Overview Of Steps - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual
Hp storageworks fabric os 6.1.1 administrator guide (5697-0235, december 2009)
Hide thumbs
Also See for A7533A - Brocade 4Gb SAN Switch Base:
- Administrator's manual (576 pages) ,
- Hardware reference manual (256 pages) ,
- User manual (248 pages)
Table of Contents
Advertisement
Overview of steps
1.
Optional: Configure RADIUS server
2.
Optional: Configure authentication protocols
3.
For LDAP only: Install SSL certificate on Microsoft Active Directory server and CA certificate on the
switch for using LDAP authentication.
4.
Block Telnet, HTTP, and RPC
5.
Disable BootProm access
6.
Configure the switch for signed firmware
7.
Disable root access
8.
Enable FIPS
To enable FIPS mode:
1.
Log in to the switch using an account assigned the admin or securityAdmin role.
2.
Optional: Select the appropriate method based on your needs:
• If the switch is set for RADIUS, modify each server to use only peap-mschapv2 as the authentication
protocol, issuing the aaaConfig
• If the switch is set for LDAP, see the instructions in
3.
Optional: Set the authentication protocols.
a. Issue the following command to set the hash type for MD5 which is used in authentication protocols
DHCHAP and FCAP:
authutil --set -h sha1
b. Set the DH group to 1 or 2 or 3 or 4, by issuing the command authUtil --set -g <n>, where
the DH group is represented by <n>.
4.
Install the LDAP CA certificate on the switch and Microsoft Active Directory server. See the instructions
"LDAP certificates for FIPS
5.
Block Telnet, HTTP, and RPC by issuing the ipfilter policy command.
You will need to create an IPFilter policy for each protocol.
a. Create an IP filter rule for each protocol, see
b. Add a rule to the IP filter policy. You can use the following modifications to the rule:
ipfilter --addrule <policyname> -rule <rule_number> -sip <source_IP> -dp
<dest_port> -proto <protocol> -act <deny>
where:
•
-sip
•
-dp
•
-proto
c. Activate the IP filter policy, see
d. Save the IP filter policy, see
Example:
ipfilter --createrule http_block_v4 --type ipv4
ipfilter --addrule http_block_v4 -rule 2 -sip any -dp 80 -proto tcp -act deny
ipfilter --activate http_block_v4
ipfilter --save http_block_v4
Issue the following command to block access to the boot PROM:
6.
fipscfg –-disable bootprom
Block boot PROM access before disabling root account.
7.
Enable signed firmware by issuing the configure command and responding to the prompts as
follows:
System services
cfgload attributes
142 Configuring advanced security features
--
mode" on page 140.
option can be given as any
option for the port numbers for Telnet, HTTP, and RPC are 23, 80, and 898 respectively
option should be set to tcp
"Activating an IP Filter
"Saving an IP Filter
change or aaaConfig
"To set up LDAP for FIPS
"Creating an IP Filter
policy" on page 125.
policy" on page 125.
No
Yes
remove command.
--
mode:" on page 139.
policy" on page 124.
Advertisement
Table of Contents
