HP StorageWorks Secure Fabric OS 5.0.0 User Guide (AA-RW1UA-TE, May 2005)
PKI stands for Public Key Infrastructure; it refers to the use of cryptography to provide
security (authentication, encryption, and so on).
Can digital certificates be duplicated or installed on other switches?
No; digital certificates correspond to the switch WWN and the private/public key pair
generated by the switch.
Does the digital certificate have to be reinstalled if the motherboard is replaced?
This depends on the version of Fabric OS on the new motherboard. Hardware shipped
with Fabric OS v3.2.0 or v4.4.x automatically includes digital certificates. To determine
whether the new motherboard already has a digital certificate, follow the instructions for
verifying the PKI objects.
Do all switches already have a digital certificate?
No, only switches that were shipped with v3.2.0 or v4.4.x installed have digital
certificates. For switches that are upgraded, follow the procedures provided in "Adding
Secure Fabric OS to switches that require upgrading" on page 25.
How can I tell whether the digital certificate or PKI objects are available on a switch?
For Fabric OS v4.4.x, enter the pkiShow command. For Fabric OS v3.2.0, enter
configShow "pki".
What happens if the PKI objects are deleted?
PKI objects cannot be deleted in secure mode. If they are deleted when secure mode is
disabled, secure mode cannot be reenabled until they are regenerated. If any PKI objects
are missing, all the PKI objects should be deleted using the pkiRemove command and
then regenerated using the pkiCreate command or by rebooting the switch (any missing
PKI objects, except the digital certificate, are automatically regenerated when the switch is
rebooted). If the digital certificate is deleted, it must be reinstalled on the switch according
to the instructions provided in "Distributing digital certificates to the switches" on page 34.
For Fabric OS v3.2.0, use configRemove to remove all the PKI objects, run
configUpload, and then fastboot the switch. After the switch reboots, all PKI objects are
available except for the certificate.
Are PKI objects required for any switch operations other than Secure Fabric OS?
The PKI objects are only required for Secure Fabric OS and the sectelnet client.
Why can I issue the secModeEnable command with an invalid certificate?
Web Tools and Fabric OS are not consistent in reporting switch certificate status. Web
Tools reports a valid certificate with extra characters appended as invalid, whereas Fabric
OS accepts the certificate and allows the secModeEnable command to complete
successfully.
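The inconsistency described above (one component rejecting a certificate that has extra characters appended, another accepting it) is easy to catch before the certificate ever reaches the switch. The following is an added example, not code from this guide or from Fabric OS: a strict checker for a PEM-encoded certificate file that rejects anything after the END marker, any non-base64 characters in the body, and any bytes beyond what the outer DER SEQUENCE header declares. The sample DER blob is constructed for the example and is not a real certificate; a real X.509 certificate starts with the same SEQUENCE tag/length header, which is all the length check relies on.

```python
import base64
import re

# Constructed sample: a minimal DER SEQUENCE { INTEGER 5, INTEGER 7 }.
# It stands in for the outer SEQUENCE of an X.509 certificate; it is NOT a
# real certificate, but it has the same tag/length header layout.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x05, 0x02, 0x01, 0x07])

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def make_pem(der: bytes, trailing: str = "") -> str:
    """Wrap DER bytes in PEM armor. 'trailing' simulates characters appended
    after the END marker (the failure mode discussed in the FAQ)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(lines)
        + "\n-----END CERTIFICATE-----\n"
        + trailing
    )


def der_declared_length(der: bytes) -> int:
    """Total length (header + content) declared by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("outer object is not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: single length byte
        return 2 + first
    n = first & 0x7F                      # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("invalid DER length encoding")
    content_len = int.from_bytes(der[2:2 + n], "big")
    return 2 + n + content_len


def validate_pem_cert(pem: str) -> tuple:
    """Return (ok, reason). Strict: any appended data is a failure."""
    m = PEM_RE.search(pem)
    if not m:
        return False, "no PEM certificate block found"
    after = pem[m.end():]
    if after.strip():
        return False, "trailing data after END marker: %r" % after.strip()[:20]
    body = re.sub(r"\s+", "", m.group(1))
    if not re.fullmatch(r"[A-Za-z0-9+/]*={0,2}", body):
        return False, "base64 body contains illegal characters"
    try:
        der = base64.b64decode(body, validate=True)
    except Exception as exc:  # binascii.Error on malformed input
        return False, "base64 decode failed: %s" % exc
    try:
        declared = der_declared_length(der)
    except ValueError as exc:
        return False, str(exc)
    if declared != len(der):
        return False, "DER length mismatch: declared %d, got %d" % (declared, len(der))
    return True, "ok"


if __name__ == "__main__":
    for label, pem in [
        ("clean", make_pem(SAMPLE_DER)),
        ("appended text", make_pem(SAMPLE_DER, "extra")),
        ("appended bytes", make_pem(SAMPLE_DER + b"\x00\x00")),
    ]:
        print(label, validate_pem_cert(pem))
```

Run the checker over the certificate file you are about to install; a result other than `(True, "ok")` means the file has been altered in transit or by a copy/paste error, and the file should be re-exported from the certificate authority rather than loaded and relied on a lenient parser accepting it.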