected to the fabric and meets the minimum Secure Fabric OS requirements (such as Security and Advanced Zoning licenses, and digital certificates).
Enabling secure mode
Secure mode is enabled and disabled on a fabric-wide basis. Secure mode can be enabled and disabled as often as desired; however, all Secure Fabric OS policies, including the FCS policy, are deleted each time secure mode is disabled, and they must be re-created the next time it is enabled. The Secure Fabric OS database can be backed up using the configUpload command. For more information about this command, refer to the HP StorageWorks Fabric OS 4.x command reference guide.
The following restrictions apply when secure mode is enabled:
• Standard telnet cannot be used after secure mode is enabled; however, sectelnet can be used as soon as a digital certificate is installed on the switch. Secure Shell can be used at any time; however, telnet sessions opened prior to issuing secModeEnable remain open if secure mode is enabled using the option to preserve passwords.
NOTE: Enabling secure mode fastboots all Fabric OS v2.6.x switches in the fabric.
To enable secure mode in the fabric:
1. Ensure that all switches in the fabric have the following:
• Fabric OS v2.6.2, v3.2.0, or v4.4.x
• An activated Secure Fabric OS license
• An activated Advanced Zoning license
• Digital certificate
2. Ensure that any zoning configuration downloads have completed on all switches in the fabric. For information specific to zoning, refer to the HP StorageWorks Fabric OS 4.
• Type secmodeenable. This version invokes the command’s interactive mode; then identify each FCS switch at the prompts (as shown in the next example). Press Enter with no data to end the FCS list.
• Type secmodeenable "fcsmember;...;fcsmember". fcsmember is the domain ID, WWN, or switch name of the primary and backup FCS switches, with the primary FCS switch listed first.
Refer to the HP StorageWorks Fabric OS 4.x command reference guide for other forms of the secModeEnable command.
To enable secure mode using the --lockdown=scc, --currentpwd, and --fcs options:
    switch:admin> secmodeenable --lockdown=scc --currentpwd --fcs "*"
    Your use of the certificate-based security features of the software installed on this equipment is subject to the End User License Agreement provided with the equipment and the Certification Practices Statement, which you may review at http://www.switchkeyactivation.com/cps.
For example, to enter passwords after enabling secure mode:
    New FCS switch root password:
    Re-enter new password:
    New FCS switch factory password:
    Re-enter new password:
    New FCS switch admin password:
    Re-enter new password:
    New FCS switch user password:
    Re-enter new password:
    New Non FCS switch admin password:
    Re-enter new password:
    Saving passwd...done.
    Saving Defined FMPS ... done
    Saving Active FMPS ... done
    Committing configuration...done.
    Secure mode is enabled.
    Saving passwd...done.
    Rebooting...
• Using the secPolicyAdd command to add members, as described in ”Adding a member to an existing policy” on page 85
• Using the secPolicyRemove command to remove members, as described in ”Removing a member from a policy” on page 86
NOTE: If the last FCS switch is removed from the fabric, secure mode remains enabled but no primary FCS switch is available. To specify a new primary FCS switch, enter the secModeEnable command again and specify the primary and backup FCS switches.
2. Type secPolicyShow “Defined”, “FCS_POLICY”. This displays the WWNs of the current primary FCS switch and backup FCS switches.
3. Type secPolicyFCSMove, then provide the current position of the switch in the list and the desired position at the prompts. Alternatively, enter secPolicyFCSMove “From, To”. From is the current position in the list of the FCS switch and To is the desired position in the list for this switch.
During FCS failover to a backup FCS switch, all transactions in process on the current primary FCS switch are aborted, and any further transactions are blocked until failover is complete. To fail over the primary FCS switch:
1. Log in as admin to the current primary FCS switch from a sectelnet or SSH session.
2. If desired, view the current FCS list by typing secPolicyShow "active","FCS_POLICY".
Creating Secure Fabric OS policies other than the FCS policy
The FCS policy is automatically created when secure mode is enabled; other Secure Fabric OS policies can be created after secure mode is enabled. (Using the quickmode or lockdown options to the secModeEnable command also creates an SCC policy and a DCC policy.) The member list of each policy determines the devices or switches to which the policy applies.
Policy members can be specified by IP address, device port WWN, switch WWN, domain IDs, or switch names, depending on the policy. The valid methods for specifying policy members are listed in Table 3.
Creating a MAC policy
Management Access Control (MAC) policies can be used to restrict the following management access to the fabric:
• Access by hosts using SNMP, telnet/sectelnet/Secure Shell, HTTP, API
• Access by device ports using SES or management server
• Access through switch serial ports and front panels
The individual MAC policies and how to create them are described in the following sections. By default, all MAC access is allowed; no MAC policies exist until they are created.
Table 4 lists the expected read and write behaviors resulting from combinations of the RSNMP and WSNMP policies.
Table 4 Read and write behaviors of SNMP policies
RSNMP policy    WSNMP policy        Read result          Write result
Nonexistent     Nonexistent         Any host can read    Any host can write
Nonexistent     Empty               Any host can read    No host can write
Nonexistent     Host B in policy    Any host can read    Only B can write
Empty           Nonexistent         This combination is not supported.
3. To save or activate the new policy, enter either the secPolicySave or the secPolicyActivate command. If neither of these commands is entered, the changes are lost when the session is logged out. For more information about these commands, refer to ”Saving changes to Secure Fabric OS policies” on page 84 and ”Activating changes to Secure Fabric OS policies” on page 84.
Telnet policy
The Telnet policy can be used to specify which workstations can use sectelnet or Secure Shell to connect to the fabric.
The possible Telnet policy states are shown in Table 5.
Table 5 Telnet policy states
Policy state             Description
No policy                Any host can connect by sectelnet or SSH to the fabric.
Policy with no entries   No host can connect by sectelnet or SSH to the fabric.
Policy with entries      Only specified hosts can connect by sectelnet or SSH to the fabric.
To create a Telnet policy:
1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin.
2.
Table 6 lists possible HTTP policy states.
Table 6 HTTP policy states
Policy state             Characteristics
No policy                All hosts can establish an HTTP/HTTPS connection to any switch in the fabric.
Policy with no entries   No host can establish an HTTP/HTTPS connection to any switch in the fabric. Note: An empty policy causes the message “The page cannot be displayed” to display when HTTP/HTTPS access is attempted.
Table 7 lists possible API policy states.
Table 7 API policy states
Policy state             Characteristics
No policy                All workstations can establish an API connection to any switch in the fabric.
Policy with no entries   No host can establish an API connection to any switch in the fabric.
Policy with entries      Only specified hosts can establish an API connection to any switch in the fabric, and write operations can only be performed on the primary FCS switch.
To create an API policy:
1.
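The three-state semantics shared by Tables 5 through 7 (no policy allows every host, an empty policy allows none, a populated policy allows only its members) and the RSNMP/WSNMP combinations of Table 4 can be modelled so that a planned policy set is checked before it is activated. The following Python is an added example, not Fabric OS code: a policy is None when it does not exist, an empty set when it exists with no entries, and a set of host addresses otherwise. For the RSNMP/WSNMP rows beyond those Table 4 shows above, the model assumes that members of the write policy also get read access; that rule is an assumption, not something this page states.

```python
"""Added model of Secure Fabric OS MAC policy states (Tables 4-7); not Fabric OS code."""
from typing import Optional, Set, Tuple

# None    -> the policy does not exist
# set()   -> the policy exists but has no entries
# {hosts} -> the policy exists with the listed members (constructed addresses)
Policy = Optional[Set[str]]


def policy_state(policy: Policy) -> str:
    """Name the state used in Tables 5-7 for a policy value."""
    if policy is None:
        return "No policy"
    return "Policy with entries" if policy else "Policy with no entries"


def mac_allows(policy: Policy, host: str) -> bool:
    """Telnet, HTTP and API policy semantics (Tables 5-7):
    no policy -> any host; empty policy -> no host; entries -> listed hosts only."""
    if policy is None:
        return True
    return host in policy


def snmp_supported(rsnmp: Policy, wsnmp: Policy) -> bool:
    """Table 4: an RSNMP policy that exists without a WSNMP policy is unsupported."""
    return not (rsnmp is not None and wsnmp is None)


def snmp_access(rsnmp: Policy, wsnmp: Policy, host: str) -> Tuple[bool, bool]:
    """Return (can_read, can_write) for one host under an RSNMP/WSNMP pair.

    Rows shown in Table 4: with no RSNMP policy any host can read and writes
    follow the WSNMP policy alone. Assumption (not on this page): when both
    policies exist, a host may read if it is in either policy and may write
    only if it is in the WSNMP policy."""
    if not snmp_supported(rsnmp, wsnmp):
        raise ValueError("RSNMP policy without a WSNMP policy is not supported")
    if rsnmp is None:
        return True, mac_allows(wsnmp, host)
    can_write = host in wsnmp
    can_read = host in rsnmp or can_write
    return can_read, can_write


def main() -> None:
    # Constructed sample hosts; they do not refer to any real fabric.
    host_a, host_b = "10.0.0.1", "10.0.0.2"
    for rsnmp, wsnmp in [(None, None), (None, set()), (None, {host_b}), ({host_a}, {host_b})]:
        for host in (host_a, host_b):
            can_read, can_write = snmp_access(rsnmp, wsnmp, host)
            print(f"RSNMP={policy_state(rsnmp):22} WSNMP={policy_state(wsnmp):22} "
                  f"{host}: read={can_read} write={can_write}")
    print("Telnet policy with no entries admits", host_a, "->", mac_allows(set(), host_a))


if __name__ == "__main__":
    main()
```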
SES policy
NOTE: HP does not support SES at this time, although it appears in the Secure Fabric application and throughout this guide.
The SES policy can be used to restrict which devices can be managed by SES commands. The policy is named SES_POLICY and contains a list of device port WWNs that are allowed to access SES and from which SES commands are accepted and acted upon. If secure mode is enabled, the SES client must be directly attached to the primary FCS switch.
Management server policy
The Management Server policy can be used to restrict which devices can be accessed by the management server. Fabric configuration and control functions can be performed only by requesters that are directly connected to the primary FCS switch. The policy is named MS_POLICY and contains a list of device port WWNs for which the management server implementation in Fabric OS (designed according to the FC-GS-3 standard) accepts and acts on requests.
Serial port policy
The Serial Port policy can be used to restrict which switches can be accessed by serial port. The policy is named SERIAL_POLICY and contains a list of switch WWNs, domain IDs, or switch names for which serial port access is enabled. The serial policy is checked before the account login is accepted. If the Serial Port policy exists and the switch is not included in the policy, the session is terminated.
Front panel policy The Front Panel policy can be used to restrict which switches can be accessed through the front panel. This policy only applies to HP StorageWorks 2Gbps switches, since no other switches contain front panels. The policy is named FRONTPANEL_POLICY and contains a list of switch WWNs, domain IDs, or switch names for which front panel access is enabled. How to create a Front Panel policy is described after Table 11, which displays the possible Front Panel policy states.
Creating an options policy The Options policy can be used to prevent the use of node WWNs to add members to zones. This policy is named OPTIONS_POLICY and has only one valid value, “NoNodeWWNZoning”. Adding this value to the policy prevents use of Node WWNs for WWN-based zoning. The use of node WWNs can introduce ambiguity because the node WWN might also be used for one of the device ports, as might be true with a host bus adapter (HBA).
4. To apply the change to current transactions, disable the switch and then re-enable it by entering the switchDisable and switchEnable commands. This stops any current traffic between devices that are zoned using node names.

primaryfcs:admin> secpolicycreate "OPTIONS_POLICY", "NoNodeWWNZoning"
OPTIONS_POLICY has been created.

Creating a DCC policy
Multiple DCC policies can be used to restrict which device ports can connect to which switch ports.
Table 13 shows possible DCC policy states.

Table 13 DCC policy states
No policy: Any device can connect to any switch port in the fabric.
Policy with no entries: Any device can connect to any switch port in the fabric. An empty policy is the same as no policy.
Policy with entries: If a device WWN is specified in a DCC policy, that device is only allowed access to the fabric if connected to a switch port listed in the same policy.
[*]: Selects all ports and all devices attached to those ports.
[3, 9]: Selects ports 3 and 9 and all devices attached to those ports.
[1-3, 9]: Selects ports 1, 2, 3, 9, and all devices attached to those ports.

3. To save or activate the new policy, enter either the secPolicySave or the secPolicyActivate command. If neither of these commands is entered, the changes are lost when the session is logged out.
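As an added example (not HP or Brocade code), the following Python models the DCC member syntax used in this guide's secPolicyAdd example ("<wwn>;<wwn>;3(1,3)") together with the port-selection forms in the table above, and applies the policy-state rules of Tables 6, 7 and 13 to a connection attempt. The regular expressions, the acceptance of both "(...)" and "[...]" around port lists, the handling of a WWN listed in several DCC policies, and all sample WWNs and addresses are assumptions or constructed values.

```python
"""Parse Secure Fabric OS-style DCC policy members and evaluate policy states.

Added example, not HP or Brocade code. Member-string format follows the guide's
secPolicyAdd example ("<wwn>;<wwn>;<domain>(<ports>)"); port lists follow the
guide's port-selection table ("*", "3, 9", "1-3, 9"). Both "(...)" and "[...]"
are accepted because the guide shows both forms (assumption). WWNs and IP
addresses used below are constructed sample values.
"""
import re
from typing import Dict, List, Optional, Set

# Device port WWN: eight colon-separated hex octets.
WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")
# Switch-port member: a domain ID followed by a bracketed port list, e.g. "3(1,3)".
SWITCH_PORTS_RE = re.compile(r"^(\d+)\s*[\(\[]([^\)\]]*)[\)\]]$")


def parse_ports(spec: str) -> Optional[Set[int]]:
    """Expand a port list. '*' means all ports and is returned as None."""
    spec = spec.strip()
    if spec == "*":
        return None
    ports: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry in %r" % spec)
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError("descending port range %r" % item)
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


class DCCPolicy:
    """One DCC policy: device port WWNs plus the switch ports they may use."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.device_wwns: Set[str] = set()
        # domain ID -> set of ports, or None when "*" (all ports) was given
        self.switch_ports: Dict[int, Optional[Set[int]]] = {}

    def add_members(self, members: str) -> None:
        """Parse a ';'-separated member string as passed to secPolicyAdd."""
        for member in members.split(";"):
            member = member.strip()
            if not member:
                continue
            if WWN_RE.match(member.lower()):
                self.device_wwns.add(member.lower())
                continue
            m = SWITCH_PORTS_RE.match(member)
            if not m:
                raise ValueError("unrecognised DCC member %r" % member)
            domain = int(m.group(1))
            ports = parse_ports(m.group(2))
            current = self.switch_ports.get(domain, set())
            if ports is None or current is None:
                self.switch_ports[domain] = None  # all ports on this domain
            else:
                self.switch_ports[domain] = current | ports

    def lists_port(self, domain: int, port: int) -> bool:
        if domain not in self.switch_ports:
            return False
        ports = self.switch_ports[domain]
        return ports is None or port in ports


def dcc_allows(policies: List[DCCPolicy], wwn: str, domain: int, port: int) -> bool:
    """Table 13 rules: no DCC policy, or an empty one, lets any device connect to
    any switch port. A device whose WWN appears in a DCC policy is admitted only
    on a switch port listed in the same policy. Only the device-side rule the
    guide states is modelled; a WWN present in several policies is accepted if
    any one of them lists the port (assumption)."""
    wwn = wwn.lower()
    restricting = [p for p in policies if wwn in p.device_wwns]
    if not restricting:
        return True
    return any(p.lists_port(domain, port) for p in restricting)


def mac_allows(policy: Optional[Set[str]], host: str) -> bool:
    """Tables 6 and 7 (HTTP/API policies): no policy (None) admits every host,
    an empty policy admits none, otherwise only listed hosts. Contrast with
    DCC, where an empty policy is the same as no policy."""
    if policy is None:
        return True
    return host in policy


if __name__ == "__main__":
    dcc = DCCPolicy("DCC_POLICY_abc")
    dcc.add_members("11:22:33:44:55:66:77:aa;11:22:33:44:55:66:77:bb;3(1,3)")
    print(dcc_allows([dcc], "11:22:33:44:55:66:77:aa", 3, 1))  # True
    print(dcc_allows([dcc], "11:22:33:44:55:66:77:aa", 3, 2))  # False
    print(mac_allows(set(), "192.155.52.0"))                    # False
```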
Creating an SCC policy The SCC policy is used to restrict which switches can join the fabric. Switches are checked against the policy each time secure mode is enabled, the fabric is initialized with secure mode enabled, or an E_Port-to-E_Port connection is made. The policy is named SCC_POLICY, and accepts members listed as WWNs, domain IDs, or switch names. Only one SCC policy may be created.
If neither of these commands is entered, the changes are lost when the session is logged out. For more information about these commands, see ”Saving changes to Secure Fabric OS policies” on page 84 and ”Activating changes to Secure Fabric OS policies” on page 84.
• ”Deleting a policy” on page 86 Delete an entire policy; however, keep in mind that doing so opens up that aspect of the fabric to all access. • ”Aborting All uncommitted changes” on page 87 Abort all the changes to the Secure Fabric OS policies since the last time changes were saved or activated.
NOTE: Until a secPolicySave or secPolicyActivate command is issued, all policy changes are in volatile memory only and are lost upon rebooting.

To activate changes to the Secure Fabric OS policies:
1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin.
2. Type the secPolicyActivate command:
primaryfcs:admin> secpolicyactivate
About to overwrite the current Active data.
ARE YOU SURE (yes, y, no, n): [no] y
Committing configuration...done.
Saving Defined FMPS ...
To add two devices to the DCC policy and attach them to domain 3 ports 1 and 3 (the device WWNs are 11:22:33:44:55:66:77:aa and 11:22:33:44:55:66:77:bb):
primaryfcs:admin> secpolicyadd "DCC_POLICY_abc", "11:22:33:44:55:66:77:aa;11:22:33:44:55:66:77:bb;3(1,3)"

Removing a member from a policy
If all the members are removed from a policy, that policy becomes closed to all access. The last member cannot be removed from the FCS_POLICY, because a primary FCS switch must be designated.
NOTE: The FCS_POLICY cannot be deleted.

primaryfcs:admin> secpolicydelete "MS_POLICY"
About to delete policy MS_POLICY.
Are you sure (yes, y, no, n):[no] y
MS_POLICY has been deleted.

Aborting All uncommitted changes
You can use the secPolicyAbort command to abort all Secure Fabric OS policy changes that have not yet been saved. This function can only be performed from the primary FCS switch.

To abort all unsaved changes:
1.
4 Managing Secure Fabric OS
Secure Fabric OS v2.6.2, v3.2.0, and v4.4.x can be managed through Fabric Manager and sectelnet. In addition, Secure Shell is supported for Fabric OS v4.4.x. When secure mode is enabled for a fabric, all Secure Fabric OS administrative operations, all zoning commands, and some management server commands must be executed on the primary FCS switch. For a list of the commands and related restrictions, see ”Secure Fabric OS commands” on page 117.
Displaying general Secure Fabric OS information You can use the secFabricShow command to display general Secure Fabric OS-related information about a fabric. To display general Secure Fabric OS-related information: 1. Open a sectelnet or Secure Shell session to the primary FCS switch and log in as admin. 2. Type the secFabricShow command. The command displays the switches in the fabric and their status (Ready, Error, Busy, or NoResp, for no response from the switch).
For example, to display all policies in both active and defined policy sets:
primaryfcs:admin> secpolicydump
____________________________________________________
DEFINED POLICY SET
FCS_POLICY
Pos Primary WWN                     DId swName
__________________________________________________
1   Yes     10:00:00:60:69:30:15:5c 1   primaryfcs
HTTP_POLICY
IpAddr
__________________________________________________
192.155.52.
For example, to display all the policies in the defined policy set:
primaryfcs:admin> secpolicyshow "defined"
____________________________________________________
DEFINED POLICY SET
FCS_POLICY
Pos Primary WWN                     DId swName
__________________________________________________
1   Yes     10:00:00:60:69:30:15:5c 1   primaryfcs
HTTP_POLICY
IpAddr
__________________________________________________
192.155.52.0
192.155.53.1
192.155.54.2
192.155.55.3
192.155.56.
2. Type the secModeShow command. The command displays the status of secure mode, the version number and time stamp, and the list of switches in the FCS policy.
switch:admin> secmodeshow
Secure Mode: ENABLED
Version Stamp: 9182, Wed Mar 13 16:37:01 2001
POS Primary WWN                     DId swName
=============================================
1   Yes     10:00:00:60:69:00:00:5a 21  switch47
2   No      12:00:00:60:60:03:23:5b 5   switch12

Table 15 identifies the information that displays if secure mode is enabled.
NOTE: Rebooting the switch resets all the statistics. Secure Fabric OS statistics can also be monitored through Fabric Watch. Each statistic indicates the number of times the monitored event has occurred since the statistics were last reset (secStatsReset command). For the Telnet policy, this includes all the automated login attempts made by the sectelnet or Secure Shell client software, in addition to the actual attempts made by the user.
Table 16 Secure Fabric OS statistics (continued)
DCC_POLICY: The number of attempted violations to the DCC policy. Note: Fabric OS v4.4.x increases the counter by 1 for each drive in a JBOD; Fabric OS v3.2.0 increases the counter by 1 for the entire JBOD.
LOGIN: The number of invalid login attempts.
INVALID_TS (invalid timestamps): A received packet has a time stamp that differs from the time of the receiving switch by more than the maximum allowed difference.
Displaying Secure Fabric OS statistics Use the secStatsShow command to display statistics for one or all Secure Fabric OS policies, depending on the operand entered. This command can only be issued from the primary FCS switch if the “list” operand is specified. If the “list” operand is not specified, this command can be entered from any switch in the fabric. NOTE: On dual-CP directors, statistics are maintained separately on each CP and are counted only on the active CP.
name is the name of the statistic or the policy that relates to the statistic. The valid statistic names are listed in Table 16. You can enter an asterisk (*) to indicate all Secure Fabric OS statistics.
list is a list of the domain IDs for which to reset the statistics. You can enter an asterisk (*) to indicate all switches in the fabric. The default value is that of the local switch.
If neither operand is specified, all statistics for all Secure Fabric OS policies are reset to 0.
You can use the multiple user account (MUA) feature of Fabric OS v3.2.0 and v4.4.x if the primary FCS switch is running either Fabric OS version. The other switches do not need to be running a version of Fabric OS supporting MUA. If a digital certificate is installed, the sectelnet and API passwords are automatically encrypted, regardless of whether secure mode is enabled. HTTP only encrypts passwords if secure mode is enabled.
Table 17 on page 99 summarizes login account behavior with secure mode disabled and enabled.

Table 17 Login account behavior with Secure Mode disabled and enabled
Columns: Login account | Secure mode disabled | Secure mode enabled
User: Available on all switches. Recommended for all non-administrative options. Password is specific to each switch; can modify using passwd command. | Available on all switches. Can create temporary passwords. Can use to modify user password.
Admin: Available on all switches.
Modifying passwords in Secure mode
The passwd command can be used to modify the fabric-wide user password and the passwords for the FCS switches. The secNonFCSPasswd command can be used to modify the admin password for non-FCS switches.

NOTE: If the password is changed for a login account, all open sessions using that account are terminated, including the session from which the passwd command was executed, if applicable.
To modify the admin password for non-FCS switches:
1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin. Type the secNonFCSPasswd command.
2. Type the new non-FCS admin password at the prompt. The password can be anywhere from 8 to 40 alphanumeric characters in length. This password becomes the admin password for all non-FCS switches in the fabric.
3. Reenter the new non-FCS admin password at the prompt.
5. Reenter the password exactly as entered the first time.

For example, to create a temporary password for the admin account on a switch that has a Domain ID of 2:
primaryfcs:admin> sectemppasswdset 2, "admin"
Set remote switch admin password: swimming
Re-enter remote switch admin password: swimming
Committing configuration........done
Password successfully set for domain 2 for admin.

Removing a temporary password from a switch
The secTempPasswdReset command can be used to remove the temporary password.
To display the version number and time stamp of a fabric:
1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin.
2. Type the secModeShow command.

To reset the time stamp of a fabric to 0:
1. From a sectelnet or Secure Shell session, log in to the primary FCS switch as admin.
2. Type the secVersionReset command. If the fabric contains no FCS switch, you can enter the secVersionReset command on any switch.
Table 18 indicates the results of moving switches in and out of fabrics with secure mode enabled or disabled.
NOTE: Although the following procedure does not require rebooting the fabric, there is potential for segmentation or other disruption to the fabric due to the number of factors involved in the merge process.

To merge two or more fabrics that have Secure Fabric OS implemented:
1. As a precaution, back up the configuration of each fabric to be merged by entering the configUpload command and completing the prompts.
b. Type the command supported by the Fabric OS installed on the switch:
• For Fabric OS v4.4.x, enter pkiShow.
• For Fabric OS v2.6.2 and v3.2.0, enter configShow “pki”.
A list displays the PKI objects currently installed on the switch.
NOTE: “Root Certificate” is an internal PKI object. “Certificate” is the digital certificate.
c. Verify that all of the objects display “Exist”.
12. Verify that the fabric that contains the final primary FCS switch has a nonzero version stamp by logging into the fabric and entering the secModeShow command. If this fabric does not show a nonzero version stamp, modify a policy and enter either the secPolicySave or secPolicyActivate command to create a nonzero version stamp. Set the version stamp of the other fabrics to 0 by logging in to each fabric and entering the secVersionReset command.
13.
Table 19 Recovery processes (continued)
Symptom: Commands cannot be executed from any switch in the fabric.
Possible causes: All FCS switches have failed but secure mode is still enabled, preventing access to the fabric.
Recommended actions: Type the secModeEnable command from the switch that you want to become the new primary FCS switch, and specify the FCS switches.

Symptom: Cannot access some or all switches in the fabric.
Possible causes: The MAC policies are restricting access.
Table 19 Recovery processes (continued)
Symptom: One or more CLI sessions is automatically logged out.
Possible causes: The password might have been modified for the login account in use, the secModeEnable command might have been issued, or switches might have changed switch roles (primary to backup, backup to primary, and so forth).
Recommended actions: Try closing and reopening the CLI session.
Table 19 Recovery processes (continued)
Symptom: The message “The page cannot be displayed” is displayed when HTTP access is attempted, and response time is slow.
Possible causes: An HTTP policy has been created but has no members.
Recommended actions: Add the desired members to the HTTP policy.

Symptom: Unable to establish a sectelnet/SSH session to the IP address of the active CP of a Core Switch 2/64 or SAN Director 2/128, or a session to the standby CP is disconnected when it becomes the active CP.
Table 19 Recovery processes (continued)
Symptom: One or more switches is segmented from the fabric.
Possible causes: SCC_POLICY is excluding the segmented switches.
Recommended actions: Use the secPolicyAdd command on the primary FCS switch to add the switches to the SCC_POLICY. Note: For instructions on rejoining fabrics, refer to the instructions in ”Adding switches and merging fabrics with Secure mode enabled” on page 103.
Table 19 Recovery processes (continued)
Symptom: When the SCC policy is created after a fabric segmentation, it automatically includes the segmented FCS switches.
Possible causes: The segmented FCS switches are still listed in the FCS policy.
Recommended actions: Modify the FCS policy to remove the segmented FCS switches; then, modify or create the SCC policy as required.

Symptom: Passwords that should be consistent across the fabric are not consistent.
Frequently asked questions
This section organizes the frequently asked questions into the following groups:
• General, page 113
• Management access, page 114
• Digital certificates and PKI objects, page 114
• Merging fabrics, page 116
• Passwords, page 116

General
Is Secure Fabric OS standards-based?
Yes. Secure Fabric OS uses standards-based security mechanisms and protocols.

Which switches and fabrics support Secure Fabric OS?
Any switch that is running Fabric OS v2.6.2, v3.2.0, or v4.4.
Does Secure Fabric OS prevent all unauthorized access?
There is no 100 percent protection in any network; however, the Secure Fabric OS product makes it possible for the administrator to create a significantly increased level of security that is customized to the fabric.

After Secure Fabric is turned on, can it be turned off again?
Yes, by using the secModeDisable command. Turning secure mode off does not disrupt traffic.
PKI stands for Public Key Infrastructure; it refers to the use of cryptography to provide security (authentication, encryption, and so on).

Can digital certificates be duplicated or installed on other switches?
No; digital certificates correspond to the switch WWN and the private/public key pair generated by the switch.

Does the digital certificate have to be reinstalled if the motherboard is replaced?
This depends on the version of Fabric OS on the new motherboard. Hardware shipped with Fabric OS v3.2.
Merging fabrics
Which switch becomes the primary FCS switch when fabrics are merged?
The first switch that is listed in the shared FCS policy for the merged fabric. If the FCS policies of the fabrics do not match before the merge, the fabrics segment.

What happens to the zoning information when fabrics are merged?
The switch that succeeds as the primary FCS switch distributes its zoning information to all the switches in the newly merged fabric.
A Secure Fabric OS commands and Secure Mode restrictions
Secure Fabric OS commands, zoning commands, and some management server commands must be entered through the primary FCS switch. This appendix provides the following information:
• Secure Fabric OS commands, page 117
• Command restrictions in Secure mode, page 122
For more detailed information about commands, refer to the HP StorageWorks Fabric OS 4.x procedures user guide.
Table 20 lists all the commands available for managing Secure Fabric OS.

Table 20 Secure Fabric OS commands
Command | Access level | Description | Secure mode and nonsecure mode | Switches to use
authUtil | admin | Displays current authentication parameters and lets you set the protocol used to authenticate switches. | Both | Any
pkiCreate | admin | Re-creates the PKI objects on the switch. See ”Recreating PKI objects if required” on page 39. | Nonsecure mode | n.a.
Table 20 Secure Fabric OS commands (continued)
Command | Access level | Description | Secure mode and nonsecure mode | Switches to use
secFCSFailover | admin | Transfers the role of the primary FCS switch to the next switch in the FCS policy. See ”Failing over the primary FCS switch” on page 64. | Secure mode | Backup FCS switch
secGlobalShow | admin | Displays current state information for Secure Fabric OS, such as version stamp and status of transaction in progress.
Table 20 Secure Fabric OS commands (continued)
Command | Access level | Description | Secure mode and nonsecure mode | Switches to use
secPolicyAbort | admin | Aborts all policy changes since changes were last saved. See ”Aborting All uncommitted changes” on page 87. | Secure mode | Primary FCS switch
secPolicyActivate | admin | Activates all policy changes since this command was last issued. All activated policy changes are stored in the active policy set.
Table 20 Secure Fabric OS commands (continued)
Command | Access level | Description | Secure mode and nonsecure mode | Switches to use
secPolicySave | admin | Saves all policy changes since either secPolicySave or secPolicyActivate was last issued. All policy changes that are saved but not activated are stored in the defined policy set. See ”Saving changes to Secure Fabric OS policies” on page 84. | Secure mode | Primary FCS switch
secPolicyShow | admin | Shows members of one or more policies.
Table 20 Secure Fabric OS commands (continued)
Command | Access level | Description | Secure mode and nonsecure mode | Switches to use
secTransAbort | admin | Aborts the current Secure Fabric OS transaction. See ”Aborting a Secure Fabric OS transaction” on page 87. | Both | Any
secVersionReset | admin | Resets version stamp. See ”Resetting the version number and time stamp” on page 102. | Secure mode | Primary FCS switch; if not available, then non-FCS switch.
Table 21 Zoning commands (continued)
Command | Primary FCS switch | Backup FCS switch | Non-FCS switch
aliRemove | Yes | No | No
aliShow | Yes | Yes | No
cfgAdd | Yes | No | No
cfgClear | Yes | No | No
cfgCreate | Yes | No | No
cfgDelete | Yes | No | No
cfgDisable | Yes | No | No
cfgEnable | Yes | No | No
cfgRemove | Yes | No | No
cfgSave | Yes | No | No
cfgShow | Yes | Yes | No
cfgSize | Yes | Yes | Yes
cfgTransAbort | Yes | No | No
cfgTransShow | Yes | Yes | No
faZoneAdd | Yes | No | No
faZoneCreate | Yes | No | No
faZoneDelete | Yes | No
Table 21 Zoning commands (continued)
Command | Primary FCS switch | Backup FCS switch | Non-FCS switch
qloopDelete | Yes | No | No
qloopRemove | Yes | No | No
qloopShow | Yes | No | No
zoneAdd | Yes | No | No
zoneCreate | Yes | No | No
zoneDelete | Yes | No | No
zoneRemove | Yes | No | No
zoneShow | Yes | No | No

Miscellaneous commands
Table 22 lists which miscellaneous commands, including management server and SNMP commands, can be executed on which switches.
Table 22 Miscellaneous commands (continued)
Command | Primary FCS switch | Backup FCS switch | Non-FCS switch
date | Yes | Yes (read only) | Yes (read only)
date | Yes | No | No
msCapabilityShow | Yes | Yes | Yes
msConfigure | Yes (except ACL does not display) | Yes (except ACL does not display) | Yes (except ACL does not display)
msPlatShow | Yes | Yes | Yes
msplClearDB | Yes | No | No
msplMgmtActivate | Yes | No | No
msplMgmtDeactivate | Yes | No | No
mstdDisable | Yes | Yes | Yes
mstdDisable “all” | Yes
Table 22 Miscellaneous commands (continued)
Command | Primary FCS switch | Backup FCS switch | Non-FCS switch
userConfig | Yes | No (only allows display) | No (only allows display)
wwn (display only; cannot modify WWNs in secure mode) | Yes | Yes | Yes
B Removing Secure Fabric OS
Secure Fabric OS capability can be removed from a fabric by disabling secure mode and deactivating the Secure Fabric OS license keys on the individual switches. Removing Secure Fabric OS capability is not recommended unless absolutely required. If at all possible, consider disabling only secure mode and leaving the Secure Fabric OS feature available so that secure mode can be reenabled if desired.
Disabling Secure mode
Secure mode is enabled and disabled on a fabric-wide basis and can be enabled and disabled as often as desired. However, all Secure Fabric OS policies, including the FCS policy, are deleted each time secure mode is disabled, and must be re-created the next time it is enabled. The policies can be backed up using the configUpload and configDownload commands. For more information about these commands, refer to the HP StorageWorks Fabric OS 4.x command reference manual.
Deactivating the Secure Fabric OS license on each switch
Deactivating the Secure Fabric OS license is not required to disable Secure Fabric OS functionality.

NOTE: If the user installs and activates a feature license and then removes the license, the feature is not disabled until the next time the system is rebooted or a switch enable/disable is performed.

To deactivate the software license:
1. Open a CLI connection (serial or telnet) to the switch.
2.
Glossary

A
AL_PA: Arbitrated loop physical address. A unique 8-bit value assigned during loop initialization to a port in an arbitrated loop.
alias server: A fabric software facility that supports multicast group management.
API: Application programming interface. A defined protocol that allows applications to interface with a set of services.
AW_TOV: Arbitration wait time-out value. The minimum time an arbitrating L_Port waits for a response before beginning loop initialization.
Configuration: The way in which a system is set up. May refer to hardware or software. Hardware: The number, type, and arrangement of components that make up a system or network. Software: The set of parameters that guide switch operation. May include general system parameters, IP address information, domain ID, and other information. Modifiable by any login with administrative privileges. May also refer to a set of zones.
CRC: Cyclic redundancy check.
E
E_D_TOV: Error detect time-out value. The minimum amount of time a target waits for a sequence to complete before initiating recovery. Can also be defined as the maximum time allowed for a round-trip transmission before an error condition is declared.
E_Port: Expansion port. A type of switch port that can be connected to an E_Port on another switch to create an ISL.
EE_Credit: End-to-end credit. The number of receive buffers allocated by a recipient port to an originating port.
fill word: An IDLE or ARB ordered set that is transmitted during breaks between data frames to keep the fibre channel link active.
FL_Port: Fabric loop port. A port that is able to transmit under fabric protocol and also has arbitrated loop capabilities. Can be used to connect an NL_Port to a switch.
FRU: Field-Replaceable Unit. A component that can be replaced on site.
FS: Fibre Channel Service. A service that is defined by fibre channel standards and exists at a well-known address.
K
K28.5: A special 10-bit character used to indicate the beginning of a transmission word that performs fibre channel control and signaling functions. The first seven bits of the character are the comma pattern.
kernel flash: Flash (temporary) memory connected to the peripheral bus of the processor, and visible within the processor's memory space. Also known as “user flash”.

L
L_Port: Loop port. A node port (NL_Port) or fabric port (FL_Port) that has arbitrated loop capabilities.
M
master port: The port that determines the routing paths for all traffic flowing through a trunking group. One of the ports that is in the first ISL in the trunking group is designated as the master port for that group.
MIB: Management Information Base. An SNMP structure to help with device management, providing configuration and device information.
multicast: The transmission of data from a single source to multiple specified N_Ports (as opposed to all the ports on the network).

N
N_Port: Node port.
point-to-point: A fibre channel topology that employs direct links between each pair of communicating entities.
port cage: The metal casing extending out of the fibre channel port on the switch, and into which a GBIC or SFP transceiver can be inserted.
Port_Name: The unique identifier assigned to a fibre channel port. Communicated during login and port discovery.
POST: Power On Self-Test. A series of tests run by a switch after it is powered on.
RR_TOV: Resource recovery time-out value. The minimum time a target device in a loop waits after a LIP before logging out a SCSI initiator.
RSCN: Registered state change notification. A switch function that allows notification of fabric changes to be sent from the switch to specified nodes.

S
SAN: Storage Area Network. A network of systems and storage devices that communicate using fibre channel protocols.
SDRAM: The main memory for the switch.
T
tenancy: The time from when a port wins arbitration in a loop until the same port returns to the monitoring state. Also referred to as loop tenancy.
throughput: The rate of data flow achieved within a cable, link, or system. Usually measured in bps (bits per second).
topology: As applies to fibre channel, the configuration of the fibre channel network and the resulting communication paths allowed. There are three possible topologies: Point to point: A direct link between two communication ports.
Z
zone: A set of devices and hosts attached to the same fabric and configured as being in the same zone. Devices and hosts within the same zone have access permission to others in the zone, but are not visible to any outside the zone.
zone configuration: A specified set of zones. Enabling a configuration enables all zones in that configuration.