Brocade Communications Systems A7990A - StorageWorks SAN Director 4/16 Blade Switch Administrator's Manual

Brocade Secure Fabric OS Administrator's Guide (53-1000244-01, November 2006)

Secure Fabric OS
Administrator's Guide
Supporting Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, v5.2.0
Publication Number: 53-1000244-01
Publication Date: 09/29/2006

Summary of Contents for Brocade Communications Systems A7990A - StorageWorks SAN Director 4/16 Blade Switch

  • Page 2 Copyright © 2003-2006 Brocade Communications Systems, Incorporated. ALL RIGHTS RESERVED. Brocade, the Brocade B weave logo, Fabric OS, File Lifecycle Manager, MyView, Secure Fabric OS, SilkWorm, and StorageX are registered trademarks and Tapestry is a trademark of Brocade Communications Systems, Inc., in the United States and/or in other countries.
  • Page 3 Brocade Communications Systems, Incorporated. Corporate Headquarters: Brocade Communications Systems, Inc., 1745 Technology Drive, San Jose, CA 95110; Tel: 1-408-333-8000; Fax: 1-408-333-8101; Email: info@brocade.com. Asia-Pacific Headquarters: Brocade Communications Singapore Pte. Ltd., 9 Raffles Place, #59-02 Republic Plaza 1, Singapore 048619; Tel: +65-6538-4700; Fax: +65-6538-0302; Email: apac-info@brocade.com. European and Latin American Headquarters...
  • Page 4: Secure Fabric OS Administrator's Guide

    Document History. The following table lists all versions of the Secure Fabric OS Administrator’s Guide (document title, publication number, summary of changes, publication date):
    Secure Fabric OS User’s Guide v2.6, 53-0000195-02, first release, January 2001.
    Secure Fabric OS User’s Guide v3.1.0/4.1.0, 53-0000526-02, examples, information about new..., April 2003...
  • Page 5: Table Of Contents

    Contents: About This Document; How This Document Is Organized; Supported Hardware and Software.
  • Page 6 Verifying the Digital Certificate; Displaying the Digital Certificate Status; Creating PKI Objects.
  • Page 7 Chapter 4, Managing Secure Fabric OS: Viewing Secure Fabric OS Information; Displaying General Secure Fabric OS Information.
  • Page 9: How This Document Is Organized

    About This Document This document is a procedural guide written to help SAN administrators set up and manage a Brocade Secure Fabric OS SAN. This document is specific to Brocade Secure Fabric OS v5.2.0 and all switches running Fabric OS versions v3.2.x, v4.4.x, v5.0.1, v5.1.0, or v5.2.0. “About This Document”...
  • Page 10: Supported Hardware And Software

    Supported Hardware and Software In those instances in which procedures or parts of procedures documented here apply to some switches but not to others, this guide identifies exactly which switches are supported and which are not. Although many different software and hardware configurations are tested and supported by Brocade Communications Systems, Inc.
  • Page 11: Document Conventions

    Document Conventions This section describes text formatting conventions and important notice formats. Text Formatting: the narrative-text formatting conventions used in this document are as follows. Bold text identifies command names, the names of user-manipulated GUI elements, keywords and operands, and text to enter at the GUI or CLI. Italic text provides emphasis...
  • Page 12: Key Terms

    Key Terms For definitions specific to Brocade and Fibre Channel, see the Brocade Glossary. For definitions of SAN-specific terms, visit the Storage Networking Industry Association online dictionary at http://www.snia.org/education/dictionary. Additional Information This section lists additional Brocade and industry-specific documentation that you might find helpful. Brocade Resources The following related documentation is provided on the Brocade Documentation CD-ROM and on the Brocade Web site, through Brocade Connect.
  • Page 13 SilkWorm 48000 • SilkWorm 48000 Hardware Reference Manual • SilkWorm 48000 QuickStart Guide • FR4-18i Hardware Reference Manual • FC4-16IP Hardware Reference Manual SilkWorm 24000 • SilkWorm 24000 Hardware Reference Manual • SilkWorm 24000 QuickStart Guide SilkWorm 24000/48000 • Port Blade and Filler Panel Replacement Procedure •...
  • Page 14: Other Industry Resources

    • SilkWorm 3900 Motherboard Assembly Replacement Procedure • SilkWorm 3900 Power Supply Replacement Procedure SilkWorm 3250/3850 • SilkWorm 3250/3850 Hardware Reference Manual (for v4.x software) • SilkWorm 3250/3850 QuickStart Guide (for v4.x software) SilkWorm 200E • SilkWorm 200E Hardware Reference Manual (for v5.x software) SilkWorm Multiprotocol Router Model AP7420 •...
  • Page 15: Getting Technical Help

    For information about the Fibre Channel industry, visit the Fibre Channel Industry Association Web site: http://www.fibrechannel.org Getting Technical Help Contact your switch support supplier for hardware, firmware, and software support, including product repairs and part ordering. To expedite your call, have the following information available: General Information •...
  • Page 16: Document Feedback

    World Wide Name (WWN) • SilkWorm 200E, 3014, 3016, 3250, 3600, 3850, 3900, 4100, 4900, 7500 switches and SilkWorm 24000 and 48000 directors: Provide the license ID. Use the licenseIdShow command to display the license ID. • SilkWorm Multiprotocol Router Model AP7420: Provide the switch WWN. Use the switchShow command to display the switch WWN.
  • Page 17: Introducing Secure Fabric OS

    Chapter Introducing Secure Fabric OS Brocade Secure Fabric OS is an optionally licensed product that provides customizable security restrictions through local and remote management channels on a SilkWorm fabric. Secure Fabric OS provides the ability to: • Create policies to customize fabric management access •...
  • Page 18: Management Channel Security

    Management Channel Security Secure Fabric OS can be used to provide policy-based access control of local and remote management channels, including Fabric Manager, Web Tools, standard SNMP applications, and management server. Access through a channel can be restricted by customizing the Secure Fabric OS policy for that channel. Secure Fabric OS policies are available for telnet (includes sectelnet and SSH), SNMP, management server, HTTP, and API.
  • Page 19: Switch-To-Switch Authentication

    sectelnet The sectelnet client is a secure form of telnet that encrypts passwords only; the rest of the session (commands and their output) is sent in the clear, so it protects the login credential but not the session contents. It is available from your switch supplier. Fabric OS v4.4.0, v5.0.1, v5.1.0, and v5.2.0 include the sectelnet server; the sectelnet client must be installed on the workstation computer. The sectelnet client can be used as soon as a digital certificate is installed on the switch.
  • Page 20: Using DH-CHAP

    Using DH-CHAP Secure Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 use Diffie-Hellman with Challenge- Handshake Authentication Protocol (DH-CHAP) shared secrets to provide switch-to-switch authentication and prevent the addition of unauthorized switches to the fabric. (DH-CHAP is not available with Fabric OS v2.6.x.) The default is to use FCAP or SLAP (see “Using PKI”).
  • Page 21: Fabric Management Policy Set

    Because the primary FCS switch distributes the zoning configuration, zoning databases do not merge when new switches join the fabric. Instead, the zoning information on the new switches is overwritten when the primary FCS switch downloads zoning to these switches, if secure mode is enabled on all of them.
  • Page 22 Secure Fabric OS supports the following policies: • FCS policy—Use to specify the primary FCS and backup FCS switches. This is the only required policy. • Management access control (MAC) policies—Use to restrict management access to switches. The following specific MAC policies are provided: Read and Write SNMP policies.
  • Page 23: Preparing the Fabric for Secure Fabric OS

    Chapter Preparing the Fabric for Secure Fabric OS Secure Fabric OS is supported by Fabric OS v2.6.2, v3.1.0, v4.1.0 and later; it can be added to fabrics that contain any combination of these versions. This manual applies to v5.2.0 only; it assumes that a compatible version of Fabric OS is already running on all switches in the fabric before Secure Fabric OS is added.
  • Page 24: Verifying Compatible Fabric OS Version

    • Remove user-defined Administrative Domains: Secure mode does not support Administrative Domains, therefore remove all user-defined ADs (AD1-254). • Disable Administrative Domains and assign users to default AD. Set Administrative Domains to disabled and assign all users to the default Administrative Domain of their role. For more information about Administrative Domain assignments, see the Fabric OS Administrator’s Guide.
  • Page 25: Verifying or Activating Secure Fabric OS and Advanced Zoning Licenses

    To identify the current version of Fabric OS: Open a serial or telnet connection to each of the switches in the fabric and log in as admin. Type the version command. For example, entering the version command on a SilkWorm 3900: switch3900:admin>...
  • Page 26: Verifying The Digital Certificate

    If the Secure Fabric OS and Advanced Zoning licenses are already listed, the features are already available and the remaining steps are not required; continue if either license is not listed. Contact the switch supplier to purchase the required license key. After the key is received, type licenseAdd “key”.
  • Page 27: Creating PKI Objects

    The command displays the status of the PKI objects. Note “Root Certificate” is an internal PKI object. “Certificate” is the digital certificate. Displaying PKI objects on Fabric OS v4.x or later:
    switch:admin> pkishow
    Passphrase : Exist
    Private Key : Exist
    : Exist
    Certificate : Exist...
  • Page 28: Removing PKI Objects

    Type the pkiShow command. If the switch is a two-domain SilkWorm 24000, enter this command on both logical switches.
    switch:admin> pkishow
    Passphrase : Exist
    Private Key : Exist
    : Exist
    Certificate : Empty
    Root Certificate: Exist
    The command displays the status of the PKI objects. Repeat for any other switches, as required.
  • Page 29: Obtaining The Digital Certificate File

    Obtaining the Digital Certificate File The switch supplier provides the digital certificates in an XML file that is generated in response to the CSRs. Generally, the digital certificate file is provided by email. To obtain the digital certificate file, contact the switch supplier and provide the following information: •...
  • Page 30 Using the PKICert Utility to Obtain CSR The PKICert utility makes it possible to retrieve certificate signing requests (CSRs) from all the switches in the fabric and save them into a CSR file in XML format. PKICert also allows the user to create license reports, and it provides online help.
  • Page 31 Type the desired method for entering the fabric addresses.
    PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
    Choose a method for providing fabric addresses
      1  Manually enter fabric address
      2  Read addresses from a file (name to be given)
         Return to Main menu
    Enter choice>
    To enter the fabric address manually, type 1 and press Enter.
  • Page 32 To read the fabric addresses from a file Type 2 and press Enter. The utility prompts for the path and file name of the file. The addresses in the file must be IP addresses or switch names, each on a separate line. Type the path and file name of the file that contains the fabric addresses and press Enter.
  • Page 33 The utility prompts for which fabrics to retrieve CSRs from. Type a to retrieve CSRs from all discovered fabrics; or, as shown in the example, type 1 to retrieve CSRs only from the fabric identified earlier; then press Enter. PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 Choose a Fabric On Which to Operate Fabric World Wide Name...
  • Page 34 Select n to input different fabric addresses; or, as shown in the example, select y to continue with the current fabrics.
    PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
    Currently Connected Fabrics
    Fabric  World Wide Name          # Switches  Principal
    ------  -----------------------  ----------  -----------
            10:00:00:60:69:11:f8:f9              sec237
    ________________________________________________________...
  • Page 35: Distributing Digital Certificates To The Switches

    Distributing Digital Certificates to the Switches You can use the PKICert utility to distribute digital certificates to the switches in the fabric. The utility ensures that each digital certificate is installed on the corresponding switch. If you run the utility without any task argument, it defaults to interactive mode, in which it prompts for the required input.
  • Page 36 Type the desired method for entering the fabric addresses.
    PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
    Choose a method for providing fabric addresses
      1  Manually enter fabric address
      2  Read addresses from a file (name to be given)
         Return to Main menu
    Type choice>
    To enter the fabric address manually, type 1 and press Enter.
  • Page 37 To read the fabric addresses from a file Type 2 and press Enter. The utility prompts for the path and file name of the file. The addresses in the file must be IP addresses or switch names, each on a separate line. Type the path and file name of the file that contains the fabric addresses and press Enter.
  • Page 38 The new certificates are loaded onto the switches and the success or failure of each certificate is displayed. Press Enter to continue.
    PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
    Load Certificates onto 1 fabric(s)
    1. Loaded Certificate on Switch primaryfcsswitch: WWN-10:00:00:60:69:11:fc:52
    2. Loaded Certificate on Switch backupfcsswitch: WWN-10:00:00:60:69:11:fc:53
    3. ...
  • Page 39 Creating PKI Certificate Reports Reports for PKI certification provide information about the number of licenses and switches enabled on your secured fabric. The reports can also be used to audit the fabric. To create a PKI report Type 3: PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 FUNCTIONS Retrieve CSRs from switches &...
  • Page 40 Type the username and password; then press Enter to continue.
    Connecting to Fabric(s) ...
    Login to fabric 1. principal switch WWN = 10:00:00:60:69:50:0d:9f
    Username: root
    Password:
    Logged into fabric 1. principal switch WWN = 10:00:00:60:69:50:0d:9f
    Press Enter to continue >
    The utility prompts for information about the report file to be created.
  • Page 41 PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6
    Reporting on Licensed Products of these Fabrics:
    Fabric  World Wide Name          # Switches  Principal
    ------  -----------------------  ----------  -----------
    1>      10:00:00:60:69:50:0d:9f  sec_edge_2 . 2 .
    Wrote 545 bytes of Lic Prod info to file: “SFOS_FAB.xml”
    Success compiling and writing license report.
    Press enter to continue.
  • Page 42 Accessing PKI Certificate Help The purpose of PKI help is to obtain command line information about PKICert and obtain advice on advanced options for advanced users. To access PKI help Select option 4 (as shown in the following example) and follow the screen prompts: PKI CERTIFICATE INSTALLATION UTILITY pki_v1.0.6 FUNCTIONS Retrieve CSRs from switches &...
  • Page 43 Data-file: -d Path/file-name of input or output file.
      * If the task is “Get-CSRs” or “License Rpt”, the file is an output file created and written to with CSR or License report data.
      * If the task is “Install Certificates”, data is read from it.
    Address-file: -a addr-file. “addr-file”...
  • Page 44: Configuring Switch-To-Switch Authentication

    Configuring Switch-to-Switch Authentication By default, Secure Fabric OS on Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 uses the SLAP or FCAP protocol for authentication. These protocols use digital certificates, based on the switch WWN and PKI technology, to authenticate switches. Support for FCAP is provided in Secure Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 and is used when both switches support it.
  • Page 45: Selecting Authentication Protocols

    Selecting Authentication Protocols Use the authUtil command to: • Display the current authentication parameters • Select the authentication protocol used between switches • Select the Diffie-Hellman (DH) group for a switch Authentication is performed only when secure mode is enabled, but you can run the authUtil command either while secure mode is enabled or not.
  • Page 46: Managing Shared Secrets

    Managing Shared Secrets When you configure the switches at both ends of a link to use DH-CHAP for authentication, you must also define a pair of shared secrets—one for each end of the link. Use the secAuthSecret command to: • View the WWN of switches with shared secrets •...
  • Page 47 To set shared secrets, log in to the switch as admin. On a switch running Fabric OS v4.x or v5.x, type secAuthSecret --set; on a switch running Fabric OS v3.x, type secAuthSecret "--set". The command enters interactive mode. The command returns a description of itself and needed input;...
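
The DH-CHAP exchange described under "Using DH-CHAP", using the secret pair that secAuthSecret --set configures, modelled end to end as an added example (this is not Brocade code and not the FC-SP wire format). Each switch holds one local secret and one peer secret per neighbour WWN, which is the pair the command asks for. The message layout, the use of SHA-1, the 1024-bit MODP group taken from RFC 2409 and the switch WWNs are assumptions made for the example. What it demonstrates is that the CHAP response is bound to a fresh Diffie-Hellman value, and that a switch with no configured secret for its peer, or with the wrong one, fails the link in that direction.

```python
"""DH-CHAP switch-to-switch authentication, modelled in Python.

Added example, not Brocade code. Each switch holds its own "local" secret and
one "peer" secret per authorised neighbour WWN, mirroring what
secAuthSecret --set configures. Message layout and hash composition are a
simplification of FC-SP DH-CHAP, not the exact wire format.
"""
import hashlib
import hmac
import secrets

# 1024-bit MODP group (RFC 2409 group 2); chosen only so the example has a DH
# group. Fabric OS selects the group with authUtil.
DH_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
DH_G = 2
HASH = "sha1"  # FC-SP negotiates MD5 or SHA-1; SHA-1 is assumed here


def _h(*parts: bytes) -> bytes:
    return hashlib.new(HASH, b"".join(parts)).digest()


def _chap_response(tid: int, secret: bytes, challenge: bytes, shared: int) -> bytes:
    # DH-CHAP augments the CHAP challenge with the DH shared value, so a
    # captured response is useless against any other DH exchange.
    augmented = _h(challenge, shared.to_bytes(128, "big"))
    return _h(bytes([tid]), secret, augmented)


class Switch:
    def __init__(self, wwn: str, local_secret: bytes, peer_secrets: dict):
        self.wwn = wwn
        self.local_secret = local_secret          # "local secret" in secAuthSecret
        self.peer_secrets = dict(peer_secrets)    # peer WWN -> "peer secret"

    def respond(self, tid: int, challenge: bytes, shared: int) -> bytes:
        return _chap_response(tid, self.local_secret, challenge, shared)

    def verify(self, peer_wwn: str, tid: int, challenge: bytes, shared: int, response: bytes) -> bool:
        secret = self.peer_secrets.get(peer_wwn)
        if secret is None:          # no secAuthSecret entry: unknown switch, refuse
            return False
        expected = _chap_response(tid, secret, challenge, shared)
        return hmac.compare_digest(expected, response)


def authenticate(initiator: Switch, responder: Switch) -> tuple:
    """Run one mutual DH-CHAP exchange; return (initiator_ok, responder_ok)."""
    tid = 1
    # initiator -> responder: DHCHAP_Challenge carrying C1 and g^x
    x = secrets.randbelow(DH_P - 2) + 1
    c1, gx = secrets.token_bytes(16), pow(DH_G, x, DH_P)
    # responder -> initiator: DHCHAP_Reply carrying R1, its own C2 and g^y
    y = secrets.randbelow(DH_P - 2) + 1
    c2, gy = secrets.token_bytes(16), pow(DH_G, y, DH_P)
    shared_r = pow(gx, y, DH_P)
    r1 = responder.respond(tid, c1, shared_r)
    # initiator checks R1 against the peer secret it holds for the responder
    shared_i = pow(gy, x, DH_P)
    initiator_ok = initiator.verify(responder.wwn, tid, c1, shared_i, r1)
    # initiator -> responder: R2 answering C2, checked with the responder's peer secret
    r2 = initiator.respond(tid, c2, shared_i)
    responder_ok = responder.verify(initiator.wwn, tid, c2, shared_r, r2)
    return initiator_ok, responder_ok


def demo_switches() -> tuple:
    """Two correctly paired switches and a rogue with no configured secrets (constructed data)."""
    a = Switch("10:00:00:60:69:30:15:5c", b"secret-of-A", {"10:00:00:60:69:30:15:5d": b"secret-of-B"})
    b = Switch("10:00:00:60:69:30:15:5d", b"secret-of-B", {"10:00:00:60:69:30:15:5c": b"secret-of-A"})
    rogue = Switch("10:00:00:60:69:30:15:ff", b"whatever", {})
    return a, b, rogue


if __name__ == "__main__":
    a, b, rogue = demo_switches()
    print("a <-> b    ", authenticate(a, b))      # (True, True)
    print("a <-> rogue", authenticate(a, rogue))  # (False, False)
```

Running it prints (True, True) for the paired switches and (False, False) for the rogue. A wrong local secret on one end comes out as (False, True): the other side still authenticates, which is why the manual has you define both halves of the pair on every link rather than relying on one direction.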
  • Page 48: Preparing SilkWorm 24000 for Secure Fabric OS

    Preparing SilkWorm 24000 for Secure Fabric OS The two logical switches in a SilkWorm 24000 (configured as two domains) director require a slightly different procedure from other Fabric OS switches. This procedure applies whether the director is shipped with or upgraded to Fabric OS v4.4.0, v5.0.1, v5.1.0, or v5.2.0. Caution Placing the two switches from the same director in separate fabrics is not supported if secure mode is enabled on one or both switches.
  • Page 49 If the logical switches are in separate fabrics, synchronize the fabrics by connecting them to a common external network time protocol (NTP) server. Note If the fabric contains any switches running Fabric OS v4.4.0, v5.0.1, v5.1.0, or v5.2.0 the server must support a full NTP client. For switches running Fabric OS v3.2.0, the server can be SNTP or NTP.
  • Page 50: Installing a Supported CLI Client on a Workstation

    Installing a Supported CLI Client on a Workstation Standard telnet sessions work only until secure mode is enabled. The following telnet clients are supported after secure mode has been enabled: • sectelnet sectelnet is a secure form of telnet that is available for switches running Fabric OS v3.2.0, v4.4.0, v5.0.1, v5.1.0, or v5.2.0.
  • Page 51: Prerequisites To Enabling Secure Mode

    Chapter Enabling Secure Fabric OS and Creating Policies Secure Fabric OS policies make it possible to customize access to the fabric. The FCS policy is the only required policy; all other policies are optional. This chapter includes the following sections: •...
  • Page 52: Default Fabric And Switch Accessibility

    Default Fabric and Switch Accessibility Following is the default fabric and switch access when secure mode is enabled but no additional Secure Fabric OS policies have been created: • Switches: Only the primary FCS switch can be used to make Secure Fabric OS changes. Any SilkWorm switch can join the fabric, provided it is connected to the fabric, a SilkWorm 2000-series switch or later, and meets the minimum Secure Fabric OS requirements (such as Secure Fabric OS and Advanced Zoning licenses and digital certificates).
  • Page 53 The secModeEnable command performs the following actions: • Creates and activates the FCS policy. • Distributes the policy set (initially consisting of only the FCS policy) to all switches in the fabric. • Activates and distributes the local zoning configurations. •...
  • Page 54 The following restrictions apply when secure mode is enabled: • Standard telnet cannot be used after secure mode is enabled; however, sectelnet can be used as soon as a digital certificate is installed on the switch. SSH can be used at any time; however, telnet sessions opened prior to issuing secModeEnable remain open if secure mode is enabled using the option to preserve passwords. Close any such pre-existing telnet sessions explicitly, since the restriction does not terminate them for you.
  • Page 55 Ensure that any zoning configuration downloads have completed on all switches in the fabric. For information specific to zoning, see the Advanced Zoning User’s Guide for Fabric OS v2.6.x and v3.2.x, the Fabric OS Procedures Guide for Fabric OS v4.4.x, or the Fabric OS Administrator’s Guide for Fabric OS v5.0.1, v5.1.0, or v5.2.0.
  • Page 56 To enable secure mode using --quickmode:
    switch:admin> secmodeenable --quickmode
    Your use of the certificate-based security features of the software installed on this equipment is subject to the End User License Agreement provided with the equipment and the Certification Practices Statement, which you may review at http://www.switchkeyactivation.com/cps.
  • Page 57 Skip this step if you used the --quickmode or --currentpwd options; otherwise, type the following passwords at the prompts, using passwords that are different from the default values and contain between 8 and 40 alphanumeric characters: • Root password for the FCS switch •...
  • Page 58: Modifying the FCS Policy

    Modifying the FCS Policy Only one FCS policy can exist, and it cannot be empty or deleted if secure mode is enabled. The FCS policy is named FCS_POLICY. Changes made to the FCS policy are saved to permanent memory only after the changes have been saved or activated;...
  • Page 59: Changing the Position of a Switch Within the FCS Policy

    Changing the Position of a Switch Within the FCS Policy Use the secPolicyFCSMove command to change the order in which switches are listed in the FCS policy. The list order determines which backup FCS switch becomes the primary FCS switch if the current primary FCS switch fails.
  • Page 60: Failing Over the Primary FCS Switch

    Failing Over the Primary FCS Switch The secFCSFailover command is used to fail over the role of the primary FCS switch to the backup FCS switch from which the command is entered. This can be used to recover from events such as a lost Ethernet connection to the primary FCS switch.
  • Page 61: Creating Secure Fabric OS Policies Other Than the FCS Policy

    For example, type secFCSFailover from the backup FCS switch “fcsswitchc” and then type secPolicyShow:
    fcsswitchc:admin> secfcsfailover
    This switch is about to become the primary FCS switch.
    All transactions of the current Primary FCS switch will be aborted.
    ARE YOU SURE (yes, y, no, n): [no] y
    WARNING!!! The FCS policy of Active and Defined Policy sets have been changed.
  • Page 62: Creating a MAC Policy

    Specify policy members by IP address, device port WWN, switch WWN, domain IDs, or switch names, depending on the policy. The valid methods for specifying policy members are listed in Table 3-2. Table 3-2 Valid Methods for Specifying Policy Members Policy Name IP address Device Switch...
  • Page 63 The individual MAC policies and how to create them are described in the following sections. By default, all MAC access is allowed; no MAC policies exist until they are created. Note An empty MAC policy blocks all access through that management channel. When creating policies, ensure that all desired members are added to each policy.
  • Page 64 Table 3-3 Read and Write Behaviors of SNMP Policies (Continued). Columns: RSNMP Policy, WSNMP Policy, Read Result, Write Result.
    RSNMP policy empty; host B in WSNMP policy: only B can read; only B can write.
    Host A in RSNMP policy; WSNMP policy nonexistent: this combination is not supported. If the WSNMP policy is not defined, the RSNMP policy cannot be created.
  • Page 65: HTTP Policy

    Note Static host IP addresses are required to implement the Telnet policy effectively. Do not use DHCP for hosts that are in the TELNET_POLICY, because as soon as the IP addresses change, the hosts will no longer be able to access the fabric. Restricting output (such as placing a session on “hold” by use of a command or keyboard shortcut) is not recommended.
  • Page 66 Table 3-5 displays the possible HTTP policy states. Table 3-5 HTTP Policy States (policy state: characteristics).
    No policy: all hosts can establish an HTTP/HTTPS connection to any switch in the fabric.
    Policy with no entries: no host can establish an HTTP/HTTPS connection to any switch in the fabric.
  • Page 67 API Policy The API policy can be used to specify which workstations can use API to access the fabric and which ones can write to the primary FCS switch. The policy is named API_POLICY and contains a list of the IP addresses that are allowed to establish an API connection to switches in the fabric.
  • Page 68: Management Server Policy

    Note Only Fabric OS v2.6.2 supports the SES policy. Table 3-7 displays the possible SES policy states. Table 3-7 SES Policy States (policy state: characteristics).
    No policy: all device ports can access SES.
    Policy with no entries: no device port can access SES.
    Policy with entries: the specified devices can access SES.
  • Page 69 To create a Management Server policy From a sectelnet or SSH session, log in to the primary FCS switch as admin. Type secPolicyCreate “MS_POLICY”, “member;...;member”. member is a device WWN. To save or activate the new policy, enter either secPolicySave or secPolicyActivate. If neither of these commands is entered, the changes are lost when the session is logged out.
  • Page 70: Creating An Options Policy

    Front Panel Policy The Front Panel policy can be used to restrict which switches can be accessed through the front panel. This policy only applies to SilkWorm 2800 switches, since no other switches contain front panels. The policy is named FRONTPANEL_POLICY and contains a list of switch WWNs, domain IDs, or switch names for which front panel access is enabled.
  • Page 71: Creating a DCC Policy

    Table 3-11 Options Policy States (policy state: characteristics).
    No policy: node WWNs can be used for WWN-based zoning.
    Policy with no entries: node WWNs can be used for WWN-based zoning.
    Policy with entries: node WWNs cannot be used for WWN-based zoning.
    To create an Options policy: Log in to the primary FCS switch as admin from a sectelnet or SSH session.
  • Page 72 DCC policies must follow the naming convention “DCC_POLICY_nnn,” where nnn represents a unique string. To save memory and improve performance, one DCC policy per switch or group of switches is recommended. Device ports must be specified by port WWN. Switch ports can be identified by the switch WWN, domain ID, or switch name followed by the port or area number.
  • Page 73 To create a DCC policy From a sectelnet or SSH session, log in to the primary FCS switch as admin. Type secPolicyCreate “DCC_POLICY_nnn”, “member;...;member”. DCC_POLICY_nnn is the name of the DCC policy to be created; nnn is a string consisting of up to 19 alphanumeric or underscore characters to differentiate it from any other DCC policies.
  • Page 74: Creating an SCC Policy

    To create a DCC policy “DCC_POLICY_example” that includes devices 44:55:66:77:22:33:44:dd and 33:44:55:66:77:11:22:cc, ports 1 through 4 of switch domain 4, and all devices currently connected to ports 1 through 4 of switch domain 4:
    primaryfcs:admin> secpolicycreate “DCC_POLICY_example”, “44:55:66:77:22:33:44:dd;33:44:55:66:77:11:22:cc;4[1-4]”
    DCC_POLICY_xxx has been created
    Creating an SCC Policy Note Fabric OS v5.2.0 supports local SCC policies;...
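
A parser for the DCC member string handed to secPolicyCreate (and later to secPolicyAdd), added here as an example; it is not Brocade code. It accepts the forms the manual shows: device port WWNs, and switch ports written as switch[ports] or switch(ports) with comma lists and ranges, where the switch part may be a WWN, domain ID or switch name and is therefore kept as a string. Two points are assumptions of this code rather than statements from the manual: the reading that square brackets also add the devices currently attached to those ports while parentheses list the ports alone, which follows the worked examples 4[1-4] and 3(1,3) in this guide, and the use of the 19-character limit on the name suffix as a hard validation rule.

```python
"""Parser and validator for Secure Fabric OS DCC policy member strings.

Added example, not Brocade code. Implements the member syntax shown in the
manual's secPolicyCreate / secPolicyAdd examples. The "[ ] adds attached
devices, ( ) lists ports only" distinction is inferred from the manual's two
examples (4[1-4] and 3(1,3)) and is an assumption of this code.
"""
import re

WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)
NAME_RE = re.compile(r"^DCC_POLICY_[A-Za-z0-9_]{1,19}$")
# <switch><[ or (><ports><] or )> ; the switch part may itself contain colons (a WWN)
PORT_SPEC_RE = re.compile(r"^(?P<switch>.+?)(?P<open>[\[(])(?P<ports>[^\])]*)(?P<close>[\])])$")


def expand_ports(spec: str) -> list:
    """'1-4,7' -> [1, 2, 3, 4, 7]; rejects empty items and reversed ranges."""
    ports = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError(f"empty port item in {spec!r}")
        lo, _, hi = item.partition("-")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if hi_i < lo_i:
            raise ValueError(f"reversed range {item!r}")
        ports.extend(range(lo_i, hi_i + 1))
    return ports


def parse_member(member: str) -> dict:
    """Classify one ';'-separated member as a device WWN or a switch-port spec."""
    member = member.strip()
    if WWN_RE.match(member):
        return {"kind": "device", "wwn": member.lower()}
    m = PORT_SPEC_RE.match(member)
    if not m or (m["open"], m["close"]) not in (("[", "]"), ("(", ")")):
        raise ValueError(f"unrecognised DCC member {member!r}")
    return {
        "kind": "switch_ports",
        "switch": m["switch"],                  # WWN, domain ID or switch name
        "ports": expand_ports(m["ports"]),
        "include_attached": m["open"] == "[",   # assumption: [ ] also binds attached devices
    }


def parse_dcc_policy(name: str, members: str) -> dict:
    """Validate the policy name and expand the member list into devices and
    (switch, port, include_attached) triples."""
    if not NAME_RE.match(name):
        raise ValueError("name must be DCC_POLICY_ followed by 1-19 alphanumeric/underscore characters")
    devices, switch_ports = set(), []
    for raw in members.split(";"):
        entry = parse_member(raw)
        if entry["kind"] == "device":
            devices.add(entry["wwn"])
        else:
            switch_ports.extend(
                (entry["switch"], port, entry["include_attached"]) for port in entry["ports"]
            )
    return {"name": name, "devices": devices, "switch_ports": switch_ports}


if __name__ == "__main__":
    # The manual's own example, parsed
    policy = parse_dcc_policy(
        "DCC_POLICY_example",
        "44:55:66:77:22:33:44:dd;33:44:55:66:77:11:22:cc;4[1-4]",
    )
    print(policy)
```

Parsing the member string before sending it is worth the few lines because the command accepts the string as a whole: a mistyped WWN or an unbalanced bracket is easier to catch here than by reading the policy back with secPolicyShow.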
  • Page 75: Managing Secure Fabric OS Policies

    Table 3-13 SCC Policy States (policy state: SCC policy enforcement).
    No policy specified: all switches may join the fabric.
    Policy specified, but with no members: the SCC policy includes all FCS switches. All non-FCS switches are excluded. Only FCS switches may join the fabric.
    Policy specified, with members: the SCC policy contains all FCS switches and any switches specified in members...
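
The three policy states that the tables in this chapter keep distinguishing (no policy, a policy with no entries, a policy with entries), together with the two special cases (a host allowed to write by WSNMP can also read, and FCS switches are implicit SCC members), as an added example of the evaluation logic; this is not Brocade code. It represents a non-existent policy as None and an existing one as a set of members, so that the dangerous difference between "absent" and "empty" is visible in the data, and it ends with a small audit that lists existing empty policies, which the manual warns close their channel completely.

```python
"""Secure Fabric OS policy-state evaluation (added example, not Brocade code).

A policy is None when it does not exist and a set of members otherwise; an
empty set is an existing policy with no entries, which is the state that
blocks everything on its channel.
"""
from typing import Optional, Set, Tuple

Policy = Optional[Set[str]]   # None = no policy; set() = policy with no entries


def mac_allowed(policy: Policy, host: str) -> bool:
    """HTTP/TELNET/API-style MAC policies keyed by host IP address."""
    if policy is None:
        return True            # no policy: every host
    return host in policy      # empty set: no host at all


def snmp_access(rsnmp: Policy, wsnmp: Policy, host: str) -> Tuple[bool, bool]:
    """(can_read, can_write) under the RSNMP/WSNMP pair.

    Encodes the Table 3-3 rows on this page: a write-capable host can also
    read, and an RSNMP policy without a WSNMP policy is not supported.
    """
    if rsnmp is not None and wsnmp is None:
        raise ValueError("RSNMP policy cannot be created while no WSNMP policy exists")
    can_write = mac_allowed(wsnmp, host)
    can_read = can_write or mac_allowed(rsnmp, host)
    return can_read, can_write


def scc_allows_join(scc: Policy, switch_wwn: str, fcs_wwns: Set[str]) -> bool:
    """SCC policy (Table 3-13): FCS switches are always implicit members."""
    if scc is None:
        return True
    return switch_wwn in fcs_wwns or switch_wwn in scc


def lockout_risks(policies: dict) -> list:
    """Names of policies that exist but have no members.

    For MAC policies this shuts the channel for every host; for SCC it
    excludes every non-FCS switch. Either way it is usually a mistake made
    while building a policy one member at a time.
    """
    return sorted(name for name, members in policies.items()
                  if members is not None and len(members) == 0)


def demo_fabric() -> dict:
    """A constructed policy set: HTTP locked down by accident, telnet restricted, API untouched."""
    return {
        "HTTP_POLICY": set(),
        "TELNET_POLICY": {"192.155.52.0"},
        "API_POLICY": None,
        "WSNMP_POLICY": {"192.155.53.1"},
        "RSNMP_POLICY": set(),
    }


if __name__ == "__main__":
    fabric = demo_fabric()
    print("empty policies:", lockout_risks(fabric))            # ['HTTP_POLICY', 'RSNMP_POLICY']
    print("snmp 192.155.53.1:", snmp_access(fabric["RSNMP_POLICY"], fabric["WSNMP_POLICY"], "192.155.53.1"))
```

Running lockout_risks against a freshly created policy set before secPolicyActivate is the check that matters: once an empty HTTP or TELNET policy is activated from the primary FCS switch, the only way back in is a channel whose policy is still absent.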
  • Page 76: Saving Changes to Secure Fabric OS Policies

    • “Activating Changes to Secure Fabric OS Policies” on page 3-27 Simultaneously save and implement all the policy changes made since the last time changes were activated. The activated policies are known as the active policy set. • “Adding a Member to an Existing Policy” on page 3-27 Add one or more members to a policy.
  • Page 77: Activating Changes to Secure Fabric OS Policies

    Activating Changes to Secure Fabric OS Policies Implement changes to the Secure Fabric OS policies using the secPolicyActivate command. This saves the changes to the active policy set and activates all policy changes since the last time the command was issued.
  • Page 78: Removing A Member From A Policy

    To add two devices to the DCC policy, and to attach domain 3 ports 1 and 3 (WWNs of devices are 11:22:33:44:55:66:77:aa and 11:22:33:44:55:66:77:bb):
    primaryfcs:admin> secpolicyadd "DCC_POLICY_abc", "11:22:33:44:55:66:77:aa;11:22:33:44:55:66:77:bb;3(1,3)"
    Removing a Member from a Policy. If all the members are removed from a policy, that policy becomes closed to all access. The last member cannot be removed from the FCS_POLICY, because a primary FCS switch must be designated.
  • Page 79: Aborting All Uncommitted Changes

    Aborting All Uncommitted Changes You can use the secPolicyAbort command to abort all Secure Fabric OS policy changes that have not yet been saved. This function can only be performed from the primary FCS switch. To abort all unsaved changes From a sectelnet or SSH session, log in to the primary FCS switch as admin.
  • Page 81: Viewing Secure Fabric OS Information

    Chapter Managing Secure Fabric OS Secure Fabric OS v2.6.2, v3.2.0, v4.4.0, v5.0.1, v5.1.0, and v5.2.0 can be managed through Fabric Manager and sectelnet. In addition, SSH (Secure Shell) is supported for Fabric OS v4.4.0, v5.0.1, v5.1.0, and v5.2.0. When secure mode is enabled for a fabric, all Secure Fabric OS administrative operations, all zoning commands, and some management server commands must be executed on the primary FCS switch.
  • Page 82: Displaying General Secure Fabric OS Information

    Displaying General Secure Fabric OS Information You can use the secFabricShow command to display general Secure Fabric OS-related information about a fabric. To display general Secure Fabric OS-related information Open a sectelnet or SSH session to the primary FCS switch and log in as admin. Type the secFabricShow command.
  • Page 83: Displaying Individual Secure Fabric OS Policies

    If you do not specify any operands, the command displays all policies in both the active and defined policy sets. For example, to display all policies in both active and defined policy sets:
    primaryfcs:admin> secpolicydump
    ____________________________________________________
    DEFINED POLICY SET
    FCS_POLICY
    Pos Primary WWN                     DId swName
    __________________________________________________
    1   Yes     10:00:00:60:69:30:15:5c 1   primaryfcs...
  • Page 84: Displaying Status Of Secure Mode

    For example, to display all the policies in the defined policy set:
    primaryfcs:admin> secpolicyshow "defined"
    ____________________________________________________
    DEFINED POLICY SET
    FCS_POLICY
    Primary WWN                     DId swName
    __________________________________________________
    10:00:00:60:69:30:15:5c 1   primaryfcs
    HTTP_POLICY
    IpAddr
    __________________________________________________
    192.155.52.0
    192.155.53.1
    192.155.54.2
    192.155.55.3
    192.155.56.4
    ____________________________________________________
    To display the active version of the FCS policy:
    primaryfcs:admin>...
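
A policy edited with secPolicyCreate, secPolicyAdd or secPolicyRemove lives only in the defined set until secPolicySave or secPolicyActivate is run, and is not enforced until activated, so an auditor wants to know whenever the two sets differ. The following parser for secPolicyDump / secPolicyShow output is an added example, not Brocade code. The sample text embedded in it is constructed to follow the layout shown above (a POLICY SET header, each policy name on its own line, a column-header line, an underscore rule, then one member per line); its WWNs and addresses are made up, and real output may carry columns this parser does not use.

```python
"""Parse secPolicyDump / secPolicyShow output and report policies whose
DEFINED copy differs from the ACTIVE copy (added example, not Brocade code).

Members are identified by their WWN column when the policy has one (FCS, SCC,
DCC) and by the first column otherwise (IP-address policies).
"""
import re

POLICY_NAME_RE = re.compile(r"^[A-Z]+_POLICY(?:_\w+)?$")
WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$", re.IGNORECASE)
HEADER_WORDS = {"Pos", "Primary", "WWN", "DId", "swName", "IpAddr"}

# Constructed sample in the layout the manual shows; the defined HTTP policy
# has one more address than the active one, i.e. an unactivated edit.
SAMPLE_DUMP = """\
____________________________________________________
DEFINED POLICY SET
FCS_POLICY
Pos Primary WWN                     DId swName
__________________________________________________
1   Yes     10:00:00:60:69:30:15:5c 1   primaryfcs
2   No      10:00:00:60:69:30:15:5d 2   backupfcs
HTTP_POLICY
IpAddr
__________________________________________________
192.155.52.0
192.155.53.1
____________________________________________________
ACTIVE POLICY SET
FCS_POLICY
Pos Primary WWN                     DId swName
__________________________________________________
1   Yes     10:00:00:60:69:30:15:5c 1   primaryfcs
2   No      10:00:00:60:69:30:15:5d 2   backupfcs
HTTP_POLICY
IpAddr
__________________________________________________
192.155.52.0
____________________________________________________
"""


def _member_key(tokens: list) -> str:
    """Identify a member row by its WWN column when present, else by its first token."""
    for token in tokens:
        if WWN_RE.match(token):
            return token.lower()
    return tokens[0]


def parse_policy_dump(text: str) -> dict:
    """{'DEFINED': {policy: [member, ...]}, 'ACTIVE': {...}}.

    A policy mapped to an empty list is present but has no entries, which is
    not the same as the policy being absent from the set.
    """
    sets, current_set, current_policy = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"_"}:        # blank or underscore rule
            continue
        if line.endswith("POLICY SET"):
            current_set = line.split()[0]          # DEFINED / ACTIVE
            sets[current_set] = {}
            current_policy = None
            continue
        if POLICY_NAME_RE.match(line):
            if current_set is None:
                raise ValueError(f"policy {line} appears before any POLICY SET header")
            current_policy = line
            sets[current_set][line] = []
            continue
        tokens = line.split()
        if current_policy is None or tokens[0] in HEADER_WORDS:
            continue                               # column header line
        sets[current_set][current_policy].append(_member_key(tokens))
    return sets


def pending_changes(sets: dict) -> dict:
    """Policies whose DEFINED and ACTIVE copies differ, as name -> (defined, active).

    Such edits are lost at logout unless saved, and are not enforced until
    secPolicyActivate is run on the primary FCS switch.
    """
    defined, active = sets.get("DEFINED", {}), sets.get("ACTIVE", {})
    diff = {}
    for name in sorted(set(defined) | set(active)):
        if defined.get(name) != active.get(name):
            diff[name] = (defined.get(name), active.get(name))
    return diff


if __name__ == "__main__":
    for name, (d, a) in pending_changes(parse_policy_dump(SAMPLE_DUMP)).items():
        print(f"{name}: defined={d} active={a}")   # HTTP_POLICY differs
```

Feed it the captured output of secPolicyDump from the primary FCS switch; an empty result from pending_changes means the defined and active sets agree, and any listed policy is either unsaved work or an activation that never happened.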
  • Page 85: Displaying and Resetting Secure Fabric OS Statistics

    Displaying and Resetting Secure Fabric OS Statistics Secure Fabric OS provides several statistics regarding attempted policy violations. This includes events such as the following: • A DCC policy exists that defines which devices are authorized to access which switch (port) combinations, and a device that is not listed in the policy tries to access one of the defined switch (port) combinations.
  • Page 86: Displaying Secure Fabric OS Statistics

    Table 4-2 Secure Fabric OS Statistics (Continued)
    Statistic: Definition
    INVALID_CERT (invalid certificates): A received certificate is not properly signed by the root CA of the receiving switch.
    INVALID_SIGN (invalid signatures): A received packet has a bad signature.
    INVALID_TS (invalid timestamps): A received packet has a time stamp that differs from the time of the receiving switch by more than the maximum allowed difference.
  • Page 87: Resetting Secure Fabric OS Statistics

    To display Secure Fabric OS statistics: 1. From a sectelnet or SSH session, log in to the primary FCS switch as admin. 2. Type secStatsShow "name", "list". name is the name of a Secure Fabric OS statistic or the policy that relates to the statistic. The valid statistic names are listed in Table 4-2.
  • Page 88: Managing Passwords

    Managing Passwords. This section provides the following information: • "Modifying Passwords in Secure Mode" on page 4-10 • "Using Temporary Passwords" on page 4-11. When secure mode is enabled, the following conditions apply: • Only enter the passwd command on the primary FCS switch. •...
  • Page 89 Table 4-3 Login Account Behavior with Secure Mode Disabled and Enabled (Continued)
    Account Role: admin
    Secure Mode Disabled: Available on all switches. Password is specific to each ...
    Secure Mode Enabled: Available on all switches. Can create temporary passwords. Can use to modify admin and user passwords.
  • Page 90: Modifying Passwords In Secure Mode

    Modifying Passwords in Secure Mode. Use the passwd command to modify the fabric-wide user password and the passwords for the FCS switches. Use the secNonFCSPasswd command to modify the admin password for non-FCS switches. Note: If the password is changed for a login account, all open sessions using that account are terminated, including the session from which the passwd command was executed, if applicable.
  • Page 91: Using Temporary Passwords

    Type the new non-FCS admin password at the prompt. The password can be anywhere from 8 to 40 alphanumeric characters in length. This password becomes the admin password for all non-FCS switches in the fabric. Reenter the new non-FCS admin password at the prompt. primaryfcs:admin>...
  • Page 92: Resetting The Version Number And Time Stamp

    Reenter the password exactly as entered the first time. For example, to create a temporary password for the admin account on a switch that has a domain ID of 2:

    primaryfcs:admin> sectemppasswdset 2, "admin"
    Set remote switch admin password: swimming
    Re-enter remote switch admin password: swimming
    Committing configuration..done
    Password successfully set for domain 2 for admin.
  • Page 93: Adding Switches And Merging Fabrics With Secure Mode Enabled

    To reset the time stamp of a fabric to 0: 1. From a sectelnet or SSH session, log in to the primary FCS switch as admin. 2. Type the secVersionReset command. If the fabric contains no FCS switch, you can enter the secVersionReset command on any switch.
  • Page 94 Table 4-4 indicates the results of moving switches in and out of fabrics with secure mode enabled or disabled.
    Table 4-4 Moving Switches Between Fabrics
    Columns: Initial State of Switch | If set up as a standalone ... | If moved into a ... | If moved into a ... | If moved ...
  • Page 95 To merge two or more fabrics that have Secure Fabric OS implemented As a precaution, back up the configuration of each fabric to be merged by entering the configUpload command and completing the prompts. This also backs up the policies if Secure Fabric OS was already in use on the switch (such as on a 2000-series switch running v2.6.x).
  • Page 96 Install a supported CLI client on the computer workstations that you will be using to manage the merged fabric. Supported CLI clients include sectelnet and SSH and are discussed in “Installing a Supported CLI Client on a Workstation” on page 2-28. Enable secure mode on all switches to be merged by entering the secModeEnable command on the primary FCS switches of any fabrics that do not already have secure mode enabled.
  • Page 97: Preventing A LUN Connection

    Preventing a LUN Connection. It might be necessary to prevent someone from connecting a host and mounting a logical unit number (LUN) connection to your secure fabric. Besides hardware-enforced zoning, you need to create Options and DCC policies on each switch in the secure fabric after configuring all of your hosts and storage. This locks down anything that is connected to the secure fabric.
  • Page 98 Table 4-5 Recovery Processes (Continued)
    Symptom: Cannot execute commands from any FCS switch in the fabric.
    Possible Causes: All FCS switches have failed but secure mode is ...
    Recommended Actions: Type the secModeEnable command from the switch that you want to become the new primary FCS switch, and specify the ...
  • Page 100 Table 4-5 Recovery Processes (Continued)
    Symptom: A policy that has been created is not listed by the secPolicyShow command.
    Possible Causes: The new policy was not saved or activated. Incorrect policy name used.
    Recommended Actions: Save or activate the policy changes by entering the secPolicySave or secPolicyActivate command.
  • Page 101 Table 4-5 Recovery Processes (Continued)
    Symptom: One or more switches is segmented from the fabric.
    Possible Causes: SCC_POLICY is excluding the segmented switches.
    Recommended Actions: Use the secPolicyAdd command on the primary FCS switch to add the switches to the SCC_POLICY.
  • Page 102 Table 4-5 Recovery Processes (Continued)
    Symptom: When the SCC policy is created after a fabric segmentation, it ...
    Possible Causes: The segmented FCS switches are still listed in the FCS policy.
    Recommended Actions: Modify the FCS policy to remove segmented FCS switches; then modify or create the SCC policy as required.
  • Page 103: Preparing The Fabric For Removal Of Secure Fabric OS Policies

    Appendix: Removing Secure Fabric OS Capability. You cannot remove Secure Fabric OS capability from a fabric by disabling secure mode and deactivating the Secure Fabric OS license keys on the individual switches. Removing Secure Fabric OS capability is not recommended unless absolutely required. If at all possible, consider disabling only secure mode and leaving the Secure Fabric OS feature available so that secure mode can be reenabled if desired.
  • Page 104: Disabling Secure Mode

    Disabling Secure Mode. Secure mode is enabled and disabled on a fabric-wide basis and can be enabled and disabled as often as desired. However, all Secure Fabric OS policies, including the FCS policy, are deleted each time secure mode is disabled and must be re-created the next time it is enabled. The policies can be backed up using the configUpload and configDownload commands.
  • Page 105: Deactivating The Secure Fabric OS License On Each Switch

    Deactivating the Secure Fabric OS License on Each Switch. Deactivating the Secure Fabric OS license is not required to disable Secure Fabric OS functionality. Note: If the user installs and activates a feature license and then removes the license, the feature is not disabled until the next time the system is rebooted or a switch enable or disable is performed.
  • Page 107: Secure Fabric OS Commands

    Appendix: Secure Fabric OS Commands and Secure Mode Restrictions. Secure Fabric OS commands, zoning commands, and some management server commands must be entered through the primary FCS switch. This appendix includes the following information: • "Secure Fabric OS Commands," next •...
  • Page 108 Table B-1 Secure Fabric OS Commands
    Columns: Command | Role | Description | Secure Mode or Non-Secure Mode? | Which Switches in Secure Mode?
    authUtil | admin / fabricAdmin | Displays current authentication parameters and lets you set the protocol used to authenticate switches. | Both
    pkiCreate | admin | Re-creates the PKI objects on the switch.
  • Page 109 Table B-1 Secure Fabric OS Commands (Continued)
    Columns: Command | Role | Description | Secure Mode or Non-Secure Mode? | Which Switches in Secure Mode?
    secModeShow | admin / fabricAdmin | Displays current mode of Secure Fabric OS. See "Displaying Status of Secure Mode" on page 4-4. | Both
    secNonFCSPasswd | admin / ... | Sets non-FCS admin account password.
  • Page 110 Table B-1 Secure Fabric OS Commands (Continued)
    Columns: Command | Role | Description | Secure Mode or Non-Secure Mode? | Which Switches in Secure Mode?
    secStatsReset | admin / fabricAdmin | Resets Secure Fabric OS statistics to 0. See "Resetting Secure Fabric OS Statistics" on page 4-7. | Both
    secStatsShow | admin / ... | Displays Secure Fabric OS statistics.
  • Page 112: Command Restrictions In Secure Mode

    Command Restrictions in Secure Mode This section provides information about the restrictions that secure mode places on commands. Any commands not listed here can be executed on any switch, whether or not secure mode is enabled. Zoning Commands All zoning commands must be executed on the primary FCS switch, except for the cfgShow command, which can also be executed on the backup FCS switch.
  • Page 113: Miscellaneous Commands

    Table B-2 Zoning Commands (Continued)
    Columns: Command | Primary FCS Switch | Backup FCS Switch | Non-FCS Switch
    Commands: faZoneShow, lsanzoneshow, zone, zoneAdd, zoneCreate, zoneDelete, zoneObjectRename, zoneRemove, zoneShow

    Miscellaneous Commands. Table B-3 lists which miscellaneous commands, including management server and SNMP commands, can be executed on which switches. Commands not listed here (or in the preceding two tables) can be executed on any switch.
  • Page 114 Table B-3 Miscellaneous Commands (Continued)
    Columns: Command | Primary FCS Switch | Backup FCS Switch | Non-FCS Switch
    Commands: msplClearDB, msplMgmtActivate, msplMgmtDeactivate, mstdDisable, mstdDisable "all", mstdEnable, mstdEnable "all", mstdReadConfig, passwd
    tsClockServer | Yes (read only) | Yes (read only)
    tsClockServer <IP address of network time protocol (NTP) server>
    userConfig | No (read only) | No (read only)