HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)

Supported HBAs
The following HBAs support authentication:
Emulex LP11000 (Tested with Storport Miniport 2.0 Windows driver)
QLogic QLA2300 (Tested with Solaris 5.04 driver)
Authentication protocols
Use the authUtil command to perform the following tasks:
Display the current authentication parameters
Select the authentication protocol used between switches
Select the Diffie-Hellman (DH) group for a switch
Run the authUtil command on the switch you want to view or change. Options for specifying which DH
group you want to use include:
00 – DH Null option
01 – 1024 bit key
02 – 1280 bit key
03 – 1536 bit key
04 – 2048 bit key
This section illustrates the use of the authUtil command to display the current authentication parameters
and to set the authentication protocol to DH-CHAP. See the Fabric OS command reference for details on
the authUtil command.
To view the current authentication parameter settings for a switch:
1. Log in to the switch using an account assigned to the admin role.
2. On a switch running Fabric OS 6.0 or later, issue the authUtil --show command.
Output similar to the following is displayed:
AUTH TYPE       HASH TYPE       GROUP TYPE
--------------------------------------
fcap,dhchap     sha1,md5        0, 1, 2, 3, 4
Switch Authentication Policy: PASSIVE
Device Authentication Policy: OFF
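As an added example (not part of the HP guide or of Fabric OS), the following Python script parses output in the format shown above and lists the settings an administrator may want to review. The function names and the choice of what to flag (DH group 0, md5, and a policy of PASSIVE or OFF) are assumptions of this example.

```python
import re

# Constructed sample in the format of the authUtil --show output above.
SAMPLE = """\
AUTH TYPE       HASH TYPE       GROUP TYPE
--------------------------------------
fcap,dhchap     sha1,md5        0, 1, 2, 3, 4
Switch Authentication Policy: PASSIVE
Device Authentication Policy: OFF
"""

POLICY_RE = re.compile(r"(Switch|Device) Authentication Policy:\s*(\S+)")
# Value row: auth types, hash types, then comma-separated DH group numbers.
VALUES_RE = re.compile(r"([a-z,]+)\s+([a-z0-9,]+)\s+(\d+(?:\s*,\s*\d+)*)$")


def parse_show(text):
    """Parse authUtil --show output into a settings dict."""
    cfg = {"auth": [], "hash": [], "groups": [], "policies": {}}
    for line in map(str.strip, text.splitlines()):
        if m := POLICY_RE.match(line):
            cfg["policies"][m.group(1).lower()] = m.group(2).upper()
        elif m := VALUES_RE.match(line):
            cfg["auth"] = m.group(1).split(",")
            cfg["hash"] = m.group(2).split(",")
            cfg["groups"] = [int(g) for g in m.group(3).split(",")]
    return cfg


def audit(cfg):
    """Return findings. What counts as a finding is this example's assumption."""
    findings = []
    if not cfg["groups"]:
        findings.append("no AUTH/HASH/GROUP row found; output not recognized")
    if 0 in cfg["groups"]:
        findings.append("DH group 0 (DH Null option) is permitted")
    if "md5" in cfg["hash"]:
        findings.append("md5 is permitted as a hash type")
    for scope in ("switch", "device"):
        policy = cfg["policies"].get(scope, "MISSING")
        if policy in ("OFF", "PASSIVE", "MISSING"):
            findings.append(f"{scope} authentication policy is {policy}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_show(SAMPLE)):
        print("FINDING:", finding)
```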
To set the authentication protocol used by the switch to DH-CHAP:
1. Log in to the switch using an account assigned to the admin role.
2. On a switch running Fabric OS 4.x or 5.x, enter authUtil --set -a dhchap; on a switch running
Fabric OS 3.x, enter authUtil "--set -a dhchap".
Output similar to the following is displayed:
Authentication is set to dhchap.
When using DH-CHAP, make sure that you configure the switches at both ends of a link.
NOTE: If you set the authentication protocol to DH-CHAP, have not yet configured shared secrets, and
authentication is checked (for example, you enable the switch), switch authentication fails.
E_Port re-authentication
Use the authUtil command to re-initiate authentication on selected ports. It can initiate
authentication for a specified E_Port, a set of E_Ports, or all E_Ports on the switch. This command does
not work on Private, Loop, NPIV and FICON devices. The authUtil command can re-initiate
authentication only if the device was previously authenticated. If authentication fails because shared
secrets do not match, the port is disabled.