HP StorageWorks 4000/6000/8000 - Enterprise Virtual Arrays Reference Manual page 414

SAN design

Authentication policy
By default, Fabric OS uses DHCHAP or FCAP for switch authentication. These protocols use shared
secrets and digital certificates, based on switch WWN and PKI technology. Authentication automatically
defaults to FCAP if both switches are configured for FCAP.
Consider the following when configuring authentication with Fabric OS:
• Fabric OS 5.3.0 (or later) is required for DHCHAP.
• DHCHAP requires the definition of a pair of shared secrets, known as a secret key pair. Each
  switch can share a secret key pair with any other switch or host in the fabric.
• PKI certificates must be installed on both switches to use FCAP.
• DHCHAP and FCAP are not compatible with SLAP, which is the only protocol supported in Fabric
  OS 3.1 and 4.2.
• Fabric OS 5.3.0 switch-to-switch authentication is backward compatible with 3.2, 4.2, 4.4, 5.0,
  5.1, and 5.2.
• In the default configuration, FCAP authentication is tried first, then DHCHAP authentication. Each
  switch can be configured to negotiate one or both types.
• The Authentication policy is designed to accommodate mixed fabric environments that include
  switches running Fabric OS 5.3.0 (and earlier).
• When the Authorization policy is activated, you cannot implement a B-series Secure Fabric OS
  environment.
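The role of the DHCHAP secret key pair can be pictured with a simplified model, added here as an illustration and not taken from the manual or from Fabric OS: each switch proves knowledge of its own secret against a challenge that is bound to a Diffie-Hellman exchange, and the peer checks the proof with its stored copy. The names Switch, digest and mutual_auth, the toy DH group and the hash construction are assumptions; the code does not reproduce the protocol's wire format.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group (assumption): a 127-bit prime keeps the demo readable.
# It is far too small for real use; real DH groups are much larger.
P, G = 2**127 - 1, 3

def digest(*parts: bytes) -> bytes:
    """Hash length-prefixed parts so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()

class Switch:
    def __init__(self, name: str, local_secret: bytes, peer_secret: bytes):
        self.name = name
        self.local_secret = local_secret  # proves this switch to its peer
        self.peer_secret = peer_secret    # what the peer must prove it knows
        self._x = secrets.randbelow(P - 2) + 1  # ephemeral DH private value
        self.public = pow(G, self._x, P)

    def _augment(self, challenge: bytes, peer_public: int) -> bytes:
        # Bind the challenge to the DH exchange with this specific peer.
        shared = pow(peer_public, self._x, P).to_bytes(16, "big")
        return digest(challenge, shared)

    def respond(self, challenge: bytes, peer_public: int) -> bytes:
        return digest(self._augment(challenge, peer_public), self.local_secret)

    def verify(self, challenge: bytes, peer_public: int, response: bytes) -> bool:
        expected = digest(self._augment(challenge, peer_public), self.peer_secret)
        return hmac.compare_digest(expected, response)

def mutual_auth(a: Switch, b: Switch) -> tuple[bool, bool]:
    """Return (a accepts b, b accepts a); the link is trusted only if both hold."""
    c_a, c_b = secrets.token_bytes(16), secrets.token_bytes(16)
    a_accepts_b = a.verify(c_a, b.public, b.respond(c_a, a.public))
    b_accepts_a = b.verify(c_b, a.public, a.respond(c_b, b.public))
    return a_accepts_b, b_accepts_a

if __name__ == "__main__":
    # Constructed secrets: each switch stores its own secret and its peer's.
    sw1 = Switch("sw1", b"constructed-secret-1", b"constructed-secret-2")
    sw2 = Switch("sw2", b"constructed-secret-2", b"constructed-secret-1")
    sw2_typo = Switch("sw2", b"constructed-secret-2", b"constructed-secret-X")
    print(mutual_auth(sw1, sw2))       # both directions succeed
    print(mutual_auth(sw1, sw2_typo))  # sw2 rejects sw1: peer secret mismatch
```

A mismatch in only one of the two stored secrets still breaks the link, which is why both halves of the pair have to be entered consistently on each side.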
E_Port Authentication
The E_Port Authentication policy allows you to configure DHCHAP authentication on the switch. By
default, the policy is set to PASSIVE.
Device Authentication policy
The Device Authentication policy is specific to HBAs. Fabric-wide distribution of the Device
Authentication policy is not supported because:
• You must set the HBA and switch shared secrets manually.
• Most HBAs do not support the defined DH groups used in DHCHAP.
NOTE:
By default, the switches are set to OFF, causing the security bit to be cleared during fabric login.
Zones
For detailed information about B-series switch zoning, see "Zoning guidelines for B-series
switches" on page 128.
B-series IP SAN
B-series IPsec uses cryptographic security to ensure private, secure communications over IP networks.
Consider the following when using IPsec with B-series switches:
• IPsec is disabled by default when creating FCIP tunnels.
• IPsec provides greater security with tunneling on the B-series MP Router Blade or MP Router. IPsec
  does not require that you configure security for each application that uses TCP/IP. When
  configuring IPsec, you must ensure that either an MP Router Blade or MP Router is at each end of
  the FCIP tunnel.
414 Storage security
