Summary of Contents for HP StorageWorks MSA 2/8 - SAN Switch
HP StorageWorks Secure Fabric OS Version 1.0 User Guide. Product Version: 1.0. First Edition (June 2003). Part Number: AA–RU57A–TE. This user guide outlines how to set up the Secure Fabric OS feature in an existing Storage Area Network (SAN). Topics discussed include activating the Secure Fabric OS license and creating Secure Fabric policies.
About this Guide
This user guide provides information to help you:
- Create policies to customize fabric management access.
- Specify specific switches and devices.
- Manage the fabric-wide Secure Fabric OS parameters through a single switch.
- Enable and disable Secure Fabric OS as desired.
Overview
This section covers the following topics: Intended Audience; Related Documentation.
Intended Audience: This book is intended for use by System Administrators who are experienced with the following: HP StorageWorks Fibre Channel SAN Switches; HP StorageWorks Fabric OS v3.1.x or later.
Related Documentation: For a list of related documents included with this product, see the “Related Documents”...
Conventions
Conventions consist of the following: Document Conventions; Text Symbols.
Document Conventions: The document conventions included in Table 1 apply in most cases.
Table 1: Document Conventions (Element: Convention)
- Cross-reference links: Blue text (Figure 1)
- Key and field names, menu items, buttons, and dialog box titles: Bold
- Italics...
Note: Text set off in this manner presents commentary, sidelights, or interesting points of information.
Getting Help
If you still have a question after reading this guide, contact an HP authorized service provider or access our website: http://www.hp.com.
HP Technical Support: Telephone numbers for worldwide technical support are listed on the following HP website: http://www.hp.com/support/.
Introducing Secure Fabric OS
Secure Fabric OS is an optionally licensed product that provides customizable security restrictions through local and remote management channels on an HP StorageWorks fabric. Secure Fabric OS allows the administrator to:
- Create policies to customize fabric management access and to specify which switches and devices can join the fabric
- View statistics related to attempted policy violations
- Manage the fabric-wide Secure Fabric OS parameters through a single switch...
Security of Management Channels
You can use Secure Fabric OS to increase the security of the local and remote management channels, including Fabric Manager, Web Tools, standard SNMP applications, Management Server, and a supported command line interface (CLI) client such as sectelnet.
Note: The first time an SSH client is launched, a message displays indicating that the server’s host key is not cached in the registry. For more information about SSH, refer to the HP StorageWorks Fabric Operating System Procedures Version 3.1.x/4.1.x User Guide.
Switch-to-Switch Authentication Using PKI
Secure Fabric OS uses digital certificates based on PKI and switch World Wide Names (WWNs) to identify the authorized switches and prevent the addition of unauthorized switches to the fabric. A PKI Certificate Installation utility (PKICERT) is provided for generating Certificate Signing Requests (CSRs) and installing digital certificates on switches.
Fabric Configuration Server Switches
Fabric Configuration Server (FCS) switches are one or more switches that you specify as trusted switches (switches that are in a physically secure area) for use in managing Secure Fabric OS. These switches should be both electronically and physically secure.
switch available. You can designate a single Primary FCS switch and as many Backup FCS switches as desired; however, all FCS switches should be physically secure. Any switches not listed in the FCS policy are defined as Non-FCS switches. Root and Factory accounts are disabled on Non-FCS switches.
Fabric Management Policy Set
Secure Fabric OS supports the creation of a number of specific policies that you can use to customize specific aspects of the fabric. Each supported policy is recognized by a specific name. By default, only the FCS policy exists when Secure Mode is first enabled.
— Management Server policy: Restricts management server access to specified devices.
— Serial Port policy: Restricts serial port access to specified switches.
— Front Panel policy: Restricts front panel access to switches that are physically secure.
Options policy: You can use this policy to specify the types of WWNs that can be used for zoning.
Adding Secure Fabric OS to the Fabric
Secure Fabric OS is supported by Fabric OS v2.6.1, v3.1.x, and v4.1.x, and can be added to fabrics that contain any combination of these versions. The procedure for adding Secure Fabric OS to a switch depends on whether the switch is shipped with one of these versions installed or requires upgrading.
To implement Secure Fabric OS in a fabric, each switch in the fabric must have the following:
- A compatible version of Fabric OS
- An activated Secure Fabric OS security license
- An activated Zoning license (zoning is essential to Secure Fabric OS mechanisms)
- The required PKI objects...
Identifying the Current Version of Fabric OS
Before continuing, identify the version of Fabric OS on each switch in the fabric and determine which switches must be upgraded. To upgrade a switch, see “Upgrading to a Compatible Version of Fabric OS”...
Adding Secure Fabric OS to Switches Shipped with Fabric OS v3.1.x or v4.1.x
This section applies to the following switches:
- StorageWorks SAN Switch 2/8 EL or StorageWorks SAN Switch 2/16 shipped with Fabric OS v3.1.x
- StorageWorks SAN Switch 2/32 shipped with Fabric OS v4.1.x
All switches that are shipped with Fabric OS v3.1.x or v4.1.x installed already have the required PKI objects and a digital certificate.
To log in and change the passwords:
1. Open a CLI connection (serial or telnet) to the switch.
2. Log into the switch as Admin. The default password is password. The firmware prompts you to change all passwords.
3.
Example:
switch:admin> licenseshow
1A1AaAaaaAAAA1a:
    Web license
    Zoning license
    Trunking license
    Security license
switch:admin>
4. If the Secure Fabric OS and Zoning licenses are already listed, the features are already available and you do not need to complete the remaining steps. If either license is not listed, continue with step 5.
Adding Secure Fabric OS to Switches that Require Upgrading
This section applies to the following switches:
- HP StorageWorks switches running Fabric OS v2.6.1
- HP StorageWorks switches running a Fabric OS previous to v3.1.x
- HP StorageWorks switches running a Fabric OS previous to v4.1.x
To set up the Secure Fabric OS on a switch that was shipped without Fabric OS v3.1.x or v4.1.x preinstalled:...
9. Distribute the certificates to the switches, as described in “Distributing Digital Certificates to the Switches” on page 35.
10. Verify that digital certificates are installed on all the switches, as described in “Verifying Installation of the Digital Certificates”...
6. Download the required firmware from the computer to the switch. The download process depends on the type of switch and management interface. Refer to the HP StorageWorks Fabric Operating System Procedures Version 3.1.x/4.1.x User Guide for download instructions specific to the type of switch and management interface.
3. Change all the passwords to secure passwords, using between 8 and 40 alphanumeric characters for each password, with a different password for each account. The new passwords must be different from the default values.
Note: Record the passwords and store them in a secure place.
Using the PKICERT Utility to Obtain the CSR File
The PKICERT utility makes it possible to retrieve CSRs from all the switches in the fabric and save them into a CSR file in XML format.
Note: If this procedure is interrupted by a switch reboot, the CSR file is not generated and the procedure must be repeated.
3. Type 1 to select CSR retrieval and press Enter. The utility prompts for the method of specifying fabric addresses.
Example:
PKI CERTIFICATE INSTALLATION UTILITY 1.0.1
Choose a method for providing fabric addresses
1) Manually enter fabric address
2) Read addresses from a file (name to be given)
q) Quit PKI Certificate installation utility...
Example:
PKI CERTIFICATE INSTALLATION UTILITY 1.0.1
GET CERTIFICATE SIGNING REQUESTS
Enter the Path/file-name of the CSR output file to create.
(Note: an extension of '.xml' will be appended to your name)
===>
5. Type the desired path and filename for the CSR file to be created, then enter y if the address was entered correctly.
8. Press Enter to return to the Functions screen.
Example:
PKI CERTIFICATE INSTALLATION UTILITY 1.0.1
FUNCTIONS
1) Retrieve CSRs from switches & write a CSR file
2) Install Certificates contained in a Certificate file
3) Generate a Licensed-Product/Installed-Certificates report
4) Help using PKI-Cert to get &...
Distributing Digital Certificates to the Switches
You can use the PKICERT utility to distribute the digital certificates to the switches in the fabric. The utility ensures that each digital certificate is installed on the correctly corresponding switch. If the utility is run without any task argument, it defaults to Interactive User mode, in which it prompts for the required input.
Example:
PKI CERTIFICATE INSTALLATION UTILITY 1.0.1
FUNCTIONS
1) Retrieve CSRs from switches & write a CSR file
2) Install Certificates contained in a Certificate file
3) Generate a Licensed-Product/Installed-Certificates report
4) Help using PKI-Cert to get & install certificates
q) Quit PKI Certificate installation utility
Enter choice>...
To read the fabric addresses from a file:
a. Type 2 and press Enter. The utility prompts for the path and filename of the file. The addresses in the file must be IP addresses or switch names, each on a separate line.
b.
Note: Sectelnet can be used as soon as a digital certificate is installed on the switch.
7. Press Enter to return to the Functions screen.
Example:
PKI CERTIFICATE INSTALLATION UTILITY 1.0.1
FUNCTIONS
1) Retrieve CSRs from switches & write a CSR file
2) Install Certificates contained in a Certificate file
3) Generate a Licensed-Product/Installed-Certificates report
4) Help using PKI-Cert to get &...
switch:admin> pkishow
Passphrase       : Exist
Private Key      : Exist
                 : Exist
Certificate      : Exist
Root Certificate : Exist
switch:admin>
Displaying PKI objects on Fabric OS v2.6.1 and v3.1.x:
switch:admin> configshow "pki"
Passphrase       : Exist
Private Key      : Exist
                 : Exist...
2. Enter the pkicreate command. If the switch is a Core Switch 2/64, enter this command on both logical switches. The pkicreate command does not work if Secure Mode is already enabled.
3. Enter the pkishow command. If the switch is a Core Switch 2/64, enter this command on both logical switches.
Adding Secure Fabric OS to a Core Switch 2/64
This procedure applies to all Core Switch 2/64 switches, whether they are shipped with Fabric OS v4.1.x or require upgrading to Fabric OS v4.1.x.
Note: If Secure Fabric OS is utilized on one of the logical switches in a Core Switch 2/64, it must be utilized on the other logical switch if they are in the same fabric, and is...
Example:
switch:admin> version
Kernel:     2.4.2
Fabric OS:  v4.0.2
Made on:    Fri Feb 1 23:02:08 2002
Flash:      Fri Feb 1 18:03:35 2002
BootProm:   4.1.13b
switch:admin>
switch:admin> firmwareshow
Local CP (Slot 5, CP0): Active
    Primary partition:   v4.0.2
    Secondary Partition: v4.0.2
Remote CP (Slot 6, CP1): Standby
    Primary partition:   v4.0.2...
d. Repeat for the other logical switch.
Example:
switch0:admin> tsclockserver "132.163.135.131"
switch:admin> tsclockserver 132.163.135.131
switch0:admin>
switch0:admin> login
login: admin
Password: xxxxxx
switch1:admin> tsclockserver "132.163.135.131"
switch1:admin> tsclockserver 132.163.135.131
switch1:admin>
6. Using the procedure described in “Verifying or Activating the Secure Fabric OS and Zoning Licenses”...
e. Verify that the digital certificates are installed on both logical switches, as described in “Verifying Installation of the Digital Certificates” on page 38. The pkishow command referenced in this procedure must be executed from both logical switches.
Installing a Supported CLI Client on a Computer Workstation
Standard telnet sessions work only until Secure Mode is enabled. Once Secure Mode is enabled, you can use the following telnet clients:
Sectelnet—A secure form of telnet that is supported for switches running Fabric OS v2.6.1, v3.1.x, or v4.1.x.
Creating Secure Fabric OS Policies
You can use the Secure Fabric OS policies to customize access to the fabric. The FCS policy is the only required policy; all other policies are optional. Implementing Secure Fabric OS policies involves the following steps: Determining which trusted switch you want to use to manage Secure Fabric OS.
Default Fabric and Switch Accessibility
Following is the default fabric and switch access when Secure Mode is enabled but no additional Secure Fabric OS policies are customized:
Switches:
— Only the designated switch can be used to make Secure Fabric OS changes.
Enabling Secure Mode
Secure Mode is enabled and disabled on a fabric-wide basis. You can enable and disable Secure Mode as often as desired; however, all Secure Fabric OS policies, including the FCS policy, are deleted each time Secure Mode is disabled, and must be re-created the next time it is enabled.
The following restrictions apply when Secure Mode is enabled:
- Standard telnet cannot be used after Secure Mode is enabled. However, sectelnet can be used as soon as a digital certificate is installed on the switch.
- SSH can be used at any time.
3. Open a sectelnet or SSH connection to the switch that you intend to be the Primary FCS switch. The login prompt displays.
Note: Most Secure Fabric OS commands must be executed on the Primary FCS switch. You can enter the secmodeenable command through a sectelnet or SSH connection only.
Note: Record the passwords and store them in a secure place. Recovering passwords may require significant effort and result in fabric downtime.
For a sample CLI session, see the example provided on the following page. The example enables Secure Mode and specifies three FCS switches, one each by Domain ID, WWN, and switch name, on Fabric OS v3.1.x (v4.1.x may differ slightly), using the command’s interactive mode.
Saving Defined FMPS ... done
Saving Active FMPS ... done
Committing configuration...done.
Secure mode is enabled.
Saving passwd...done.
Rebooting...
primaryfcs:admin>
Modifying the FCS Policy
Only one FCS policy can exist, and it cannot be empty or deleted if Secure Mode is enabled. The FCS policy is named FCS_POLICY. Changes made to the FCS policy are saved to permanent memory only after the changes have been saved or activated, and can be aborted if desired (see “Managing Secure Fabric OS Policies”...
Changing the Position of a Switch Within the FCS Policy
You can change the order in which switches are listed in the FCS policy using the secpolicyfcsmove command. The list order determines which Backup FCS switch becomes the Primary FCS switch if the current Primary FCS switch fails.
Example, moving a Backup FCS switch from position 2 to position 3 in the FCS list using interactive mode:
primaryfcs:admin> secpolicyfcsmove
                         Primary   swName
=================================================
10:00:00:60:69:10:02:18            switch5.
10:00:00:60:69:00:00:5a            switch60.
10:00:00:60:69:00:00:13            switch73.
Please enter position you'd like to move from : (1..3) [1] 2
Please enter position you'd like to move to : (1..3) [1] 3
____________________________________________________
DEFINED POLICY SET...
To fail over the Primary FCS switch:
1. From a sectelnet or SSH session, log in as Admin to the Backup FCS switch that you want to designate as the new Primary FCS switch.
2. Enter the secfcsfailover command. The Backup FCS switch becomes the new Primary FCS switch, and the FCS policy is modified so that the new and previous Primary FCS switches have exchanged places.
Creating Secure Fabric OS Policies Other Than the FCS Policy
The FCS policy is automatically created when Secure Mode is enabled. You can create the other Secure Fabric OS policies after Secure Mode is enabled. The member list of each policy determines the devices or switches to which the policy applies.
Table 3: Valid Methods for Specifying Policy Members (column headings: Policy Name; Device Port; Switch Domain; Switch Names; Address)
Policies listed: FCS_POLICY; MAC Policies: RSNMP_POLICY, WSNMP_POLICY, TELNET_POLICY, HTTP_POLICY, API_POLICY, MS_POLICY, SERIAL_POLICY, FRONTPANEL_POLICY; OPTIONS_POLICY (for information about valid input, see “Creating an Options Policy”...)
Note: Providing fabric access to proxy servers is strongly discouraged. When a proxy server is included in a MAC policy for IP-based management, such as the HTTP_POLICY, all IP packets leaving the proxy server appear to originate from the proxy server.
Table 4: Read and Write Behaviors of SNMP Policies (Continued)
WSNMP Policy: Empty; RSNMP Policy: Non-existent; Read Result / Write Result: This combination is not supported. If the WSNMP policy is not defined the next time the Secure Fabric OS policies are saved or activated, the RSNMP policy fails.
Example: Creating a WSNMP and an RSNMP policy to allow only IP addresses that match 192.168.5.0 read and write access to the fabric:
primaryfcs:admin> secPolicyCreate "WSNMP_POLICY", "192.168.5.0"
WSNMP_POLICY has been created.
primaryfcs:admin>
primaryfcs:admin> secPolicyCreate "RSNMP_POLICY", "192.168.5.0"
RSNMP_POLICY has been created.
Table 5: Telnet Policy States (Policy State: Description)
- No policy: Any host can connect by sectelnet or SSH to the fabric.
- Policy with no entries: No host can connect by sectelnet or SSH to the fabric.
- Policy with entries: Only specified hosts can connect by sectelnet or SSH to the fabric.
HTTP Policy
You can create the HTTP policy to specify which workstations can use HTTP to access the fabric. This is useful for applications that use internet browsers, such as Web Tools. The policy is named HTTP_POLICY and contains a list of IP addresses for devices and workstations that are allowed to establish HTTP connections to the switches in the fabric.
Example, creating an HTTP policy to allow anyone on a network “192.168.5.0/24” to establish an HTTP connection to any switch in the fabric:
primaryfcs:admin> secPolicyCreate "HTTP_POLICY", "192.168.5.0"
HTTP_POLICY has been created.
primaryfcs:admin>
API Policy
The API policy can be used to specify which workstations can use API to access the fabric and to limit write access to the Primary FCS.
3. To save or activate the new policy, enter the secpolicysave or the secpolicyactivate command. If neither of these commands is entered, the changes are lost when you log out. For more information about these commands, see “Saving Changes to Secure Fabric OS Policies”...
To create a Serial Port policy:
1. From a sectelnet or SSH session, log into the Primary FCS switch as Admin.
2. Enter the following:
secpolicycreate policy_name, "member;...;member"
Where: policy_name is SERIAL_POLICY. member is a switch WWN, domain ID, or switch name. If a domain ID or switch name is used to specify a switch, the associated switch must be present in the fabric for the command to succeed.
Table 10: Front Panel Policy States (Policy State: Characteristics)
- No policy: All the switches in the fabric have front panel access enabled.
- Policy with no entries: All the switches in the fabric have front panel access disabled.
Creating an Options Policy
You can create an Options policy to specify whether Node WWNs can be used to add members to zones. The use of node WWNs can introduce ambiguity because the node WWN may also be used for one of the device ports, as may be true with a host bus adapter (HBA).
Example:
primaryfcs:admin> secPolicyCreate "OPTIONS_POLICY", "NoNodeWWNZoning"
OPTIONS_POLICY has been created.
primaryfcs:admin>
Creating a DCC Policy
You can create DCC policies to manage which device ports are allowed to connect to which switch ports. The devices can be initiators, targets, or intermediate devices such as SCSI routers and loop hubs.
Table 12: DCC Policy States (Policy State: Characteristics)
- No policy: Any device can connect to any switch port in the fabric.
- Policy with no entries: Any device can connect to any switch port in the fabric. An empty policy is the same as no policy.
- [*] Selects all ports and all devices attached to those ports.
- [3, 9] Selects ports 3 and 9 and all devices attached to those ports.
- [1-3, 9] Selects ports 1, 2, 3, 9, and all devices attached to those ports.
3.
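The port-list syntax above and the DCC policy states in Table 12 can be modelled offline to check what a planned policy will and will not permit. The following is an added example (not code from the guide or from Fabric OS): it parses the bracketed port specifiers, keeps a constructed list of authorised device-WWN/domain/port entries, and classifies a login attempt the way the guide defines a DCC violation (a device not listed in the policy trying one of the defined switch/port combinations). The "unrestricted" result for ports that appear in no entry is an assumption, since the text shown here does not define that case.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Port specifier syntax from the guide's DCC policy description:
#   [*]       all ports and all devices attached to them
#   [3, 9]    ports 3 and 9
#   [1-3, 9]  ports 1, 2, 3 and 9
_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")
_WWN = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")


def parse_port_spec(spec: str) -> Optional[FrozenSet[int]]:
    """Return None for the "[*]" wildcard, otherwise the set of port numbers
    selected by a bracketed, comma-separated list of numbers and lo-hi ranges.
    Raises ValueError on anything malformed."""
    s = spec.strip()
    if len(s) < 2 or s[0] != "[" or s[-1] != "]":
        raise ValueError(f"port specifier must be enclosed in brackets: {spec!r}")
    body = s[1:-1].strip()
    if body == "*":
        return None
    if not body:
        raise ValueError("empty port specifier")
    ports = set()
    for item in body.split(","):
        item = item.strip()
        m = _ITEM.match(item)
        if m is None:
            raise ValueError(f"bad port item {item!r} in {spec!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if hi < lo:
            raise ValueError(f"descending range {item!r} in {spec!r}")
        ports.update(range(lo, hi + 1))
    return frozenset(ports)


def normalize_wwn(wwn: str) -> str:
    """Lower-case a colon-separated 8-byte WWN (xx:xx:...:xx) and reject anything else."""
    w = wwn.strip().lower()
    if _WWN.match(w) is None:
        raise ValueError(f"not a WWN: {wwn!r}")
    return w


@dataclass(frozen=True)
class DccEntry:
    """One authorised device-port / switch-port combination.
    Constructed model for this example, not the switch's internal representation."""
    device_wwn: str
    domain: int
    ports: Optional[FrozenSet[int]]  # None means every port on that domain

    def covers(self, domain: int, port: int) -> bool:
        return self.domain == domain and (self.ports is None or port in self.ports)


def make_entry(device_wwn: str, domain: int, port_spec: str) -> DccEntry:
    """Build an entry from a device WWN, a switch domain ID and a port specifier."""
    return DccEntry(normalize_wwn(device_wwn), domain, parse_port_spec(port_spec))


def evaluate_connection(policy: List[DccEntry], device_wwn: str,
                        domain: int, port: int) -> str:
    """Classify a device's attempt to log in at switch port (domain, port).
    "allowed":      no policy or an empty policy (Table 12), or the device is
                    listed for this switch port
    "violation":    the switch port is a defined combination and this device is
                    not listed for it (the guide's definition of a DCC violation)
    "unrestricted": the switch port appears in no entry; treating it as outside
                    the policy is an assumption of this example"""
    dev = normalize_wwn(device_wwn)
    if not policy:
        return "allowed"
    if any(e.device_wwn == dev and e.covers(domain, port) for e in policy):
        return "allowed"
    if any(e.covers(domain, port) for e in policy):
        return "violation"
    return "unrestricted"


if __name__ == "__main__":
    # Constructed policy: the two device WWNs from the guide's secPolicyAdd
    # example, attached to Domain 3's ports 1 and 3.
    policy = [make_entry("11:22:33:44:55:66:77:aa", 3, "[1, 3]"),
              make_entry("11:22:33:44:55:66:77:bb", 3, "[1, 3]")]
    for wwn, dom, port in [("11:22:33:44:55:66:77:aa", 3, 1),
                           ("11:22:33:44:55:66:77:cc", 3, 3),
                           ("11:22:33:44:55:66:77:cc", 3, 9)]:
        print(wwn, f"domain {dom} port {port}:", evaluate_connection(policy, wwn, dom, port))
```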
Creating an SCC Policy
You can create an SCC policy to manage which switches can join the fabric. Switches are checked against the policy each time:
- Secure Mode is enabled.
- The fabric is initialized with Secure Mode enabled.
- An E_Port to E_Port connection is made.
3. To save or activate the new policy, enter the secpolicysave or the secpolicyactivate command. If neither of these commands is entered, the changes are lost when you log out. For more information about these commands, see “Saving Changes to Secure Fabric OS Policies”...
Managing Secure Fabric OS Policies
All Secure Fabric OS transactions can be performed through the Primary FCS switch only, except for sectransabort, secfcsfailover, secstatsreset, and secstatsshow. You can create multiple sessions to the Primary FCS switch, from one or more hosts.
Aborting a Secure Fabric OS Transaction, page 81: From any switch in the fabric, abort a Secure Fabric OS-related transaction that has become frozen (such as due to a failed host) and is preventing other Secure Fabric OS transactions.
To activate changes to the Secure Fabric OS policies:
1. From a sectelnet or SSH session, log into the Primary FCS switch as Admin.
2. Enter the secpolicyactivate command.
Example:
primaryfcs:admin> secPolicyActivate
About to overwrite the current Active data.
ARE YOU SURE (yes, y, no, n): [no] y
Committing configuration...done.
Adding an SNMP manager to WSNMP_POLICY:
primaryfcs:admin> secPolicyAdd "WSNMP_POLICY", "192.168.5.21"
Member(s) have been added to WSNMP_POLICY.
primaryfcs:admin>
Adding 2 devices to the DCC policy, to attach Domain 3’s ports 1 and 3 (WWNs of devices are 11:22:33:44:55:66:77:aa and 11:22:33:44:55:66:77:bb):
primaryfcs:admin>...
Deleting a Policy
If you delete a Secure Fabric OS policy, that aspect of the fabric becomes open to all access.
To delete a Secure Fabric OS policy:
1. From a sectelnet or SSH session, log into the Primary FCS switch as Admin.
2.
Example:
primaryfcs:admin> secPolicyAbort
Unsaved data has been aborted.
primaryfcs:admin>
Aborting a Secure Fabric OS Transaction
You can use the sectransabort command to abort a single Secure Fabric OS transaction. This makes it possible to abort a transaction that has become frozen due to a failed host (if a switch goes down, the transaction aborts by default).
Managing Secure Fabric OS
Secure Fabric OS v2.6.1, v3.1.x, and v4.1.x can be managed through Fabric Manager and sectelnet. In addition, SSH is supported for Fabric OS v4.1.x. When Secure Mode is enabled, all Secure Fabric OS administrative operations, all Zoning commands, and some Management Server commands must be executed on the Primary FCS switch.
Viewing Secure Fabric OS-Related Information
You can view the following Secure Fabric OS-related information in relation to a fabric:
- General Secure Fabric OS-related information about a fabric
- The Secure Fabric OS policy sets (Active and Defined)
- Information about one or more Secure Fabric OS policies
For information about viewing the Secure Fabric OS statistics, see “Displaying...
Viewing the Secure Fabric OS Policy Database
You can use the secpolicydump command to display the Secure Fabric OS policy database, which consists of the Active and Defined Security Policy Sets. This command displays information without page breaks.
To view the Secure Fabric OS policy database:
1.
Example, displaying all policies in both Active and Defined Policy Sets.
primaryfcs:admin> secPolicyDump
____________________________________________________
DEFINED POLICY SET
FCS_POLICY
                         Primary   swName
__________________________________________________
10:00:00:60:69:30:15:5c  primaryfcs
HTTP_POLICY
         IpAddr
__________________________________________________
192.555.52.0
____________________________________________________
____________________________________________________
ACTIVE POLICY SET
FCS_POLICY
                         Primary   swName
__________________________________________________
10:00:00:60:69:30:15:5c  primaryfcs
HTTP_POLICY...
To display information about a specific Secure Fabric OS policy:
1. From a sectelnet or SSH session, log into the Primary FCS switch as Admin.
2. Enter the following:
secpolicyshow listtype, policy_name
Where: listtype is the type of Secure Fabric OS policy set, and can be “Active”, “Defined”, or an asterisk (*), which displays both versions of the specified policy.
primaryfcs:admin> secPolicyshow "active","FCS_POLICY"
____________________________________________________
ACTIVE POLICY SET
FCS_POLICY
                         Primary   swName
__________________________________________________
10:00:00:60:69:30:15:5c  primaryfcs
____________________________________________________
primaryfcs:admin>
Displaying Status of Secure Mode
You can use the secmodeshow command to determine whether Secure Mode is enabled.
To determine whether Secure Mode is enabled:
1.
Table 14: Secure Mode Information (Column Heading: Indicates)
- WWN of each FCS switch
- Domain ID of each FCS switch
- swName: Switch name of each FCS switch
Displaying and Resetting Secure Fabric OS Statistics
You can view a number of statistics regarding attempted violations of the Secure Fabric OS policies. Attempted policy violations include events such as the following: A DCC policy exists that defines which devices are authorized to access which switch (port) combinations, and a device that is not listed in the policy tries to access one of the defined switch (port) combinations.
Table 15: Secure Fabric OS Statistics (Continued) (Statistic: Definition)
- INVALID_TS (invalid timestamps): A received packet has a timestamp that differs from the time of the receiving switch by more than the maximum allowed difference.
- INVALID_SIGN (invalid signatures): A received packet has a bad signature.
- INVALID_CERT: A received certificate is not properly signed by the root CA of the...
To display Secure Fabric OS statistics:
1. Log into any switch as Admin from a sectelnet or SSH session.
2. Enter the following:
secstatsshow name, list
Where: name is the name of a Secure Fabric OS statistic or the policy that relates to the statistic.
Page 93
Managing Secure Fabric OS 3. Reset the statistics by entering the following: secstatsreset name, list Where: name is the name of the statistic or the policy that relates to the statistic. The valid statistic names are listed in Table 15. You can enter an asterisk (*) to indicate all Secure Fabric OS statistics.
Managing Secure Fabric OS Managing Passwords When Secure Mode is enabled, the following conditions apply: The passwd command can be entered only on the Primary FCS switch. The Root and Factory accounts can be accessed only from the FCS switches (attempting to use them from a Non-FCS switch generates an error message).
Managing Secure Fabric OS Table 16: Login Account Behavior with Secure Mode Disabled and Enabled Login Account Secure Mode Disabled Secure Mode Enabled User Available on all switches. Available on all switches. Can create temporary passwords. Recommended for all Password is specific to each non-administrative options.
Managing Secure Fabric OS Modifying Passwords in Secure Mode The passwd command can be used to modify the fabric-wide User password and the passwords for the FCS switches. The secnonfcspasswd can be used to modify the Admin password for Non-FCS switches. Modifying the FCS Switch Passwords or the Fabric-wide User Password You can use the passwd command to modify the passwords for the following accounts when Secure Mode is enabled:...
Managing Secure Fabric OS Modifying the Non-FCS Switch Admin Password You can modify the password for the Admin account on Non-FCS switches using the secnonfcspasswd command. Secure Mode must be enabled to use this command. To modify the Admin password for Non-FCS switches: 1.
Managing Secure Fabric OS Creating a Temporary Password for a Switch You can create a temporary password using the sectemppasswdset command. You must specify a login account and a switch Domain ID. To create a temporary Admin password on a Non-FCS switch: 1.
Managing Secure Fabric OS Removing a Temporary Password from a Switch You can use the sectemppasswdreset command to remove the temporary password. The regular password remains in effect. To remove the temporary password from a switch: 1. From a sectelnet or SSH session, log into the Primary FCS switch as Admin. 2.
Managing Secure Fabric OS Resetting the Version Number and Time Stamp When a change is made to any information in the Secure Fabric OS database (zoning, policies, passwords, or SNMP), the current time stamp and a version number are attached to the Secure Fabric OS database. This information is used to determine which database is preserved when two or more fabrics are merged.
Managing Secure Fabric OS Adding Switches and Merging Secure Fabrics If it becomes necessary to add a switch to a fabric, or to merge fabrics in order to simplify management or share fabric resources, then all switches and fabrics must be in the same state regarding Secure Mode and must have an identical FCS policy before they can be merged into one fabric.
Managing Secure Fabric OS Table 17: Moving Switches Between Fabrics (column headings: If set up as a standalone ...; If moved into a fabric that has Secure Mode enabled but no FCS switches; If moved into a fabric that has Secure Mode enabled and a functioning ...; If moved into ...)...
Managing Secure Fabric OS To merge fabrics that have Secure Fabric OS implemented: Note: This procedure does not require rebooting the fabric. However, there is potential for segmentation or other disruption to the fabric due to the number of factors involved in the merge process.
Managing Secure Fabric OS 4. Ensure that the Management Server services that are enabled and disabled are consistent across all the switches to be merged. For information about Management Server support provided by Fabric OS, refer to the HP StorageWorks Fabric OS Version 3.1.x/4.1.x Reference Guide. 5.
Managing Secure Fabric OS 9. Determine which switches you want to designate as Primary FCS and Backup FCS switches for the merged fabric, then modify the FCS policy for each existing fabric to show these switches as the Primary FCS and Backup FCS switches.
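The merge preconditions above (same Secure Mode state on every switch, an identical FCS policy in every fabric, consistent Management Server services, and an agreed Primary/Backup FCS list written into each fabric's FCS policy before the merge) can be checked ahead of time from an inventory of the switches involved. The following is an added example, not code from the guide or from Fabric OS: the Switch data model, the function names and the sample fabrics are assumptions for illustration, and the WWNs and service names are constructed. On a real fabric the values would be read from the switches themselves.

```python
"""Pre-merge readiness check for Secure Fabric OS fabrics (added example).

Mirrors the guide's merge preconditions: every switch must be in the same
Secure Mode state, every switch must carry an identical FCS policy (ordered
WWN list, Primary FCS first, then Backup FCS switches), and the enabled
Management Server services must match across switches.  Data model and
function names are assumptions; sample WWNs and service names are constructed.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Switch:
    """One switch as inventoried before the merge (assumed data model)."""
    name: str
    wwn: str
    secure_mode: bool
    fcs_policy: Tuple[str, ...]      # ordered WWNs: Primary FCS first, then Backup FCS
    ms_services: FrozenSet[str]      # Management Server services currently enabled


def check_merge(switches: List[Switch]) -> List[str]:
    """Return the conditions that block a merge; an empty list means all checks passed."""
    problems: List[str] = []
    if not switches:
        return ["no switches given"]

    # 1. Secure Mode must be enabled on all switches or on none of them.
    if len({s.secure_mode for s in switches}) > 1:
        enabled = sorted(s.name for s in switches if s.secure_mode)
        disabled = sorted(s.name for s in switches if not s.secure_mode)
        problems.append(f"Secure Mode mismatch: enabled on {enabled}, disabled on {disabled}")

    # 2. The FCS policy (same WWNs, same order) must be identical everywhere.
    policies = {s.fcs_policy for s in switches}
    if len(policies) > 1:
        detail = "; ".join(f"{s.name}={list(s.fcs_policy)}" for s in switches)
        problems.append("FCS policy differs between switches: " + detail)
    elif all(s.secure_mode for s in switches):
        # A secure fabric needs a functioning Primary FCS, so the policy must
        # name a switch that will actually be present after the merge.
        policy = next(iter(policies))
        present = {s.wwn for s in switches}
        if not policy:
            problems.append("FCS policy is empty")
        elif policy[0] not in present:
            problems.append(f"Primary FCS {policy[0]} is not a member of the merged fabric")

    # 3. Management Server services enabled/disabled must be consistent.
    service_sets = {s.ms_services for s in switches}
    if len(service_sets) > 1:
        union = frozenset().union(*service_sets)
        for s in switches:
            missing = sorted(union - s.ms_services)
            if missing:
                problems.append(f"{s.name}: Management Server services not enabled: {missing}")
    return problems


def set_fcs_policy(switches: List[Switch], primary: str, backups: Tuple[str, ...]) -> List[Switch]:
    """Rewrite every switch's FCS policy to the agreed Primary/Backup list (step 9)."""
    policy = (primary,) + tuple(backups)
    return [replace(s, fcs_policy=policy) for s in switches]


def primary_fcs(switches: List[Switch]) -> Optional[str]:
    """Name of the switch that will be Primary FCS after the merge, or None if policies disagree."""
    policies = {s.fcs_policy for s in switches}
    if len(policies) != 1:
        return None
    policy = next(iter(policies))
    primary_wwn = policy[0] if policy else None
    return next((s.name for s in switches if s.wwn == primary_wwn), None)


# Constructed sample data: two secure fabrics that each have their own FCS policy.
A1, A2, B1 = "10:00:00:00:00:00:00:a1", "10:00:00:00:00:00:00:a2", "10:00:00:00:00:00:00:b1"
MS = frozenset({"platform", "topology"})   # constructed service names
FABRIC_A = [Switch("swA1", A1, True, (A1, A2), MS), Switch("swA2", A2, True, (A1, A2), MS)]
FABRIC_B = [Switch("swB1", B1, True, (B1,), MS)]


def demo() -> Tuple[List[str], List[str], Optional[str]]:
    """Run the check before and after aligning the FCS policies of both fabrics."""
    before = check_merge(FABRIC_A + FABRIC_B)          # blocked: FCS policies differ
    merged = set_fcs_policy(FABRIC_A + FABRIC_B, A1, (A2, B1))
    after = check_merge(merged)                        # passes once the policies agree
    return before, after, primary_fcs(merged)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The check is deliberately strict about order as well as membership: the guide requires an identical FCS policy, and the first entry is what decides which switch becomes Primary FCS after the merge, so two fabrics that list the same switches in a different order are reported as a mismatch rather than silently merged.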
Managing Secure Fabric OS Troubleshooting Some of the most likely issues with Secure Fabric OS management and the recommended actions are described in Table 18. The information in the table is based on the assumption that the fabric was originally fully functional and Secure Mode was enabled.
Managing Secure Fabric OS Table 18: Recovery Processes (Continued). Symptom: A device listed in the DCC policy cannot be accessed. Likely Problem: Port may be disabled. Recommended Actions: Enter the switchshow command. If the port in question is disabled, enter the portenable command.
Managing Secure Fabric OS Frequently Asked Questions This section provides answers to questions that are frequently asked about the Secure Fabric OS product. General Is Secure Fabric OS standards-based? Yes. Secure Fabric OS utilizes standards-based security mechanisms and protocols. What additional information is available for Secure Fabric OS? In addition to this document, the following information about fabric security and the Secure Fabric OS product is available: Visit http://www.hp.com/.
Managing Secure Fabric OS (continued list of sources) Fabric Manager; Web Tools; Fabric Access (API). Does Secure Fabric OS prevent all unauthorized access? There is no 100% protection in any network. However, the Secure Fabric OS product makes it possible for the administrator to create a significantly increased level of security that is customized to the fabric.
Managing Secure Fabric OS Can I use standard telnet when Secure Mode is enabled? No, standard telnet is not supported when Secure Mode is enabled. However, sectelnet is supported for Fabric OS v2.6.1, v3.1.x, and v4.1.x, and SSH is also supported for v4.1.x. Is SSH part of the Secure Fabric OS feature? No, SSH is automatically included with Fabric OS v4.1.x, regardless of whether the Secure Fabric OS license is activated.
Managing Secure Fabric OS certificate is deleted, it must be reinstalled on the switch according to the instructions provided under “Distributing Digital Certificates to the Switches” on page 35. Are PKI objects required for any switch operations other than Secure Fabric OS? The PKI objects are required only for Secure Fabric OS and the sectelnet client.
Secure Fabric OS Commands and Secure Mode Restrictions Secure Fabric OS commands, zoning commands, and some Management Server commands must be entered through the Primary FCS switch. This appendix provides the following information: Secure Fabric OS Commands, page 114 Command Restrictions in Secure Mode, page 117 For more detailed information about commands, refer to the HP StorageWorks Fabric OS Version 3.1.x/4.1.x Reference Guide.
Secure Fabric OS Commands and Secure Mode Restrictions Secure Fabric OS Commands You can use the Secure Fabric OS commands to:
Enable and disable Secure Mode
Fail over the Primary FCS switch
Create and modify Secure Fabric OS policies
View all Secure Fabric OS-related information
Modify passwords
Create and remove temporary passwords
View and reset Secure Fabric OS statistics...
Secure Fabric OS Commands and Secure Mode Restrictions Table 19: Secure Fabric OS Commands (Continued) (columns: Command; Description; Available when Secure Mode is Disabled?). secmodedisable: Disables Secure Mode. See “Disabling Secure Mode” on page 123. Next row: Enables Secure Mode. See “Enabling Secure Mode”...
Secure Fabric OS Commands and Secure Mode Restrictions Table 19: Secure Fabric OS Commands (Continued) (columns: Command; Description; Available when Secure Mode is Disabled?). secpolicysave: Saves all policy changes since either secpolicysave or secpolicyactivate was last issued. All policy changes that are saved but not activated are stored in the Defined Security Policy Set.
Secure Fabric OS Commands and Secure Mode Restrictions Command Restrictions in Secure Mode This section provides information about the restrictions that Secure Mode places on commands. Any commands not listed here can be executed on any switch whether or not Secure Mode is enabled. Secure Fabric OS Commands Table 20 indicates the Secure Fabric OS commands that can be executed on...
Secure Fabric OS Commands and Secure Mode Restrictions Table 20: Secure Fabric OS Commands Executable on Specific Switches When Secure Mode Is Enabled (Continued) (columns: Command; Primary FCS switch; Backup FCS switch; Non-FCS switch). Commands listed: secpolicyshow, secstatsreset, secstatsshow, sectemppasswdreset, sectemppasswdset, sectransabort, secversionreset. Note on secversionreset for the Non-FCS switch column: only if no FCS switch is available.
Secure Fabric OS Commands and Secure Mode Restrictions Miscellaneous Commands Table 22 lists the miscellaneous commands, including Management Server and SNMP commands, that can be executed on specific switches. Commands not listed here (or in the preceding two tables) can be executed on any switch. Table 22: Miscellaneous Commands Executable on Specific Switches Command Primary FCS switch...
Secure Fabric OS Commands and Secure Mode Restrictions Table 22: Miscellaneous Commands Executable on Specific Switches (Continued) (columns: Command; Primary FCS switch; Backup FCS switch; Non-FCS switch). Commands listed: tsclockserver; tsclockserver ipaddr; wwn (display only: WWNs cannot be modified in Secure Mode).
Removing Secure Fabric OS Capability Secure Fabric OS capability can be removed from a fabric by disabling Secure Mode and deactivating the Secure Fabric OS license keys on the individual switches. Removing Secure Fabric OS capability is not recommended unless absolutely required.
Removing Secure Fabric OS Capability Preparing the Fabric for Removal of Secure Fabric OS Policies Note: This section provides general recommendations only. The following tasks are recommended to prepare the fabric before disabling Secure Mode: Review the current Secure Fabric OS policies and the devices and users affected by each policy.
Removing Secure Fabric OS Capability Disabling Secure Mode Secure Mode is enabled and disabled on a fabric-wide basis, and can be enabled and disabled as often as desired. However, all Secure Fabric OS policies, including the FCS policy, are deleted each time Secure Mode is disabled, and must be re-created the next time it is enabled.
Removing Secure Fabric OS Capability Example:
primaryfcs:admin> secmodedisable
Warning!!! About to disable security.
ARE YOU SURE (yes, y, no, n): [no] y
Committing configuration...done.
Removing Active FMPS... done
Removing Defined FMPS... done
Disconnecting current session.
primaryfcs:admin>
Removing Secure Fabric OS Capability Deactivating the Secure Fabric OS License on Each Switch Deactivating the Secure Fabric OS license is not required in order to disable Secure Fabric OS functionality. Note: If the user installs and activates a feature license and then removes the license, the feature is not disabled until the next time the system is rebooted or a switch enable or switch disable is performed.
Removing Secure Fabric OS Capability Uninstalling Related Items from the Host The following items can optionally be removed from the host: PKICERT utility Sectelnet SSH client These items do not have to be uninstalled in order to disable Secure Fabric OS functionality.
index sectransabort secure fabric OS (secure mode enabled) activating a license key secversionreset activating a policy zoning active policy set conventions API policy, about document audience text symbols authentication creating authorized reseller, HP Options policy policies, about commands miscellaneous defined policy set secfcsfailover digital certificates sechelp...
Index adding members creating help, obtaining deleting a policy identifying members authorized reseller removing members storage array systems website viewing the database storage website policies, types of technical support API MAC website Front Panel MAC HTTP policy, about HTTP MAC Management Server MAC RSNMP installing...
Index sectelnet, when available sectemppasswdreset upgraded switches sectemppasswdset sectransabort secure fabric OS commands (secure mode version stamp enabled) about secure mode enabled commands resetting secversionreset Serial Port policy, about SNMP policies websites about Carnegie Mellon software engineering RSNMP institute SNMP policies, types of WSNMP Fibre Channel Industry Association statistics HP home...