Brocade Secure Fabric OS Administrator's Guide - Supporting Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, 5.2.0, and 5.3.0 (53-1000244-02, June 2007)

USING DH-CHAP
Secure Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, v5.2.0, and v5.3.0 use Diffie-Hellman with
Challenge-Handshake Authentication Protocol (DH-CHAP) shared secrets to provide
switch-to-switch authentication and prevent the addition of unauthorized switches to the fabric.
(DH-CHAP is not available with Fabric OS v2.6.x.) The default is to use FCAP or SLAP (see “Using
PKI”); DH-CHAP must be explicitly enabled before it is used for authentication.
Using the authUtil command, you can control which authentication protocols are used. You can
specify FCAP only, DH-CHAP only, or either. If either is permitted, the default order (FCAP,
DH-CHAP) is used; the actual protocol is selected during dynamic negotiation.
DH-CHAP requires a pair of shared secret keys—shared secrets—between each pair of switches
authenticating with DH-CHAP. Use the secAuthSecret command to manage shared secrets. See the
Fabric OS Command Reference Manual for details of the authUtil and secAuthSecret commands
and see “Configuring Switch-to-Switch Authentication” on page 26 for a basic procedure for
configuring DH-CHAP.
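As an added illustration (not from this guide and not Brocade's code), the following Python model runs a mutual DH-CHAP exchange between two switches, each holding the pair of shared secrets described above: the secret it answers challenges with and the secret it expects the peer to answer with. The DH group, hash construction, WWNs and secrets are constructed for the example; the exact FC-SP message encoding and Brocade's implementation are not reproduced.

```python
import hashlib
import secrets

# Toy DH group for illustration only (assumption: FC-SP defines its own MODP groups).
P = 2**521 - 1   # Mersenne prime M521
G = 3

def dhchap_response(challenge: bytes, secret: bytes, dh_key: int) -> bytes:
    # Modelled as H(challenge || secret || g^xy mod p); not the exact FC-SP byte layout.
    return hashlib.sha256(challenge + secret + dh_key.to_bytes(66, "big")).digest()

class Switch:
    """Switch holding, per peer WWN, the secret it answers with and the one it
    expects back: the 'pair of shared secrets' the guide describes."""
    def __init__(self, wwn: str):
        self.wwn = wwn
        self.secrets: dict[str, tuple[bytes, bytes]] = {}

    def set_secret(self, peer_wwn: str, local_secret: bytes, peer_secret: bytes) -> None:
        self.secrets[peer_wwn] = (local_secret, peer_secret)

def dhchap_exchange(initiator: Switch, responder: Switch) -> bool:
    """Mutual DH-CHAP: True only if each switch proves the secret the other expects."""
    if initiator.wwn not in responder.secrets or responder.wwn not in initiator.secrets:
        return False                       # unknown peer: nothing to authenticate against
    local_r, expected_r = responder.secrets[initiator.wwn]
    local_i, expected_i = initiator.secrets[responder.wwn]
    # Initiator -> Responder: challenge C1 and DH public value g^x
    x = secrets.randbelow(P - 2) + 1
    c1, gx = secrets.token_bytes(16), pow(G, x, P)
    # Responder -> Initiator: g^y, response R1 to C1, and its own challenge C2
    y = secrets.randbelow(P - 2) + 1
    gy, k_resp = pow(G, y, P), pow(gx, y, P)
    r1, c2 = dhchap_response(c1, local_r, k_resp), secrets.token_bytes(16)
    # Initiator verifies R1 before answering C2 (answers nothing to an unauthenticated peer)
    k_init = pow(gy, x, P)
    if not secrets.compare_digest(r1, dhchap_response(c1, expected_i, k_init)):
        return False
    r2 = dhchap_response(c2, local_i, k_init)
    # Responder verifies R2; only now is the link mutually authenticated
    return secrets.compare_digest(r2, dhchap_response(c2, expected_r, k_resp))

def demo() -> dict[str, bool]:
    """Constructed WWNs and secrets: a trusted pair, an unprovisioned switch, a mis-provisioned pair."""
    a, b, c = (Switch(f"10:00:00:05:1e:00:00:0{s}") for s in "abc")
    a.set_secret(b.wwn, b"secret-a-to-b", b"secret-b-to-a")  # A's local = B's peer, and vice versa
    b.set_secret(a.wwn, b"secret-b-to-a", b"secret-a-to-b")
    a.set_secret(c.wwn, b"secret-a-to-c", b"secret-c-to-a")
    c.set_secret(a.wwn, b"typo-c-to-a", b"secret-a-to-c")    # C's local differs from what A expects
    rogue = Switch("10:00:00:05:1e:00:00:ff")                 # never provisioned via secAuthSecret
    return {"trusted_pair": dhchap_exchange(a, b), "rogue_switch": dhchap_exchange(rogue, a),
            "mismatched_pair": dhchap_exchange(c, a)}
```

The mismatched case passes the first half of the handshake and fails only when the responder checks the initiator's answer, which is why both secrets of the pair must be entered consistently on both switches.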
Fabric Configuration Server Switches
Fabric configuration server (FCS) switches are one or more switches that are specified as “trusted”
switches for managing Secure Fabric OS. These switches should be both electronically and
physically secure. At least one FCS switch must be specified to act as the primary FCS switch, and
one or more backup FCS switches are recommended to provide failover ability in case the primary
FCS switch fails.
If your primary FCS switch runs Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, v5.2.0, or v5.3.0, you
should not use a Fabric OS v2.6.2 switch (or a switch running older versions of Fabric OS v3.x.x or
v4.x.x) as a backup FCS switch. Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, v5.2.0, and v5.3.0 have
features, such as a larger secure database (128K in v3.2.0 and 256K in v4.4.0, v5.0.1, v5.1.0, and
v5.2.0), multiple user accounts (MUA), RADIUS, password policies, and an SSL certificate, none of
which are supported by older releases.
FCS switches are specified by listing their WWNs in a specific policy called the FCS policy. The first
switch that is listed in this policy and participating in the fabric acts as the primary FCS switch; it
distributes the following information to the other switches in the fabric:
Zoning configuration
Secure Fabric OS policies
Fabric password database
SNMP community strings
System date and time
NOTE
The role of the FCS switch is separate from the role of the principal switch, which assigns domain
IDs. The role of the principal switch is not affected by whether secure mode is enabled.
When secure mode is enabled, only the primary FCS switch can propagate management changes
to the fabric. When a new switch joins the fabric, the primary FCS switch verifies the digital
certificate; then it provides the current configuration, overwriting the existing configuration of the
new switch.