Secure Fabric OS Administrator’s Guide Supporting Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, 5.2.
Copyright © 2003-2006 Brocade Communications Systems, Incorporated. ALL RIGHTS RESERVED. Brocade, the Brocade B weave logo, Fabric OS, File Lifecycle Manager, MyView, Secure Fabric OS, SilkWorm, and StorageX are registered trademarks and Tapestry is a trademark of Brocade Communications Systems, Inc., in the United States and/or in other countries. FICON is a registered trademark of IBM Corporation in the U.S. and other countries.
Brocade Communications Systems, Incorporated Corporate Headquarters Brocade Communications Systems, Inc. 1745 Technology Drive San Jose, CA 95110 Tel: 1-408-333-8000 Fax: 1-408-333-8101 Email: info@brocade.com European and Latin American Headquarters Brocade Communications Switzerland Sàrl Centre Swissair Tour A - 2ème étage 29, Route de l'Aéroport Case Postale 105 CH-1215 Genève 15 Switzerland Tel: +41 22 799 56 40 Fax: +41 22 799 56 41 Email: emea-info@brocade.
Document History
The following table lists all versions of the Secure Fabric OS Administrator's Guide.
Document Title | Publication Number | Summary of Changes | Publication Date
Secure Fabric OS User's Guide v2.6 | 53-0000195-02 | First release. | January 2001
Secure Fabric OS User's Guide v3.1.0/4.1.0 | 53-0000526-02 | Examples, information about new features, and new procedures were added. The book was reorganized for greater ease of use. |
Contents
About This Document
How This Document Is Organized (ix)
Supported Hardware and Software (x)
What's New in This Document (x)
Document Conventions (xi)
Text Formatting
Verifying the Digital Certificate (2-4)
Displaying the Digital Certificate Status (2-4)
Creating PKI Objects (2-5)
Removing PKI Objects (2-6)
Obtaining the Digital Certificate File
Chapter 4 Managing Secure Fabric OS
Viewing Secure Fabric OS Information (4-1)
Displaying General Secure Fabric OS Information (4-2)
Viewing the Secure Fabric OS Policy Database (4-2)
Displaying Individual Secure Fabric OS Policies (4-3)
Displaying Status of Secure Mode
viii Secure Fabric OS Administrator’s Guide Publication Number: 53-1000244-01
About This Document
This document is a procedural guide written to help SAN administrators set up and manage a Brocade Secure Fabric OS SAN. This document is specific to Brocade Secure Fabric OS v5.2.0 and all switches running Fabric OS versions v3.2.x, v4.4.x, v5.0.1, v5.1.0, or v5.2.0.
Supported Hardware and Software
In those instances in which procedures or parts of procedures documented here apply to some switches but not to others, this guide identifies exactly which switches are supported and which are not. Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc. for v3.2.x, v4.4.x, v5.0.1, v5.1.0, and v5.2.0, documenting all possible configurations and scenarios is beyond the scope of this document.
Document Conventions This section describes text formatting conventions and important notices formats.
Key Terms For definitions specific to Brocade and Fibre Channel, see the Brocade Glossary. For definitions of SAN-specific terms, visit the Storage Networking Industry Association online dictionary at http://www.snia.org/education/dictionary. Additional Information This section lists additional Brocade and industry-specific documentation that you might find helpful.
SilkWorm 48000
• SilkWorm 48000 Hardware Reference Manual
• SilkWorm 48000 QuickStart Guide
• FR4-18i Hardware Reference Manual
• FC4-16IP Hardware Reference Manual
SilkWorm 24000
• SilkWorm 24000 Hardware Reference Manual
• SilkWorm 24000 QuickStart Guide
SilkWorm 24000/48000
• Port Blade and Filler Panel Replacement Procedure
• Control Processor Blade Replacement Procedure
• Blower Assembly Replacement Procedure
• Cable Management Tray and Guide Replacement Procedure
• Chassis Door Replace
• SilkWorm 3900 Motherboard Assembly Replacement Procedure
• SilkWorm 3900 Power Supply Replacement Procedure
SilkWorm 3250/3850
• SilkWorm 3250/3850 Hardware Reference Manual (for v4.x software)
• SilkWorm 3250/3850 QuickStart Guide (for v4.x software)
SilkWorm 200E
• SilkWorm 200E Hardware Reference Manual (for v5.
For information about the Fibre Channel industry, visit the Fibre Channel Industry Association Web site: http://www.fibrechannel.org
Getting Technical Help
Contact your switch support supplier for hardware, firmware, and software support, including product repairs and part ordering. To expedite your call, have the following information available:
1. General Information
2.
3. World Wide Name (WWN)
• SilkWorm 200E, 3014, 3016, 3250, 3600, 3850, 3900, 4100, 4900, 7500 switches and SilkWorm 24000 and 48000 directors: Provide the license ID. Use the licenseIdShow command to display the license ID.
• SilkWorm Multiprotocol Router Model AP7420: Provide the switch WWN. Use the switchShow command to display the switch WWN.
• All other SilkWorm switches: Provide the switch WWN. Use the wwn command to display the switch WWN.
Chapter 1 Introducing Secure Fabric OS
Brocade Secure Fabric OS is an optionally licensed product that provides customizable security restrictions through local and remote management channels on a SilkWorm fabric.
Management Channel Security
Secure Fabric OS can be used to provide policy-based access control of local and remote management channels, including Fabric Manager, Web Tools, standard SNMP applications, and management server. Access through a channel can be restricted by customizing the Secure Fabric OS policy for that channel. Secure Fabric OS policies are available for telnet (including sectelnet and SSH), SNMP, management server, HTTP, and API.
sectelnet
The sectelnet client is a secure form of telnet that encrypts passwords only; the rest of the session is sent in the clear, so SSH is the stronger choice where the switch supports it. sectelnet is available from your switch supplier. Fabric OS v4.4.0, v5.0.1, v5.1.0, and v5.2.0 include the sectelnet server; the sectelnet client must be installed on the workstation computer. The sectelnet client can be used as soon as a digital certificate is installed on the switch. sectelnet access is configurable by the Telnet policy.
Telnet
Standard telnet is not available when secure mode is enabled.
Using DH-CHAP
Secure Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 can use Diffie-Hellman Challenge-Handshake Authentication Protocol (DH-CHAP) shared secrets to provide switch-to-switch authentication and prevent the addition of unauthorized switches to the fabric. (DH-CHAP is not available with Fabric OS v2.6.x.) The default is to use FCAP or SLAP (see "Using PKI"); DH-CHAP must be explicitly selected with the authUtil command before it is used for authentication.
Because the primary FCS switch distributes the zoning configuration, zoning databases do not merge when new switches join the fabric. Instead, the zoning information on the new switches is overwritten when the primary FCS switch downloads zoning to these switches, if secure mode is enabled on all of them. For more information about zoning, see the Fabric OS Administrator's Guide. For more information about merging fabrics, see "Adding Switches and Merging Fabrics with Secure Mode Enabled" on page 4-13.
Secure Fabric OS supports the following policies:
• FCS policy—Use to specify the primary FCS and backup FCS switches. This is the only required policy.
• Management access control (MAC) policies—Use to restrict management access to switches. The following specific MAC policies are provided:
  - Read and Write SNMP policies. Use to restrict which SNMP hosts are allowed read and write access to the fabric.
  - Telnet policy.
Chapter 2 Preparing the Fabric for Secure Fabric OS
Secure Fabric OS is supported by Fabric OS v2.6.2, v3.1.0, v4.1.0 and later; it can be added to fabrics that contain any combination of these versions. This manual applies to v5.2.0 only and assumes that a compatible version of Fabric OS is running on all switches in the fabric before Secure Fabric OS is added.
Note
Adding Secure Fabric OS to the fabric might require access to the Web site of the switch support supplier.
• Remove user-defined Administrative Domains: Secure mode does not support Administrative Domains; therefore remove all user-defined ADs (AD1-254).
• Disable Administrative Domains and assign users to the default AD: Set Administrative Domains to disabled and assign all users to the default Administrative Domain of their role. For more information about Administrative Domain assignments, see the Fabric OS Administrator's Guide.
• Fabric-wide consistency policy is not defined.
To identify the current version of Fabric OS:
1. Open a serial or telnet connection to each of the switches in the fabric and log in as admin.
2. Type the version command. For example, entering the version command on a SilkWorm 3900:
switch3900:admin> version
Kernel: 2.4.19
Fabric OS: v5.1.0
Made on: Fri Nov 11 11:12:36 2005
Flash: Tue Dec 6 18:03:35 2005
BootProm: 4.5.3
To upgrade the Fabric OS:
The firmware upgrade process depends on the type of switch and management interface.
3. If the Secure Fabric OS and Advanced Zoning licenses are already listed, the features are already available and the remaining steps are not required; continue if either license is not listed.
4. Contact the switch supplier to purchase the required license key.
5. After the key is received, type licenseAdd "key". key is the license key string exactly as provided by the switch supplier; it is case sensitive. You can copy it from the email in which it was provided directly into the CLI.
The command displays the status of the PKI objects.
Note
"Root Certificate" is an internal PKI object. "Certificate" is the digital certificate.
Displaying PKI objects on Fabric OS v4.x or later:
switch:admin> pkishow
Passphrase : Exist
Private Key : Exist
CSR : Exist
Certificate : Exist
Root Certificate: Exist
Displaying PKI objects on Fabric OS v3.2.0:
switch:admin> configshow "pki"
Passphrase : Exist
Private Key : Exist
CSR : Exist
Certificate : Exist
Root Certificate: Exist
3.
4. Type the pkiShow command. If the switch is a two-domain SilkWorm 24000, enter this command on both logical switches.
switch:admin> pkishow
Passphrase : Exist
Private Key : Exist
CSR : Exist
Certificate : Empty
Root Certificate: Exist
The command displays the status of the PKI objects.
5. Repeat for any other switches, as required.
Removing PKI Objects
You cannot delete PKI objects in secure mode.
Obtaining the Digital Certificate File
The switch supplier provides the digital certificates in an XML file that is generated in response to the CSRs. Generally, the digital certificate file is provided by email.
Using the PKICert Utility to Obtain CSRs
The PKICert utility makes it possible to retrieve certificate signing requests (CSRs) from all the switches in the fabric and save them into a CSR file in XML format. PKICert also allows the user to create license reports, and it provides online help. (CSRs and PKI digital certificates also are used in Fabric OS v4.4.0, v5.0.1, v5.1.0, and v5.2.0 with SSL certificates.
4. Type the desired method for entering the fabric addresses.
PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
Choose a method for providing fabric addresses
1) Manually enter fabric address
2) Read addresses from a file (name to be given)
r) Return to Main menu
Enter choice>
To enter the fabric address manually
a. Type 1 and press Enter. The utility prompts for the IP address or switch name of a switch in the fabric. Only one switch name or IP address is required for each fabric.
b.
To read the fabric addresses from a file
a. Type 2 and press Enter. The utility prompts for the path and file name of the file. The addresses in the file must be IP addresses or switch names, each on a separate line.
b. Type the path and file name of the file that contains the fabric addresses and press Enter.
Enter the file-name of the Fabric Address file.
File Name ===> \\server\Working\FabricAddresses.txt
Connecting to Fabric(s) ...
Login to fabric 1.
6. The utility prompts for which fabrics to retrieve CSRs from. Type a to retrieve CSRs from all discovered fabrics; or, as shown in the example, type 1 to retrieve CSRs only from the fabric identified earlier; then press Enter.
PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.
9. Select n to input different fabric addresses; or, as shown in the example, select y to continue with the current fabrics.
PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.
Distributing Digital Certificates to the Switches
You can use the PKICert utility to distribute digital certificates to the switches in the fabric. The utility ensures that each digital certificate is installed on the corresponding switch. If you run the utility without any task argument, it defaults to interactive mode, in which it prompts for the required input.
Note
If this procedure is interrupted by a switch reboot, the certificate is not loaded and the procedure must be repeated.
4. Type the desired method for entering the fabric addresses.
PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
Choose a method for providing fabric addresses
1) Manually enter fabric address
2) Read addresses from a file (name to be given)
r) Return to Main menu
Type choice>
To enter the fabric address manually
a. Type 1 and press Enter. The utility prompts for the IP address or switch name of a switch in the fabric. Only one switch name or IP address is required for each fabric.
b.
To read the fabric addresses from a file
a. Type 2 and press Enter. The utility prompts for the path and file name of the file. The addresses in the file must be IP addresses or switch names, each on a separate line.
b. Type the path and file name of the file that contains the fabric addresses and press Enter.
Enter the file-name of the Fabric Address file.
File Name ===> \\server\Working\FabricAddresses.txt
Connecting to Fabric(s) ...
Login to fabric 1.
7. The new certificates are loaded onto the switches and the success or failure of each certificate is displayed. Press Enter to continue.
PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
Load Certificates onto 1 fabric(s)
Creating PKI Certificate Reports
Reports for PKI certification provide information about the number of licenses and switches enabled on your secured fabric. The reports can also be used to audit the fabric.
To create a PKI report
1. Type 3:
PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.
4. Type the username and password; then press Enter to continue.
Connecting to Fabric(s) ...
Login to fabric 1. principal switch WWN = 10:00:00:60:69:50:0d:9f
Username: root
Password:
Logged into fabric 1. principal switch WWN = 10:00:00:60:69:50:0d:9f
Press Enter to continue >
The utility prompts for information about the report file to be created.
5. Enter the requested information:
a. Type the path and file name for the report file to be created.
PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
Reporting on Licensed Products of these Fabrics:
Fabric  World Wide Name           # Switches  Principal
------  -----------------------   ----------  ----------
1>      10:00:00:60:69:50:0d:9f   2           sec_edge_2
Wrote 545 bytes of Lic Prod info to file: "SFOS_FAB.xml"
Success compiling and writing license report.
Press enter to continue.
7. Press Enter. The Functions menu is displayed.
8. Type q to quit the utility; then type y and press Enter to verify that you want to quit.
Accessing PKI Certificate Help
PKI help provides command line information about PKICert and advice on advanced options for advanced users.
To access PKI help
1. Select option 4 (as shown in the following example) and follow the screen prompts:
PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.
Data-file: -d Path/file-name of input or output file
* If the task is "Get-CSRs" or "License Rpt", the file is an output file created and written to with CSR or License report data.
* If the task is "Install Certificates", data is read from it.
Address-file: -a addr-file
"addr-file" is the path/file-name of an optional input file containing IP addresses or aliases of fabrics to which sessions should be established.
Configuring Switch-to-Switch Authentication
By default, Secure Fabric OS on Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 uses the SLAP or FCAP protocol for authentication. These protocols use digital certificates, based on the switch WWN and PKI technology, to authenticate switches. Support for FCAP is provided in Secure Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 and is used when both switches support it. Authentication automatically falls back to SLAP when a switch does not support FCAP.
Selecting Authentication Protocols
Use the authUtil command to:
• Display the current authentication parameters
• Select the authentication protocol used between switches
• Select the Diffie-Hellman (DH) group for a switch
Authentication is performed only when secure mode is enabled, but you can run the authUtil command whether or not secure mode is enabled. Run the command on the switch you want to view or change.
Managing Shared Secrets
When you configure the switches at both ends of a link to use DH-CHAP for authentication, you must also define a pair of shared secrets—one for each end of the link. The secret that one switch stores as its local secret is the secret its neighbor stores as the peer secret, and vice versa; a mismatch on either side causes authentication to fail.
To set shared secrets
1. Log in to the switch as admin.
2. On a switch running Fabric OS v4.x or v5.x, type secAuthSecret --set; on a switch running Fabric OS v3.x, type secAuthSecret "--set". The command enters interactive mode. It first prints a description of itself and the input it needs; then it loops through a sequence of switch specification, peer secret entry, and local secret entry. To exit the loop, press Enter for the switch name; then type y.
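The following is an added example, not Brocade code and not the FC-SP specification. It models the secret pairing that secAuthSecret configures: each switch holds a local secret (what it proves knowledge of) and a peer secret (what it expects the neighbor to prove), and a two-way DH-CHAP exchange succeeds only when the two switches' local and peer secrets cross-match. The hash construction, the small Diffie-Hellman parameters, the Switch class and the secret values are all assumptions chosen for illustration; the real protocol uses the DH groups selected with authUtil and the message formats defined by FC-SP.

```python
"""Simplified model of DH-CHAP switch-to-switch authentication (added example)."""
import hashlib
import secrets
from dataclasses import dataclass

# Toy DH group: Mersenne prime 2**127 - 1 with generator 2. Assumption for
# illustration only; it is large enough to run the exchange, not to be secure.
P = (1 << 127) - 1
G = 2


@dataclass
class Switch:
    name: str
    local_secret: bytes   # secret this switch proves knowledge of
    peer_secret: bytes    # secret it expects the neighbour to know


def chap_response(tid: int, secret: bytes, challenge: bytes, dh_key: int) -> bytes:
    """Toy response: H(transaction id || secret || challenge || shared DH key)."""
    h = hashlib.sha256()
    h.update(tid.to_bytes(4, "big"))
    h.update(secret)
    h.update(challenge)
    h.update(dh_key.to_bytes((P.bit_length() + 7) // 8, "big"))
    return h.digest()


def dh_chap_authenticate(initiator: Switch, responder: Switch) -> bool:
    """Run a two-way DH-CHAP exchange; True only if both directions verify."""
    tid = secrets.randbelow(1 << 32)

    # Responder challenges the initiator and contributes its DH public value.
    c1 = secrets.token_bytes(16)
    x = secrets.randbelow(P - 2) + 1
    gx = pow(G, x, P)

    # Initiator answers with its DH value, its response, and a counter-challenge.
    y = secrets.randbelow(P - 2) + 1
    gy = pow(G, y, P)
    k_init = pow(gx, y, P)
    r1 = chap_response(tid, initiator.local_secret, c1, k_init)
    c2 = secrets.token_bytes(16)

    # Responder derives the same DH key and checks r1 against the secret it
    # holds *for the peer*; then it answers c2 with its own local secret.
    k_resp = pow(gy, x, P)
    expected_r1 = chap_response(tid, responder.peer_secret, c1, k_resp)
    if not secrets.compare_digest(r1, expected_r1):
        return False
    r2 = chap_response(tid, responder.local_secret, c2, k_resp)

    # Initiator verifies r2 with the secret it holds for the peer.
    expected_r2 = chap_response(tid, initiator.peer_secret, c2, k_init)
    return secrets.compare_digest(r2, expected_r2)


def paired_correctly(a: Switch, b: Switch) -> bool:
    """Static check of the pairing rule before secAuthSecret is run on both ends."""
    return a.local_secret == b.peer_secret and b.local_secret == a.peer_secret


if __name__ == "__main__":
    # Constructed secrets for the demonstration.
    sw1 = Switch("switch1", b"secret-of-switch1", b"secret-of-switch2")
    sw2 = Switch("switch2", b"secret-of-switch2", b"secret-of-switch1")
    print("paired:", dh_chap_authenticate(sw1, sw2))
    typo = Switch("switch2", b"secret-of-switch2", b"typo-on-switch2")
    print("mismatched peer secret:", dh_chap_authenticate(sw1, typo))
```

The second call fails at the responder's first check, which is the same place a mistyped peer secret shows up on a real link: the initiator's proof is rejected before the responder ever proves itself.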
Preparing SilkWorm 24000 for Secure Fabric OS
The two logical switches in a SilkWorm 24000 (configured as two domains) director require a slightly different procedure from other Fabric OS switches. This procedure applies whether the director is shipped with or upgraded to Fabric OS v4.4.0, v5.0.1, v5.1.0, or v5.2.0.
Caution
Placing the two switches from the same director in separate fabrics is not supported if secure mode is enabled on one or both switches.
5. If the logical switches are in separate fabrics, synchronize the fabrics by connecting them to a common external network time protocol (NTP) server.
Note
If the fabric contains any switches running Fabric OS v4.4.0, v5.0.1, v5.1.0, or v5.2.0, the server must support a full NTP client. For switches running Fabric OS v3.2.0, the server can be SNTP or NTP.
a. Open a telnet or SSH session to either of the logical switches.
b. Type tsClockServer "IP address of NTP server".
c.
Installing a Supported CLI Client on a Workstation
Standard telnet sessions work only until secure mode is enabled. The following telnet clients are supported after secure mode has been enabled:
• sectelnet: sectelnet is a secure form of telnet that is available for switches running Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, or v5.2.0. For instructions on installing the sectelnet client, see the following procedures.
Chapter 3 Enabling Secure Fabric OS and Creating Policies
Secure Fabric OS policies make it possible to customize access to the fabric. The FCS policy is the only required policy; all other policies are optional.
Default Fabric and Switch Accessibility
Following is the default fabric and switch access when secure mode is enabled but no additional Secure Fabric OS policies have been created:
• Switches:
  - Only the primary FCS switch can be used to make Secure Fabric OS changes.
  - All switches in the fabric can be accessed through a serial port.
• Any host can access the fabric by using SNMP. Any host can access any switch in the fabric by using the CLI (such as by sectelnet or SSH).
The secModeEnable command performs the following actions:
• Creates and activates the FCS policy.
• Distributes the policy set (initially consisting of only the FCS policy) to all switches in the fabric.
• Activates and distributes the local zoning configurations.
• Fastboots any switches needing a reboot to bring the fabric up in secure mode. (Switches running Fabric OS v3.2.x, v4.4.x, v5.0.1, v5.1.0, and v5.2.0 are not rebooted when secure mode is enabled.
The following restrictions apply when secure mode is enabled:
• Standard telnet cannot be used after secure mode is enabled; however, sectelnet can be used as soon as a digital certificate is installed on the switch. SSH can be used at any time; however, telnet sessions opened prior to issuing secModeEnable remain open if secure mode is enabled using the option to preserve passwords.
2. Ensure that any zoning configuration downloads have completed on all switches in the fabric. For information specific to zoning, see the Advanced Zoning User's Guide for Fabric OS v2.6.x and v3.2.x, the Fabric OS Procedures Guide for Fabric OS v4.4.x, or the Fabric OS Administrator's Guide for Fabric OS v5.0.1, v5.1.0, or v5.2.0.
3. Open a sectelnet or SSH connection to the switch that will be the primary FCS switch. The login prompt is displayed.
To enable secure mode using --quickmode:
switch:admin> secmodeenable --quickmode
Your use of the certificate-based security features of the software installed on this equipment is subject to the End User License Agreement provided with the equipment and the Certification Practices Statement, which you may review at http://www.switchkeyactivation.com/cps. By using these security features, you are consenting to be bound by the terms of these documents.
7. Skip this step if you used the --quickmode or --currentpwd options; otherwise, type the following passwords at the prompts, using passwords that are different from the default values and contain between 8 and 40 alphanumeric characters:
• Root password for the FCS switch
• Factory password for the FCS switch
• Admin password for the FCS switch
• User password for the fabric
• Admin password for the non-FCS switches
Note
The root and factory accounts are disabled on the non-FCS switches.
Modifying the FCS Policy
Only one FCS policy can exist, and it cannot be empty or deleted if secure mode is enabled. The FCS policy is named FCS_POLICY. Changes made to the FCS policy are saved to permanent memory only after the changes have been saved or activated; they can be aborted later if desired (see "Managing Secure Fabric OS Policies" on page 3-25).
Changing the Position of a Switch Within the FCS Policy
Use the secPolicyFCSMove command to change the order in which switches are listed in the FCS policy. The list order determines which backup FCS switch becomes the primary FCS switch if the current primary FCS switch fails.
To modify the order of FCS switches:
1. From a sectelnet or SSH session, log in to the primary FCS switch as admin.
2. Type secPolicyShow "Defined", "FCS_POLICY".
Failing Over the Primary FCS Switch
The secFCSFailover command is used to fail over the role of the primary FCS switch to the backup FCS switch from which the command is entered. This can be used to recover from events such as a lost Ethernet connection to the primary FCS switch. In addition to failing over the role of the primary FCS switch, this command moves the new primary FCS switch to the top of the list in the FCS policy.
For example, type secFCSFailover from the backup FCS switch "fcsswitchc" and then type secPolicyShow:
fcsswitchc:admin> secfcsfailover
This switch is about to become the primary FCS switch.
All transactions of the current Primary FCS switch will be aborted.
ARE YOU SURE (yes, y, no, n): [no] y
WARNING!!! The FCS policy of Active and Defined Policy sets have been changed.
Review them before you issue secpolicyactivate again.
Specify policy members by IP address, device port WWN, switch WWN, domain IDs, or switch names, depending on the policy. The valid methods for specifying policy members are listed in Table 3-2.
The individual MAC policies and how to create them are described in the following sections. By default, all MAC access is allowed; no MAC policies exist until they are created.
Note
An empty MAC policy blocks all access through that management channel. When creating policies, ensure that all desired members are added to each policy. Providing fabric access to proxy servers is strongly discouraged.
Table 3-3 Read and Write Behaviors of SNMP Policies (Continued)
RSNMP Policy | WSNMP Policy | Read Result | Write Result
Empty | Host B in policy | Only B can read | Only B can write
Host A in policy | Nonexistent | This combination is not supported. If the WSNMP policy is not defined, the RSNMP policy cannot be created. |
Host A in policy | Empty | Only A can read | No host can write
Host A in policy | Host B in policy | A and B can read | Only B can write
To create an SNMP policy
1.
Note
Static host IP addresses are required to implement the Telnet policy effectively. Do not use DHCP for hosts that are in the TELNET_POLICY, because as soon as the IP addresses change, the hosts will no longer be able to access the fabric. Restricting output (such as placing a session on "hold" by use of a command or keyboard shortcut) is not recommended. This policy pertains to sectelnet and SSH. It does not pertain to telnet access, because telnet is not available in secure mode.
Table 3-5 displays the possible HTTP policy states.
Table 3-5 HTTP Policy States
Policy State | Characteristics
No policy | All hosts can establish an HTTP/HTTPS connection to any switch in the fabric.
Policy with no entries | No host can establish an HTTP/HTTPS connection to any switch in the fabric.
Note: An empty policy causes the message "The page cannot be displayed" to display when HTTP/HTTPS access is attempted.
API Policy
The API policy can be used to specify which workstations can use API to access the fabric and which ones can write to the primary FCS switch. The policy is named API_POLICY and contains a list of the IP addresses that are allowed to establish an API connection to switches in the fabric. Table 3-6 displays the possible API policy states.
Table 3-6 API Policy States
Policy State | Characteristics
No policy | All workstations can establish an API connection to any switch in the fabric.
Note
Only Fabric OS v2.6.2 supports the SES policy.
Table 3-7 displays the possible SES policy states.
Table 3-7 SES Policy States
Policy State | Characteristics
No policy | All device ports can access SES.
Policy with no entries | No device port can access SES.
Policy with entries | The specified devices can access SES.
To create an SES policy
1. From a sectelnet or SSH session, log in to the primary FCS switch as admin.
2. Type secPolicyCreate "SES_POLICY", "member;...;member".
To create a Management Server policy
1. From a sectelnet or SSH session, log in to the primary FCS switch as admin.
2. Type secPolicyCreate "MS_POLICY", "member;...;member". member is a device WWN.
3. To save or activate the new policy, enter either secPolicySave or secPolicyActivate. If neither of these commands is entered, the changes are lost when the session is logged out.
Front Panel Policy
The Front Panel policy can be used to restrict which switches can be accessed through the front panel. This policy only applies to SilkWorm 2800 switches, since no other switches contain front panels. The policy is named FRONTPANEL_POLICY and contains a list of switch WWNs, domain IDs, or switch names for which front panel access is enabled. Table 3-10 displays the possible Front Panel policy states.
Table 3-11 Options Policy States
Policy State | Characteristics
No policy | Node WWNs can be used for WWN-based zoning.
Policy with no entries | Node WWNs can be used for WWN-based zoning.
Policy with entries | Node WWNs cannot be used for WWN-based zoning.
To create an Options policy:
1. Log in to the primary FCS switch as admin from a sectelnet or SSH session.
2. Type secPolicyCreate "OPTIONS_POLICY", "NoNodeWWNZoning".
DCC policies must follow the naming convention "DCC_POLICY_nnn," where nnn represents a unique string. To save memory and improve performance, one DCC policy per switch or group of switches is recommended. Device ports must be specified by port WWN. Switch ports can be identified by the switch WWN, domain ID, or switch name followed by the port or area number. To specify an allowed connection, enter the device port WWN, a semicolon, and the switch port identification.
To create a DCC policy
1. From a sectelnet or SSH session, log in to the primary FCS switch as admin.
2. Type secPolicyCreate "DCC_POLICY_nnn", "member;...;member". DCC_POLICY_nnn is the name of the DCC policy to be created; nnn is a string consisting of up to 19 alphanumeric or underscore characters to differentiate it from any other DCC policies. member contains device or switch port information: deviceportWWN;switch(port):
• deviceportWWN is the WWN of the device port.
To create a DCC policy "DCC_POLICY_example" that includes devices 44:55:66:77:22:33:44:dd and 33:44:55:66:77:11:22:cc, ports 1 through 4 of switch domain 4, and all devices currently connected to ports 1 through 4 of switch domain 4:
primaryfcs:admin> secpolicycreate "DCC_POLICY_example", "44:55:66:77:22:33:44:dd;33:44:55:66:77:11:22:cc;4[1-4]"
DCC_POLICY_xxx has been created
Creating an SCC Policy
Note
Fabric OS v5.2.
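The DCC member syntax described above is easy to get subtly wrong, and a policy is enforced as soon as it is activated, so it pays to parse the member string before handing it to secPolicyCreate or secPolicyAdd. The parser below is an added example, not Brocade code: it implements the grammar as the guide states it (semicolon-separated members; a device is a port WWN; a switch port spec is a switch WWN, domain ID or switch name followed by a port list in brackets or parentheses, where brackets also admit the devices currently attached and parentheses list only the ports; port lists are comma-separated numbers or a-b ranges) and the DCC_POLICY_nnn naming rule. The class and function names, and the treatment of the "currently attached devices" flag as a boolean on each port entry, are this example's own assumptions.

```python
"""Parser for Secure Fabric OS DCC policy member strings (added example)."""
import re
from dataclasses import dataclass, field

WWN_RE = re.compile(r"^(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}$")
SWITCH_PORT_RE = re.compile(
    r"^(?P<switch>[^\[\(\]\)]+)(?P<open>[\[\(])(?P<ports>[^\]\)]*)(?P<close>[\]\)])$")
NAME_RE = re.compile(r"^DCC_POLICY_[A-Za-z0-9_]{1,19}$")


@dataclass(frozen=True)
class SwitchPort:
    switch: tuple           # ("wwn", str), ("domain", int) or ("name", str)
    port: int
    include_attached: bool  # True for [..] (devices now attached are included), False for (..)


@dataclass
class DccPolicy:
    name: str
    devices: list = field(default_factory=list)       # device port WWNs
    switch_ports: list = field(default_factory=list)  # SwitchPort entries


def valid_dcc_policy_name(name: str) -> bool:
    """DCC_POLICY_nnn, nnn = 1..19 alphanumeric or underscore characters."""
    return NAME_RE.match(name) is not None


def _switch_id(text: str) -> tuple:
    text = text.strip()
    if WWN_RE.match(text):
        return ("wwn", text.lower())
    if text.isdigit():
        return ("domain", int(text))
    return ("name", text)


def _expand_ports(spec: str) -> list:
    """'1-4' -> [1,2,3,4]; '1,3' -> [1,3]; mixed lists are allowed."""
    ports = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty port entry")
        if "-" in item:
            lo, hi = (int(p) for p in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad port range {item}")
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(item))
    return ports


def parse_dcc_members(name: str, members: str) -> DccPolicy:
    """Parse the name and member string given to secPolicyCreate/secPolicyAdd."""
    if not valid_dcc_policy_name(name):
        raise ValueError(f"invalid DCC policy name: {name}")
    policy = DccPolicy(name)
    for raw in members.split(";"):
        item = raw.strip()
        if not item:
            continue
        if WWN_RE.match(item):
            policy.devices.append(item.lower())
            continue
        m = SWITCH_PORT_RE.match(item)
        if not m or (m["open"], m["close"]) not in (("[", "]"), ("(", ")")):
            raise ValueError(f"unrecognised DCC member: {item}")
        sw = _switch_id(m["switch"])
        include = m["open"] == "["
        for port in _expand_ports(m["ports"]):
            policy.switch_ports.append(SwitchPort(sw, port, include))
    return policy


def port_is_listed(policy: DccPolicy, switch: tuple, port: int) -> bool:
    """True if the switch port appears in the policy in either form."""
    return any(sp.switch == switch and sp.port == port for sp in policy.switch_ports)


if __name__ == "__main__":
    p = parse_dcc_members("DCC_POLICY_example",
                          "44:55:66:77:22:33:44:dd;33:44:55:66:77:11:22:cc;4[1-4]")
    print(p.devices)
    for sp in p.switch_ports:
        print(sp)
```

Running it on the guide's own example string yields the two device WWNs and four entries for domain 4, ports 1 through 4, each flagged as including the currently attached devices; the secPolicyAdd form "3(1,3)" yields ports 1 and 3 of domain 3 without that flag.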
Table 3-13 SCC Policy States
Policy State | SCC Policy Enforcement
No policy specified | All switches may join the fabric.
Policy specified, but with no members | The SCC policy includes all FCS switches. All non-FCS switches are excluded. Only FCS switches may join the fabric.
Policy specified, with members | The SCC policy contains all FCS switches and any switches specified in the member list. Any non-FCS switches not explicitly specified are excluded.
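The three policy states (no policy, empty policy, policy with members) recur in every table above, and the two places where they do not behave uniformly are the RSNMP/WSNMP pair of Table 3-3 and the SCC policy of Table 3-13. The evaluator below is an added example, not Brocade code; it encodes those rules so that a planned policy set can be checked against the hosts and switches that currently use the fabric before secPolicyActivate locks them out. A policy is modelled as None (not created) or a set of members. The rows of Table 3-3 in which the RSNMP policy does not exist are not shown on this page; the example assumes that in those rows any host can read, which follows the same rule as the rows that are shown (a host with write access can always read).

```python
"""Evaluator for Secure Fabric OS MAC and SCC policy states (added example)."""
from typing import Optional, Set, Tuple

Policy = Optional[Set[str]]   # None = policy not created; set() = empty policy


def mac_allowed(policy: Policy, member: str) -> bool:
    """TELNET/HTTP/API/MS style policies: no policy allows all; empty allows none."""
    if policy is None:
        return True
    return member in policy


def snmp_access(rsnmp: Policy, wsnmp: Policy, host: str) -> Tuple[bool, bool]:
    """Return (can_read, can_write) for an SNMP host per Table 3-3.

    A host in the WSNMP policy can also read. An RSNMP policy without a
    WSNMP policy is not a supported combination and is rejected here.
    Assumption: when no RSNMP policy exists, any host can read.
    """
    if rsnmp is not None and wsnmp is None:
        raise ValueError("RSNMP policy cannot exist without a WSNMP policy")
    can_write = mac_allowed(wsnmp, host)
    can_read = mac_allowed(rsnmp, host) or (wsnmp is not None and host in wsnmp)
    return can_read, can_write


def scc_may_join(scc: Policy, fcs_switches: Set[str], switch: str) -> bool:
    """SCC: no policy admits any switch; otherwise FCS switches plus listed members."""
    if scc is None:
        return True
    return switch in fcs_switches or switch in scc


def locked_out(policy: Policy, current_members: Set[str]) -> Set[str]:
    """Members using a channel today that the policy would block once activated."""
    return {m for m in current_members if not mac_allowed(policy, m)}


if __name__ == "__main__":
    # Constructed fabric state for the demonstration.
    fcs = {"10:00:00:60:69:30:15:5c"}
    print("empty SCC admits FCS only:",
          scc_may_join(set(), fcs, "10:00:00:60:69:30:15:5c"),
          scc_may_join(set(), fcs, "10:00:00:60:69:30:15:5d"))
    print("table 3-3 (A read, B write):",
          snmp_access({"A"}, {"B"}, "A"), snmp_access({"A"}, {"B"}, "B"))
    print("telnet hosts that a policy of {h1} would cut off:",
          locked_out({"h1"}, {"h1", "h2"}))
```

locked_out is the check the note under "MAC policies" asks for: an empty policy is a valid but total lockout, so run it against the addresses of every management station that still needs access before activating.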
• "Activating Changes to Secure Fabric OS Policies" on page 3-27: Simultaneously save and implement all the policy changes made since the last time changes were activated. The activated policies are known as the active policy set.
• "Adding a Member to an Existing Policy" on page 3-27: Add one or more members to a policy. The aspect of the fabric covered by each policy is closed to access by all devices/switches that are not listed in that policy.
Activating Changes to Secure Fabric OS Policies
Implement changes to the Secure Fabric OS policies using the secPolicyActivate command. This saves the changes to the active policy set and activates all policy changes since the last time the command was issued. You cannot activate policies on an individual basis; all changes to the entire policy set are activated by the command.
To add two devices to the DCC policy, and to attach domain 3 ports 1 and 3 (WWNs of devices are 11:22:33:44:55:66:77:aa and 11:22:33:44:55:66:77:bb):
primaryfcs:admin> secpolicyadd "DCC_POLICY_abc", "11:22:33:44:55:66:77:aa;11:22:33:44:55:66:77:bb;3(1,3)"
Removing a Member from a Policy
If all the members are removed from a policy, that policy becomes closed to all access. The last member cannot be removed from the FCS_POLICY, because a primary FCS switch must be designated.
Aborting All Uncommitted Changes
You can use the secPolicyAbort command to abort all Secure Fabric OS policy changes that have not yet been saved. This function can only be performed from the primary FCS switch.
To abort all unsaved changes
1. From a sectelnet or SSH session, log in to the primary FCS switch as admin.
2. Type the secPolicyAbort command:
primaryfcs:admin> secpolicyabort
Unsaved data has been aborted.
3-30 Secure Fabric OS Administrator’s Guide Publication Number: 53-1000244-01
Chapter 4 Managing Secure Fabric OS

Secure Fabric OS v2.6.2, v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 can be managed through Fabric Manager and sectelnet. In addition, SSH (Secure Shell) is supported for Fabric OS v4.4.0, v5.0.1, v5.1.0, and v5.2.0. When secure mode is enabled for a fabric, all Secure Fabric OS administrative operations, all zoning commands, and some management server commands must be executed on the primary FCS switch.
Displaying General Secure Fabric OS Information

You can use the secFabricShow command to display general Secure Fabric OS-related information about a fabric.

To display general Secure Fabric OS-related information
1. Open a sectelnet or SSH session to the primary FCS switch and log in as admin.
2. Type the secFabricShow command. The command displays the switches in the fabric and their status (Ready, Error, Busy, or NoResp, for no response from the switch).
If you do not specify any operands, the command displays all policies in both the active and defined policy sets. For example, to display all policies in both active and defined policy sets:

primaryfcs:admin> secpolicydump
____________________________________________________
DEFINED POLICY SET
FCS_POLICY
Pos Primary WWN                     DId swName
__________________________________________________
1   Yes     10:00:00:60:69:30:15:5c 1   primaryfcs
HTTP_POLICY
IpAddr
__________________________________________________
192.155.52.
For example, to display all the policies in the defined policy set:

primaryfcs:admin> secpolicyshow "defined"
____________________________________________________
DEFINED POLICY SET
FCS_POLICY
Pos Primary WWN                     DId swName
__________________________________________________
1   Yes     10:00:00:60:69:30:15:5c 1   primaryfcs
HTTP_POLICY
IpAddr
__________________________________________________
192.155.52.0
192.155.53.1
192.155.54.2
192.155.55.3
192.155.56.
Displaying and Resetting Secure Fabric OS Statistics

Secure Fabric OS provides several statistics regarding attempted policy violations. This includes events such as the following:
• A DCC policy exists that defines which devices are authorized to access which switch (port) combinations, and a device that is not listed in the policy tries to access one of the defined switch (port) combinations.
• An attempt is made to log in to an account with an incorrect password.
Table 4-2 Secure Fabric OS Statistics (Continued)

Statistic: INVALID_CERT (invalid certificates)
Definition: A received certificate is not properly signed by the root CA of the receiving switch.

Statistic: INVALID_SIGN (invalid signatures)
Definition: A received packet has a bad signature.

Statistic: INVALID_TS (invalid timestamps)
Definition: A received packet has a time stamp that differs from the time of the receiving switch by more than the maximum allowed difference.

Statistic: LOGIN
Definition: The number of invalid login attempts.
To display Secure Fabric OS statistics
1. From a sectelnet or SSH session, log in to the primary FCS switch as admin.
2. Type secStatsShow "name", "list".
   name is the name of a Secure Fabric OS statistic or the policy that relates to the statistic. The valid statistic names are listed in Table 4-2. Enter an asterisk (*) to indicate all statistics.
   list is a list of the domain IDs for which to display the statistics. Enter an asterisk (*) to indicate all switches in the fabric.
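The counters in Table 4-2 are cumulative, so they are most useful when polled repeatedly and compared, not read once. The following Python is an added example, not Brocade code, that diffs two polls of the statistics per domain and reports every counter that grew, with the Table 4-2 meaning attached. It does not reproduce the text layout of secStatsShow output; the snapshot format is a constructed {domain_id: {statistic: count}} dictionary that a wrapper script would fill from the command, and the sample polls are constructed values.

```python
"""Diff two polls of Secure Fabric OS statistics and flag new violations (added example)."""
from typing import Dict, List, NamedTuple

Snapshot = Dict[int, Dict[str, int]]  # domain ID -> statistic name -> count

# Meanings taken from Table 4-2 of the guide
MEANING = {
    "INVALID_CERT": "certificate not signed by the receiving switch's root CA",
    "INVALID_SIGN": "packet with a bad signature",
    "INVALID_TS": "packet time stamp outside the allowed clock difference",
    "LOGIN": "invalid login attempt",
}


class Alert(NamedTuple):
    domain: int
    statistic: str
    delta: int
    meaning: str


def diff_stats(baseline: Snapshot, current: Snapshot) -> List[Alert]:
    """Return one Alert per (domain, statistic) whose counter increased.

    A counter that is LOWER than the baseline is treated as having been reset
    (for example by secStatsReset): the whole current value is reported, so a
    reset between polls never hides events.
    """
    alerts: List[Alert] = []
    for domain in sorted(current):
        for stat, now in sorted(current[domain].items()):
            before = baseline.get(domain, {}).get(stat, 0)
            delta = now - before if now >= before else now
            if delta > 0:
                alerts.append(Alert(domain, stat, delta, MEANING.get(stat, stat)))
    return alerts


def worst_domains(alerts: List[Alert], min_total: int = 1) -> List[int]:
    """Domain IDs ordered by total new violations, highest first (ties by ID)."""
    totals: Dict[int, int] = {}
    for a in alerts:
        totals[a.domain] = totals.get(a.domain, 0) + a.delta
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [d for d, t in ranked if t >= min_total]


# Constructed sample polls (not real switch output)
BASELINE: Snapshot = {1: {"LOGIN": 2, "INVALID_TS": 0}, 2: {"LOGIN": 0, "INVALID_CERT": 0}}
POLL_NOW: Snapshot = {1: {"LOGIN": 9, "INVALID_TS": 1},
                      2: {"LOGIN": 0, "INVALID_CERT": 3},
                      3: {"INVALID_SIGN": 1}}

if __name__ == "__main__":
    for a in diff_stats(BASELINE, POLL_NOW):
        print("domain %d: %s +%d (%s)" % (a.domain, a.statistic, a.delta, a.meaning))
    print("review first:", worst_domains(diff_stats(BASELINE, POLL_NOW)))
```

A steady trickle of LOGIN increments on one domain, or any INVALID_CERT or INVALID_SIGN increment at all, is the kind of change worth routing to whoever owns the fabric rather than leaving in a counter nobody reads.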
Managing Passwords

This section provides the following information:
• “Modifying Passwords in Secure Mode” on page 4-10
• “Using Temporary Passwords” on page 4-11

When secure mode is enabled, the following conditions apply:
• Only enter the passwd command on the primary FCS switch.
• The admin account (or role) remains available from all switches, but two passwords are implemented: one for all FCS switches and one for all non-FCS switches.
Table 4-3 Login Account Behavior with Secure Mode Disabled and Enabled (Continued)

Account Role: admin
Secure Mode Disabled: Available on all switches. Can use to modify admin and user passwords. Password is specific to each switch; can modify using the passwd command.
Secure Mode Enabled: Available on all switches. Can create temporary passwords. Two passwords:
• One for all FCS switches; can modify using passwd command on the primary FCS switch.
Modifying Passwords in Secure Mode

Use the passwd command to modify the fabric-wide user password and the passwords for the FCS switches. Use the secNonFCSPasswd command to modify the admin password for non-FCS switches.

Note: If the password is changed for a login account, all open sessions using that account are terminated, including the session from which the passwd command was executed, if applicable.
3. Type the new non-FCS admin password at the prompt. The password can be anywhere from 8 to 40 alphanumeric characters in length. This password becomes the admin password for all non-FCS switches in the fabric.
4. Reenter the new non-FCS admin password at the prompt.

primaryfcs:admin> secnonfcspasswd
Non FCS switch password:
Re-enter new password:
Committing configuration...done.

The password is distributed to all switches in the fabric and saved in the Secure Fabric OS database.
4. Reenter the password exactly as entered the first time.

For example, to create a temporary password for the admin account on a switch that has a domain ID of 2:

primaryfcs:admin> sectemppasswdset 2, "admin"
Set remote switch admin password: swimming
Re-enter remote switch admin password: swimming
Committing configuration........done
Password successfully set for domain 2 for admin.

Removing a Temporary Password from a Switch

Use the secTempPasswdReset command to remove the temporary password.
To reset the time stamp of a fabric to 0
1. From a sectelnet or SSH session, log in to the primary FCS switch as admin.
2. Type the secVersionReset command.

If the fabric contains no FCS switch, you can enter the secVersionReset command on any switch.

Adding Switches and Merging Fabrics with Secure Mode Enabled

To merge fabrics, both fabrics must be in secure mode and must have identical FCS policies.
Table 4-4 indicates the results of moving switches in and out of fabrics with secure mode enabled or disabled.

Table 4-4 Moving Switches Between Fabrics

Columns: Initial State of Switch | If set up as a standalone switch: | If moved into a fabric that has Secure Mode enabled and a functioning primary FCS switch: | If moved into a fabric that has Secure Mode enabled but no FCS switches are available: | If moved into a nonsecure fabric:

Initial State of Switch: Primary FCS switch in the FCS policy stored on switch, with secure mode enabled.
To merge two or more fabrics that have Secure Fabric OS implemented
1. As a precaution, back up the configuration of each fabric to be merged by entering the configUpload command and completing the prompts. This also backs up the policies if Secure Fabric OS was already in use on the switch (such as on a 2000-series switch running v2.6.x).
2. Ensure that all switches to be merged are running Fabric OS v2.6.2, v3.2.0, v4.4.0, v5.0.1, v5.1.0, or
   a.
7. Install a supported CLI client on the computer workstations that you will be using to manage the merged fabric. Supported CLI clients include sectelnet and SSH and are discussed in “Installing a Supported CLI Client on a Workstation” on page 2-28.
8. Enable secure mode on all switches to be merged by entering the secModeEnable command on the primary FCS switches of any fabrics that do not already have secure mode enabled.
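The merge procedure above has three preconditions that are easy to check from inventory data before anyone touches the fabrics: every switch runs one of the supported Fabric OS versions, both fabrics have secure mode enabled, and their FCS policies are identical (including order, since position decides the primary). The following Python is an added example, not Brocade code, that performs that pre-flight check and lists every reason a merge would fail. The version list is the one given in this chapter; the Fabric dataclass, the function names and the sample WWNs are constructed for the example.

```python
"""Pre-merge check for two Secure Fabric OS fabrics (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Fabric OS versions this guide names as supported for merging
SUPPORTED_VERSIONS = {"v2.6.2", "v3.2.0", "v4.4.0", "v5.0.1", "v5.1.0", "v5.2.0"}


@dataclass
class Fabric:
    name: str
    secure_mode: bool
    fcs_policy: List[str]  # ordered WWNs; position 1 is the primary FCS switch
    switch_versions: Dict[str, str] = field(default_factory=dict)  # WWN -> Fabric OS


def merge_problems(a: Fabric, b: Fabric) -> List[str]:
    """Return every reason the two fabrics will not merge; an empty list means OK."""
    problems: List[str] = []
    for fab in (a, b):
        for wwn, ver in sorted(fab.switch_versions.items()):
            if ver not in SUPPORTED_VERSIONS:
                problems.append("%s: switch %s runs unsupported %s" % (fab.name, wwn, ver))
        if not fab.secure_mode:
            problems.append("%s: secure mode is not enabled" % fab.name)
    # FCS policies must be identical as ordered lists (case-insensitive WWNs)
    if [w.lower() for w in a.fcs_policy] != [w.lower() for w in b.fcs_policy]:
        problems.append("FCS policies differ: %s vs %s" % (a.fcs_policy, b.fcs_policy))
    return problems


def can_merge(a: Fabric, b: Fabric) -> bool:
    return not merge_problems(a, b)


if __name__ == "__main__":
    # Constructed sample fabrics (not real inventory)
    primary = "10:00:00:00:00:00:00:01"
    fab_a = Fabric("fabA", True, [primary], {primary: "v5.2.0"})
    fab_b = Fabric("fabB", False, ["10:00:00:00:00:00:00:02"],
                   {"10:00:00:00:00:00:00:02": "v4.1.0"})
    for problem in merge_problems(fab_a, fab_b):
        print("blocker:", problem)
```

Running this against both inventories before step 1 turns "the fabrics segmented after the ISL came up" into a list of named fixes (upgrade, secModeEnable, align the FCS policy) to apply beforehand.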
Preventing a LUN Connection

It might be necessary to prevent someone from connecting a host and mounting a logical unit number (LUN) connection to your secure fabric. Besides hardware-enforced zoning, you need to create options and DCC policies on each switch in the secure fabric after configuring it in all your hosts and storage. This locks down anything that is connected to the secure fabric. If someone subsequently plugs in a rogue host, that port becomes disabled.
Table 4-5 Recovery Processes (Continued)

Symptom: Cannot execute commands from any switch in the fabric.
Possible Causes: All FCS switches have failed but secure mode is still enabled, preventing access to fabric.
Recommended Actions: Type the secModeEnable command from the switch that you want to become the new primary FCS switch, and specify the FCS switches.

Symptom: Cannot access some or all switches in the fabric.
Possible Causes: The MAC policies are restricting access.
Table 4-5 Recovery Processes (Continued)

Symptom: A policy that has been created is not listed by the secPolicyShow command.
Possible Causes: The new policy was not saved or activated.
Recommended Actions: Save or activate the policy changes by entering the secPolicySave or secPolicyActivate command.
Possible Causes: Incorrect policy name used.
Recommended Actions: Verify that the correct policy name was used. Policy names must be entered in all uppercase characters.
Table 4-5 Recovery Processes (Continued)

Symptom: One or more switches is segmented from the fabric.
Possible Causes: SCC_POLICY is excluding the switches.
Recommended Actions: Use the secPolicyAdd command on the primary FCS switch to add the segmented switches to the SCC_POLICY. Note: For instructions on rejoining fabrics, refer to the instructions in “Adding Switches and Merging Fabrics with Secure Mode Enabled” on page 4-13.
Possible Causes: Management server services on the segmented switches are inconsistent with rest of fabric.
Table 4-5 Recovery Processes (Continued)

Symptom: When the SCC policy is created after a fabric segmentation, it automatically includes the segmented FCS switches.
Possible Causes: The segmented FCS switches are still listed in the FCS policy.
Recommended Actions: Modify FCS policy to remove segmented FCS switches; then, modify or create the SCC policy as required.

Symptom: Passwords that should be consistent across the fabric are not consistent.
Appendix A Removing Secure Fabric OS Capability

You cannot remove Secure Fabric OS capability from a fabric by disabling secure mode and deactivating the Secure Fabric OS license keys on the individual switches. Removing Secure Fabric OS capability is not recommended unless absolutely required. If at all possible, consider disabling only secure mode and leaving the Secure Fabric OS feature available so that secure mode can be reenabled if desired.
Disabling Secure Mode

Secure mode is enabled and disabled on a fabric-wide basis and can be enabled and disabled as often as desired. However, all Secure Fabric OS policies, including the FCS policy, are deleted each time secure mode is disabled and must be re-created the next time it is enabled. The policies can be backed up using the configUpload and configDownload commands. For more information about these commands, refer to the Fabric OS Command Reference.
Deactivating the Secure Fabric OS License on Each Switch

Deactivating the Secure Fabric OS license is not required to disable Secure Fabric OS functionality.

Note: If the user installs and activates a feature license and then removes the license, the feature is not disabled until the next time the system is rebooted or a switch enable or disable is performed.

To deactivate the software license
1. Open a CLI connection (serial or telnet) to the switch.
2.
Appendix B Secure Fabric OS Commands and Secure Mode Restrictions

Secure Fabric OS commands, zoning commands, and some management server commands must be entered through the primary FCS switch. This appendix includes the following information:
• “Secure Fabric OS Commands,” next
• “Command Restrictions in Secure Mode” on page B-6

For more detailed information about commands, see the Fabric OS Command Reference.
Table B-1 Secure Fabric OS Commands

Command: authUtil
Role: admin / fabricAdmin
Description: Displays current authentication parameters and lets you set the protocol used to authenticate switches.
Secure Mode or Nonsecure Mode?: Both

Command: pkiCreate
Role: admin
Description: Re-creates the PKI objects on the switch. See “Creating PKI Objects” on page 2-5.
Secure Mode or Nonsecure Mode?: Nonsecure mode
Which Switches in Secure Mode?: n/a

Command: pkiRemove
Role: admin
Description: Removes the PKI objects from the switch.

Table B-1 Secure Fabric OS Commands (Continued)

Command: secModeShow
Role: admin / fabricAdmin
Description: Displays current mode of Secure Fabric OS. See “Displaying Status of Secure Mode” on page 4-4.
Secure Mode or Nonsecure Mode?: Both
Which Switches in Secure Mode?: Any

Command: secNonFCSPasswd
Role: admin / fabricAdmin
Description: Sets non-FCS admin account password. See “Modifying the Non-FCS Switch Admin Password” on page 4-10.

Table B-1 Secure Fabric OS Commands (Continued)

Command: secStatsReset
Role: admin / fabricAdmin
Description: Resets Secure Fabric OS statistics to 0. See “Resetting Secure Fabric OS Statistics” on page 4-7.
Secure Mode or Nonsecure Mode?: Both
Which Switches in Secure Mode?: Any

Command: secStatsShow
Role: admin / fabricAdmin
Description: Displays Secure Fabric OS statistics. See “Displaying Secure Fabric OS Statistics” on page 4-6.
Secure Mode or Nonsecure Mode?: Both
Which Switches in Secure Mode?: Any

Command: secTempPasswdReset
Role: admin / fabricAdmin
Description: Removes temporary passwords.
Command Restrictions in Secure Mode

This section provides information about the restrictions that secure mode places on commands. Any commands not listed here can be executed on any switch, whether or not secure mode is enabled.

Zoning Commands

All zoning commands must be executed on the primary FCS switch, except for the cfgShow command, which can also be executed on the backup FCS switch.
Table B-2 Zoning Commands (Continued)

Command            Primary FCS Switch   Backup FCS Switch   Non-FCS Switch
faZoneShow         Yes                  Yes                 No
lsanzoneshow       Yes                  No                  No
zone               Yes                  No                  No
zoneAdd            Yes                  No                  No
zoneCreate         Yes                  No                  No
zoneDelete         Yes                  No                  No
zoneObjectRename   Yes                  No                  No
zoneRemove         Yes                  No                  No
zoneShow           Yes                  No                  No

Miscellaneous Commands

Table B-3 lists which miscellaneous commands, including management server and SNMP commands, can be executed on which switches.

Table B-3 Miscellaneous Commands (Continued)

Command              Primary FCS Switch   Backup FCS Switch   Non-FCS Switch
msplClearDB          Yes                  No                  No
msplMgmtActivate     Yes                  No                  No
msplMgmtDeactivate   Yes                  No                  No
mstdDisable          Yes                  Yes                 Yes
mstdDisable "all"    Yes                  No                  No
mstdEnable           Yes                  Yes                 Yes
mstdEnable "all"     Yes                  No                  No
mstdReadConfig       Yes                  Yes                 Yes
passwd               Yes                  No                  No
tsClockServer        Yes                  Yes (read only)     Yes (read only)
tsClockServer        Yes                  No                  No
user