Table of Contents
Advertisement
The fabric element transmits a random value (used only once), an
ID value (incremented at each login), and a shared CHAP secret
(16-byte random value) to the server. The server concatenates the
random value, ID value, and CHAP secret, and calculates a one-
way message digest (also called a hash value). The hash value is
transmitted to the authenticator (fabric element). The fabric
element then builds the same concatenated string and compares
the result with the value received from the server. If the values
match, the connection is authenticated.
•
Port DHCHAP authentication - Enhanced security for device
connections and ISLs is provided through Diffie-Hellman
challenge handshake authentication protocol (DHCHAP). A
fabric element uses DHCHAP to authenticate any device (node)
that attempts a node port (N_Port) connection and any director or
switch that attempts an expansion port (E_Port) connection. This
ensures only authorized devices can be added to the fabric.
DHCHAP is an authentication protocol based on transmission of
a one-way hash value (comprised of a sequentially-incremented
ID value and CHAP secret). Because the hash cannot be reversed
to discover the CHAP secret, the protocol provides protection
from discovery through the network.
•
CT authentication - Common transport (CT) authentication
authorizes management server access to fabric elements through
the open-system management server (OSMS) interface. The
feature is software-enforced and allows an attached fabric to
authenticate the OSMS management application. A single shared
secret is configured for each fabric-attached director or switch
(because OSMS is a fabric service that assumes all attached fabric
elements are authenticated). The same secret is used by the
management application.
•
PCP user database - All authentication users are configured in a
product control point (PCP) user database. The database includes
usernames, passwords, and authorized interfaces for
management server and device access. The database controls
password authentication for Enterprise Fabric Connectivity
Manager (EFCM), SANavigator, CLI, and SANpilot management
interfaces. The database also controls CHAP and CT
authentication for Fibre Channel ports.
Physical Planning Considerations
Physical Planning Considerations
5
5-17
Advertisement
Table of Contents
