HP StorageWorks Fabric OS 6.x administrator guide (5697-7344, March 2008)
Fabric OS 6.x administrator guide 109
Removing a member from an ACL policy
To remove a member from an ACL policy:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Type secPolicyRemove “policy_name”, “member;...;member”.
where policy_name is the name of the ACL policy. member is the device or switch to be removed
from the policy, identified by IP address, switch Domain ID, device or switch WWN, or switch name.
3. To implement the change immediately, enter the secPolicyActivate command.
For example, to remove a member that has a WWN of 12:24:45:10:0a:67:00:40 from SCC_POLICY:
switch:admin> secpolicyremove "SCC_POLICY", "12:24:45:10:0a:67:00:40"
Member(s) have been removed from SCC_POLICY.
Deleting an ACL policy
To delete an ACL policy:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Type secPolicyDelete “policy_name”.
where policy_name is the name of the ACL policy.
3. To implement the change immediately, enter the secPolicyActivate command.
switch:admin> secpolicydelete "DCC_POLICY_ALL"
About to delete policy Finance_Policy.
Are you sure (yes, y, no, n):[no] y
Finance_Policy has been deleted.
Aborting all uncommitted changes
Use the secPolicyAbort command to abort all ACL policy changes that have not yet been saved.
To abort all unsaved changes:
1. Connect to the switch and log in using an account assigned to the admin role.
2. Type the secPolicyAbort command:
switch:admin> secpolicyabort
Unsaved data has been aborted.
All changes since the last time the secPolicySave or secPolicyActivate commands were
entered are aborted.
Configuring the authentication policy for fabric elements
By default, Fabric OS 6.0.0 uses DH-CHAP or FCAP protocols for authentication. These protocols use
shared secrets and digital certificates, based on switch WWN and public key infrastructure (PKI)
technology to authenticate switches. Authentication automatically defaults to FCAP if both switches are
configured to accept FCAP protocol in authentication.
NOTE: The fabric authentication feature is available in base Fabric OS. No license is required.
You can configure a switch with Fabric OS 5.3.0 or later to use Diffie-Hellman challenge handshake
authentication protocol (DH-CHAP) for device authentication. Use the authUtil command to configure
the authentication parameters used by the switch. When you configure DH-CHAP authentication, you also
must define a pair of shared secrets known to both switches as a secret key pair. Figure 1 on page 110
illustrates how the secrets are configured. A secret key pair consists of a local secret and a peer secret. The
local secret uniquely identifies the local switch. The peer secret uniquely identifies the entity to which the
local switch authenticates. Every switch can share a secret key pair with any other switch or host in a
fabric.
In order to use DH-CHAP authentication, a secret key pair has to be configured on both switches. To use
FCAP on both switches, PKI certificates have to be installed. You can use the command