Creating An Scc Policy; Authentication Policy For Fabric Elements - HP StoreFabric SN6500B Administrator's Manual

Creating an SCC policy

1. Connect to the switch and log in using an account with admin permissions, or an account with
2. Enter the secPolicyCreate "SCC_POLICY" command.
3. Save or activate the new policy by entering either the secPolicySave or the secPolicyActivate
Example of creating an SCC policy

Authentication policy for fabric elements

By default, Fabric OS v6.2.0 and later use Diffie Hellman - Challenge Handshake Authentication
Protocol) (DH-CHAP) or Fibre Channel Authentication Protocol (FCAP) for authentication. These
protocols use shared secrets and digital certificates, based on switch WWN and public key
infrastructure (PKI) technology, to authenticate switches. Authentication automatically defaults to
FCAP if both switches are configured to accept FCAP protocol in authentication, unless ports are
configured for in-flight encryption, in which case authentication defaults to DH-CHAP if both
switches are configured to accept the DH-CHAP protocol in authentication. To use FCAP on both
switches, PKI certificates have to be installed.
NOTE
The fabric authentication feature is available in base Fabric OS. No license is required.
FCAP requires the exchange of certificates between two or more switches to authenticate to each
other before they form or join a fabric. Beginning with Fabric OS v7.0.0, these certificates are no
longer issued by Brocade, but by a third-party which is now the root CA for all of the issued
certificates. You can use Brocade and third-party certificates between switches that are Fabric OS
v6.4.0, but only Brocade-issued certificates (where Brocade is the root CA) for Fabric OS versions
earlier than v6.4.0. The certificates must be in PEM (Privacy Enhanced Mail) encoded format for
both root and peer certificates. The switch certificates issued from the third-party vendors can be
directly issued from the root CA or from an intermediate CA authority.
When you configure DH-CHAP authentication, you also must define a pair of shared secrets known
to both switches as a secret key pair.
key pair consists of a local secret and a peer secret. The local secret uniquely identifies the local
switch. The peer secret uniquely identifies the entity to which the local switch authenticates. Every
switch can share a secret key pair with any other switch or host in a fabric.
To use DH-CHAP authentication, a secret key pair has to be configured on both switches. For more
information on setting up secret key pairs, refer to
When configured, the secret key pair is used for authentication. Authentication occurs whenever
there is a state change for the switch or port. The state change can be due to a switch reboot, a
switch or port disable and enable, or the activation of a policy.
Fabric OS Administrator's Guide
53-1002745-02
OM permissions for the Security RBAC class of commands.
command.
If neither of these commands is entered, the changes are lost when the session is logged out.
For example, to create an SCC policy that allows switches that have domain IDs 2 and 4 to join
the fabric:
switch:admin> secpolicycreate "SCC_POLICY", "2;4"
SCC_POLICY has been created
switch:admin> secpolicysave

Authentication policy for fabric elements

Figure 13 illustrates how the secrets are configured. A secret
"Setting a secret key pair"
7
on page 214.
207