HP StorageWorks Fabric OS 6.x administrator guide (5697-7344, March 2008)

110 Configuring advanced security features
authutil --set <fcap|dhchap> to set the authentication protocol; the configured protocol can then be
verified with the authutil --show command.
NOTE: The standards-compliant DH-CHAP and FCAP authentication protocols are not compatible with
the SLAP protocol that was the only protocol supported in earlier Fabric OS releases 4.2, 4.1, 3.1, 2.6.x.
The Fabric OS 6.0.0 switch-to-switch authentication implementation is fully backward compatible with 3.2,
4.2, 4.4, 5.0, 5.1, 5.2, and 5.3.0.
Use secAuthSecret to set a shared secret on the switch. Once configured, the secret key pair is used for
authentication. Authentication occurs whenever there is a state change for the switch or port. The state
change can be due to a switch reboot, a switch or port disable and enable, or the activation of a policy.
Figure 1 DH-CHAP authentication
If you use DH-CHAP authentication, then a secret key pair must be installed only in connected fabric
elements. However, as connections are changed, new secret key pairs must be installed between newly
connected elements. Alternatively, a secret key pair for all possible connections may be initially installed,
enabling links to be arbitrarily changed while still maintaining a valid secret key pair for any new
connection.
The switch authentication (AUTH) policy initiates DH-CHAP/FCAP authentication on all E_Ports. This policy
is persistent across reboots, which means authentication will be initiated automatically on ports or switches
brought online if the policy is set to activate authentication. The AUTH policy is distributed using the
distribute command. The automatic distribution of the AUTH policy is not supported.
The default configuration directs the switch to attempt FCAP authentication first, DH-CHAP second. The
switch may be configured to negotiate FCAP, DH-CHAP, or both.
The DH group is used in the DH-CHAP protocol only. The FCAP protocol exchanges the DH group
information, but does not use it.
The AUTH policy is designed to accommodate mixed fabric environments that contain Fabric OS 6.0.0
and pre-6.0.0 switches. The policy states PASSIVE and OFF allow connections from Fabric OS 6.0.0
switches to pre-6.0.0 switches. In these policy states the switch does not send the authentication
negotiation and therefore continues with the rest of port initialization.
E_Port authentication
The authentication (AUTH) policy allows you to configure DH-CHAP authentication on the switch. By
default the policy is set to PASSIVE; you can change the policy using the authutil command. All
changes to the AUTH policy take effect as soon as the policy is changed. This includes starting
authentication on all E_Ports on the local switch if the policy is changed to ON or ACTIVE, and clearing
the authentication if the policy is changed to OFF. The authentication configurations take effect only on
subsequent E_Port and F_Port initialization.
A secret key pair has to be installed prior to changing the policy. The policy can be configured as follows:
$ authutil --policy -sw <ON|ACTIVE|PASSIVE|OFF>
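The secret key pair requirement described above and the key database layout of Figure 1 (each switch holds its own local secret plus one peer secret per neighbour) are easy to get wrong as links are added or secrets are re-entered. The following script is an added illustrative example, not Fabric OS code or an HP tool: it models the per-switch key databases and the AUTH policy states, and reports which links would be expected to fail authentication before the policy is switched to ON or ACTIVE. Switch names, secret strings and the rule that a link is only checked when at least one end runs an initiating policy are constructed assumptions for the example.

```python
# Added example (not Fabric OS code): model the per-switch DH-CHAP key
# database from Figure 1 and check that every link whose ends will negotiate
# authentication has a matching secret pair installed.  Switch names and
# secret strings are constructed placeholders.
from dataclasses import dataclass, field

INITIATING = {"ON", "ACTIVE"}        # AUTH policy states that start authentication on E_Ports
NON_INITIATING = {"PASSIVE", "OFF"}  # states that send no negotiation and just finish port init
VALID_POLICIES = INITIATING | NON_INITIATING


@dataclass
class Switch:
    name: str
    local_secret: str                 # the secret this switch presents as itself
    policy: str = "PASSIVE"           # guide: default AUTH policy is PASSIVE
    peer_secrets: dict = field(default_factory=dict)  # peer name -> secret held for that peer

    def __post_init__(self):
        if self.policy not in VALID_POLICIES:
            raise ValueError(f"{self.name}: unknown AUTH policy {self.policy!r}")


def install_pair(a: Switch, b: Switch) -> None:
    """Install one secret key pair: each switch stores the other's local secret."""
    a.peer_secrets[b.name] = b.local_secret
    b.peer_secrets[a.name] = a.local_secret


def install_full_mesh(switches: dict) -> None:
    """Alternative strategy from the guide: pre-install pairs for every possible connection."""
    names = sorted(switches)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            install_pair(switches[x], switches[y])


def pair_consistent(a: Switch, b: Switch) -> bool:
    """True when A holds B's current local secret and B holds A's (Figure 1 layout)."""
    return (a.peer_secrets.get(b.name) == b.local_secret
            and b.peer_secrets.get(a.name) == a.local_secret)


def check_links(switches: dict, links: list) -> list:
    """Return (a, b, reason) for each link expected to fail DH-CHAP authentication.

    Assumption for this example (not stated by the guide): a link is checked only
    when at least one end runs an initiating policy; when both ends are PASSIVE
    or OFF no negotiation is sent and port initialization simply continues.
    """
    problems = []
    for a_name, b_name in links:
        a, b = switches[a_name], switches[b_name]
        if a.policy in NON_INITIATING and b.policy in NON_INITIATING:
            continue
        if b.name not in a.peer_secrets or a.name not in b.peer_secrets:
            problems.append((a_name, b_name, "secret pair not installed on both ends"))
        elif not pair_consistent(a, b):
            problems.append((a_name, b_name, "peer secret does not match local secret"))
    return problems


def demo() -> dict:
    """Walk through the scenarios the guide describes; returns results per stage."""
    sw = {
        "A": Switch("A", "secretA-constructed", policy="ON"),
        "B": Switch("B", "secretB-constructed"),
        "C": Switch("C", "secretC-constructed"),
    }
    links = [("A", "B"), ("B", "C")]
    results = {}

    # 1. Only the connected pair A-B has a secret pair; B-C is PASSIVE on both ends.
    install_pair(sw["A"], sw["B"])
    results["initial"] = check_links(sw, links)

    # 2. C changes its policy to ON: the B-C link now needs a pair it does not have.
    sw["C"].policy = "ON"
    results["after_c_on"] = check_links(sw, links)

    # 3. B's local secret is re-entered but its neighbours still hold the old
    #    value: the stale pairs are reported instead of failing at the next port init.
    install_full_mesh(sw)
    sw["B"].local_secret = "secretB-rotated"
    results["stale_after_rotation"] = check_links(sw, links)

    # 4. Re-installing pairs for all possible connections clears every problem.
    install_full_mesh(sw)
    results["full_mesh"] = check_links(sw, links)
    return results


if __name__ == "__main__":
    for stage, problems in demo().items():
        print(f"{stage}: {problems or 'all links OK'}")
```

Running the script prints one line per stage; the useful output is the list of links that need a fresh secAuthSecret entry on one or both ends before the AUTH policy is raised, which is exactly the pre-check the guide's "install a secret key pair prior to changing the policy" step calls for.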
[Figure 1 (DH-CHAP authentication): Switch A and Switch B, each with a key database on the switch. Switch A holds local secret A and peer secret B; Switch B holds local secret B and peer secret A.]