Secure Sockets Layer Protocol; Browser And Java Support; Ssl Configuration Overview; Ssl Certificate Files - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

Secure Sockets Layer protocol

Secure sockets layer (SSL) protocol provides secure access to a fabric through Web-based management
tools like Web Tools. SSL support is a standard Fabric OS feature.
Switches configured for SSL grant access to management tools through hypertext transfer protocol over SSL
links (which begin with https://) instead of standard links (which begin with http://).
SSL uses public key infrastructure (PKI) encryption to protect data transferred over SSL connections. PKI is
based on digital certificates obtained from an Internet Certificate Authority (CA) that acts as the trusted key
agent.
Certificates are based on the switch IP address or fully qualified domain name (FQDN), depending on the
issuing CA. If you change a switch IP address or FQDN after activating an associated certificate, you may
have to obtain and install a new certificate. Check with the CA to verify that this possibility, and plan these
types of changes accordingly.

Browser and Java support

Fabric OS supports the following Web browsers for SSL connections:
• Internet Explorer 7.0 (Microsoft Windows)
Mozilla Firefox 2.0 (Solaris and Red Hat Linux)
•
In countries that allow the use of 128-bit encryption, you should use the latest version of your browser. For
example, Internet Explorer 7.0 and later supports 128-bit encryption by default. You can display the
encryption support (called "cipher strength") using the Internet Explorer Help:About menu option. If you are
running an earlier version of Internet Explorer, you may be able to download an encryption patch from the
Microsoft Web site at http://www.microsoft.com.
You should upgrade to the Java 1.6.0 Plug-in on your management workstation. To find the Java version
that is currently running, open the Java console and look at the first line of the window.
For more details on levels of browser and Java support, see the Web Tools Administrator's Guide.

SSL configuration overview

To configure for SSL, obtain, install, and activate digital certificates for SSL support. Certificates are
required on all switches that are to be accessed through SSL.
Also, you must install a certificate in the Java Plug-in on the management workstation, and you may need
to add a certificate to your Web browser.
Configuring for SSL involves these main steps, which are shown in detail in the next sections.
1. Choose a certificate authority (CA).
2. Generate the following items on each switch:
a. A public and private key by using the secCertUtil genkey command.
b. A certificate signing request (CSR) by using the secCertUtil gencsr command.
3. Store the CSR on a file server by using the secCertUtil export command.
4. Obtain the certificates from the CA.
You can request a certificate from a CA through a Web browser. After you request a certificate, the CA
either sends certificate files by e-mail (public) or gives access to them on a remote host (private).
Typically, the CA provides the certificate files listed in
Table 19

SSL certificate files

Certificate file
name.crt
nameRoot.crt
nameCA.crt
108 Configuring standard security features
Description
The switch certificate.
The root certificate. Typically, this certificate is already installed in the
browser, but if not, you must install it.
The CA certificate. It must be installed in the browser to verify that the
validity of the server certificate or server validation fails.
Table 19.