Connection Security; User Account Security - HP StorageWorks 8/20q Installation And Reference Manual

Fabric security consists of the following:
• Connection
• User account
• Port binding, page 25
• Device security, page 25

Connection security

Connection security provides an encrypted data path for switch management methods. The switch supports
the Secure Shell (SSH) protocol for the command line interface and the Secure Socket Layer (SSL) protocol
for management applications such as QuickTools and SMI-S. Use the CLI to configure SSH and SSL. For
more information about SSH and SSL configuration, see the HP StorageWorks 8/20q Fibre Channel
Switch command line interface guide.
The SSL handshake process between the workstation and the switch involves the exchanging of certificates.
These certificates contain the public and private keys that define the encryption. When the SSL service is
enabled, a certificate is automatically created on the switch. The workstation validates the switch certificate
by comparing the workstation date and time to the switch certificate creation date and time. For this
reason, it is important to synchronize the workstation and switch with the same date, time, and time zone.
The switch certificate is valid 24 hours before its creation date and 365 days after its creation date. If the
certificate should become invalid, create a new certificate using the create certificate CLI
command. For information about the create certificate CLI command, see the HP StorageWorks
8/20q Fibre Channel Switch command line interface guide.
NOTE: Simple SAN Connection Manager version 1.0 does not support the SSL service. If SSL is enabled,
you will be unable to manage the switch using this version of Simple SAN Connection Manager.
Consider your requirements for connection security: for the command line interface (SSH), management
applications (SSL), or both. If an SSL connection security is required, also consider using the Network Time
Protocol (NTP) to synchronize workstations and switches.

User account security

User account security consists of the administration of account names, passwords, expiration date, and
authority level. If an account has Admin authority, all management tasks can be performed by that account
in the CLI, QuickTools, and Simple SAN Connection Manager. Otherwise only monitoring tasks are
available. The default account name, Admin, is the only account that can create or add account names
and change passwords of other accounts. All users can change their own passwords. Account names and
passwords are always required when connecting to a switch.
Authentication of the user account and password can be performed locally using the switch's user account
database or it can be done remotely using a RADIUS server such as Microsoft RADIUS. Authenticating user
logins on a RADIUS server requires a secure management connection to the switch. For information about
securing the management connection, see
be used to authenticate devices and other switches as described in
Consider your management needs and determine the number of user accounts, their authority needs, and
expiration dates. Also consider the advantages of centralizing user administration and authentication on a
RADIUS server. Use the CLI to configure RADIUS servers. For more informaton about RADIUS server
configuration, see the HP StorageWorks 8/20q Fibre Channel Switch command line interface guide.
NOTE: If the same user account exists on a switch and its RADIUS server, that user can login with either
password, but the authority and account expiration will always come from the switch database.
24
security, page 24
security, page 24
"Connection security" on page 24. A RADIUS server can also
"Device security" on page 25.