Configuring The Authentication Policy For Fabric Elements; Dh-Chap Authentication - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

2. Issue the secPolicyAbort command:
switch:admin> secpolicyabort
Unsaved data has been aborted.
All changes since the last time the secPolicySave or secPolicyActivate commands were
entered are aborted.

Configuring the authentication policy for fabric elements

By default, Fabric OS 6.1.0 and later uses DH-CHAP or FCAP protocols for authentication. These protocols
use shared secrets and digital certificates, based on switch WWN and public key infrastructure (PKI)
technology, to authenticate switches. Authentication automatically defaults to FCAP if both switches are
configured to accept FCAP protocol in authentication. To use FCAP on both switches, PKI certificates have
to be installed.
NOTE: The fabric authentication feature is available in base Fabric OS. No license is required.
You can configure a switch with Fabric OS 5.3.0 or later to use Diffie-Hellman challenge handshake
authentication protocol (DH-CHAP) for device authentication. Use the authUtil command to configure
the authentication parameters used by the switch. When you configure DH-CHAP authentication, you also
must define a pair of shared secrets known to both switches as a secret key pair.
illustrates how the secrets are configured. A secret key pair consists of a local secret and a peer secret. The
local secret uniquely identifies the local switch. The peer secret uniquely identifies the entity to which the
local switch authenticates. Every switch can share a secret key pair with any other switch or host in a
fabric.
To use DH-CHAP authentication, a secret key pair has to be configured on both switches. You can use the
command authutil –-set <fcap|dhchap> to set the authentication protocol, which can then be
verified using the command authutil –-show CLI.
NOTE: The standards-compliant DH-CHAP and FCAP authentication protocols are not compatible with
the SLAP protocol that was the only protocol supported in earlier Fabric OS releases 4.2, 4.1, 3.1, 2.6.x.
Fabric OS 6.1.0 and later switch-to-switch authentication implementation is fully backward compatible with
3.2.0, 4.2.0, 4.4.0, 5.0.0, 5.1.0, 5.2.0, and 5.3.0.
Use the secAuthSecret command to set a shared secret on the switch. When configured, the secret key
pair are used for authentication. Authentication occurs whenever there is a state change for the switch or
port. The state change can be due to a switch reboot, a switch or port disable and enable, or the
activation of a policy.
Key database on switch
Switch A
Figure 4

DH-CHAP authentication

If you use DH-CHAP authentication, a secret key pair must be installed only in connected fabric elements.
However, as connections are changed, new secret key pairs must be installed between newly connected
118 Configuring advanced security features
Local secret A
Peer secret B
Figure 4
Key database on switch
Local secret B
Peer secret A
Switch B
on page 1 18