McDATA StorageWorks 2/140 - Director Switch Planning Manual page 221

Products in a SAN environment
The fabric element transmits a random value (used only once), an
ID value (incremented at each login), and a shared CHAP secret
(16-byte random value) to the server. The server concatenates the
random value, ID value, and CHAP secret, and calculates a one-way
message digest (also called a hash value). The hash value is
transmitted to the authenticator (fabric element). The fabric
element then builds the same concatenated string and compares
the result with the value received from the server. If the values
match, the connection is authenticated.
• Port DHCHAP authentication - Enhanced security for device
connections and ISLs is provided through Diffie-Hellman
challenge handshake authentication protocol (DHCHAP). A
fabric element uses DHCHAP to authenticate any device (node)
that attempts a node port (N_Port) connection and any director or
switch that attempts an expansion port (E_Port) connection. This
ensures only authorized devices can be added to the fabric.
DHCHAP is an authentication protocol based on transmission of
a one-way hash value (composed of a sequentially-incremented
ID value and CHAP secret). Because the hash cannot be reversed
to discover the CHAP secret, the protocol provides protection
from discovery through the network.
• CT authentication - Common transport (CT) authentication
authorizes management server access to fabric elements through
the open-system management server (OSMS) interface. The
feature is software-enforced and allows an attached fabric to
authenticate the OSMS management application. A single shared
secret is configured for each fabric-attached director or switch
(because OSMS is a fabric service that assumes all attached fabric
elements are authenticated). The same secret is used by the
management application.
• PCP user database - All authentication users are configured in a
product control point (PCP) user database. The database includes
usernames, passwords, and authorized interfaces for
management server and device access. The database controls
password authentication for EFCM, SANavigator, CLI, and
EFCM Basic Edition management interfaces. The database also
controls CHAP and CT authentication for Fibre Channel ports.
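
The challenge, digest, and compare steps of the CHAP exchange described above, as an added Python example that is not taken from the manual or from McDATA firmware. It assumes the RFC 1994 CHAP convention (MD5 over ID, secret, challenge, in that order) and a secret already provisioned on both sides; the manual does not name the hash or the field order, and the `Authenticator` class and `demo` function are hypothetical names.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(ID || secret || challenge) (assumed order)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """Fabric-element side: issues challenges and checks responses."""

    def __init__(self, secret: bytes):
        if len(secret) != 16:          # the manual describes a 16-byte secret
            raise ValueError("CHAP secret must be 16 bytes")
        self._secret = secret
        self._next_id = 0
        self._pending = {}             # ident -> challenge awaiting a response

    def issue_challenge(self):
        ident = self._next_id
        self._next_id = (self._next_id + 1) & 0xFF   # ID incremented at each login
        challenge = os.urandom(16)                   # random value, used only once
        self._pending[ident] = challenge
        return ident, challenge

    def verify(self, ident: int, digest: bytes) -> bool:
        # pop() makes each challenge single-use, so a captured response
        # is rejected if it is presented a second time.
        challenge = self._pending.pop(ident, None)
        if challenge is None:
            return False
        expected = chap_response(ident, self._secret, challenge)
        return hmac.compare_digest(expected, digest)  # constant-time compare


def demo():
    secret = bytes(range(16))          # constructed sample secret
    fabric = Authenticator(secret)
    ident, challenge = fabric.issue_challenge()
    good = chap_response(ident, secret, challenge)
    results = {"valid": fabric.verify(ident, good),
               "replayed": fabric.verify(ident, good)}
    ident2, challenge2 = fabric.issue_challenge()
    wrong = chap_response(ident2, b"\x00" * 16, challenge2)
    results["wrong_secret"] = fabric.verify(ident2, wrong)
    return results
```

Calling `demo()` returns the outcome of a valid login, a replay of the same response, and a response computed with the wrong secret.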
Physical Planning Considerations