DH-CHAP Authentication - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

HP StorageWorks Fabric OS 5.3.x administrator guide (5697-0244, November 2009)

Fabric OS 5.3.0 switch-to-switch authentication implementation is fully backward compatible with v3.2,
v4.2, v4.4, v5.0, v5.1, and v5.2.
Use secAuthSecret to set a shared secret on the switch. When configured, the secret key pair is used
for authentication. Authentication occurs whenever there is a state change for the switch or port; the state
change can be due to a switch reboot, a switch or port disable and enable, or the activation of a policy.
Figure 2 DH-CHAP authentication (figure not reproduced: two connected switches, each with a key database
holding its own local secret and the peer's secret; switch A stores Local secret A and Peer secret B, switch B
stores Local secret B and Peer secret A)

If you use DH-CHAP authentication, a secret key pair must be installed only in fabric elements that are
connected to each other. However, as connections change, new secret key pairs must be installed between the
newly connected elements. Alternatively, secret key pairs for all possible connections can be installed
initially, so that links can be changed arbitrarily while a valid secret key pair still exists for any new
connection.
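The secret pairs and the challenge-response exchange described above, as an added example in Python that is not part of the guide or of Fabric OS. The message layout, the hash (SHA-256) and the response formula H(tid || secret || nonce || DH public value) are assumptions made for illustration and do not reproduce the FC-SP DH-CHAP wire format; the WWNs and secrets are constructed, and the 1024-bit MODP group from RFC 2409 (group 2) stands in for whatever DH group the switch negotiates. What the example keeps from the text is the operational point: authentication succeeds only when each side holds the matching pair for the specific peer it is cabled to, a re-cabled link without a pair fails, and pre-installing pairs for every possible link (n(n-1) secrets for n switches) lets links be changed freely.

```python
# Added example, not from the Fabric OS guide: a simplified model of the
# DH-CHAP switch-to-switch exchange and of the per-peer secret database that
# secAuthSecret populates. Message layout and hash inputs are assumptions.
import hashlib
import secrets

# 1024-bit MODP prime from RFC 2409 (group 2), generator 2. Stand-in for the
# DH group the switch negotiates; only DH-CHAP consumes it (FCAP does not).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def response(tid: int, secret: bytes, nonce: bytes, dh_public: int) -> bytes:
    """Assumed response layout: SHA-256(tid || secret || nonce || g^e mod p)."""
    h = hashlib.sha256()
    h.update(tid.to_bytes(4, "big"))
    h.update(secret)
    h.update(nonce)
    h.update(dh_public.to_bytes((P.bit_length() + 7) // 8, "big"))
    return h.digest()


class Switch:
    """A switch with its secAuthSecret key database.

    keydb maps peer WWN -> (local_secret, peer_secret): local_secret is what
    this switch uses to answer that peer's challenge, peer_secret is what it
    expects the peer to answer with. Two connected switches therefore hold
    mirrored entries, as in Figure 2.
    """

    def __init__(self, wwn: str):
        self.wwn = wwn
        self.keydb: dict[str, tuple[bytes, bytes]] = {}

    def set_secret(self, peer_wwn: str, local_secret: bytes, peer_secret: bytes) -> None:
        self.keydb[peer_wwn] = (local_secret, peer_secret)


def authenticate(initiator: Switch, responder: Switch) -> tuple[bool, str]:
    """Run the mutual exchange initiator -> responder; return (ok, reason)."""
    if responder.wwn not in initiator.keydb:
        return False, f"{initiator.wwn}: no secret pair installed for {responder.wwn}"
    if initiator.wwn not in responder.keydb:
        return False, f"{responder.wwn}: no secret pair installed for {initiator.wwn}"
    init_local, init_peer = initiator.keydb[responder.wwn]
    resp_local, resp_peer = responder.keydb[initiator.wwn]

    # Initiator: challenge carrying a transaction id, a nonce and g^x.
    x = secrets.randbelow(P - 2) + 1
    tid1, nonce1, gx = secrets.randbits(32), secrets.token_bytes(16), pow(G, x, P)

    # Responder: answers with its local secret for this peer and its own g^y,
    # plus a counter-challenge so the initiator must prove itself as well.
    y = secrets.randbelow(P - 2) + 1
    gy = pow(G, y, P)
    r1 = response(tid1, resp_local, nonce1, gy)
    tid2, nonce2 = secrets.randbits(32), secrets.token_bytes(16)

    # Initiator verifies r1 against the secret it expects the peer to hold.
    if not secrets.compare_digest(r1, response(tid1, init_peer, nonce1, gy)):
        return False, f"{initiator.wwn}: {responder.wwn} failed challenge (secret mismatch)"
    r2 = response(tid2, init_local, nonce2, gx)

    # Responder verifies r2 the same way.
    if not secrets.compare_digest(r2, response(tid2, resp_peer, nonce2, gx)):
        return False, f"{responder.wwn}: {initiator.wwn} failed challenge (secret mismatch)"

    # Both sides now agree on g^xy: the DH group is actually consumed here.
    assert pow(gy, x, P) == pow(gx, y, P)
    return True, "authenticated"


def install_pair(a: Switch, b: Switch) -> None:
    """Install one fresh secret pair for the a<->b link on both switches."""
    a_to_b, b_to_a = secrets.token_bytes(16), secrets.token_bytes(16)
    a.set_secret(b.wwn, local_secret=a_to_b, peer_secret=b_to_a)
    b.set_secret(a.wwn, local_secret=b_to_a, peer_secret=a_to_b)


def install_full_mesh(switches: list[Switch]) -> int:
    """Pre-install a pair for every possible link so links can be re-cabled
    freely. Returns the number of secrets generated: n(n-1), two per link."""
    count = 0
    for i, a in enumerate(switches):
        for b in switches[i + 1:]:
            install_pair(a, b)
            count += 2
    return count


def demo() -> dict[str, bool]:
    # Constructed WWNs, not real switches.
    a, b, c = (Switch(f"10:00:00:00:00:00:00:0{s}") for s in "abc")
    install_pair(a, b)
    results = {"a-b configured": authenticate(a, b)[0],
               "b-a configured": authenticate(b, a)[0],
               "a-c recabled without pair": authenticate(a, c)[0]}
    # B's local secret for A no longer matches A's peer secret for B.
    b.set_secret(a.wwn, local_secret=b"wrong", peer_secret=b.keydb[a.wwn][1])
    results["a-b secret mismatch"] = authenticate(a, b)[0]
    install_full_mesh([a, b, c])
    results["a-c after full mesh"] = authenticate(a, c)[0]
    return results
```

Running demo() shows the two configured directions succeeding, the re-cabled a-c link failing until a pair exists, a one-sided secret change failing, and every link succeeding once pairs for all possible connections are installed.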
The switch authentication (AUTH) policy initiates DH-CHAP/FCAP authentication on all E_Ports. This policy
is persistent across reboots, which means authentication will be initiated automatically on ports or switches
brought online if the policy is set to activate authentication. The AUTH policy is distributed using the
distribute command. The automatic distribution of the AUTH policy is not supported.
Once the AUTH policy is activated, you cannot implement a Secure Fabric OS environment: the
secmodeenable command fails if any switch in the fabric has an active AUTH policy.
The default configuration directs the switch to attempt FCAP authentication first, DH-CHAP second. The
switch may be configured to negotiate FCAP, DH-CHAP, or both.
The DH group is used in the DH-CHAP protocol only. The FCAP protocol exchanges the DH group
information, but does not use it.
The AUTH policy is designed to accommodate mixed fabrics that contain Fabric OS 5.3.0 and pre-5.3.0
switches. The PASSIVE and OFF policy states allow connections from Fabric OS 5.3.0 switches to pre-5.3.0
switches: in these states the switch does not initiate the authentication negotiation and continues with the
rest of port initialization.
130 Configuring advanced security
