HP StorageWorks MSA 2/8, StorageWorks Secure Fabric OS 1.0 User Manual

HP StorageWorks Secure Fabric OS Version 1.0 User Guide
Product Version: 1.0
First Edition (June 2003)
Part Number: AA–RU57A–TE
This user guide outlines how to set up the Secure Fabric OS feature in an existing Storage Area Network (SAN). Topics discussed include activating the Secure Fabric OS license and creating Secure Fabric policies.
© Copyright 1999-2003 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company makes no warranty of any kind with regard to this material, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.
This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. The information contained in this document is subject to change without notice.
BROCADE, the Brocade B weave logo, Brocade: the Intelligent Platform for Networking Storage, SilkWorm, and SilkWorm Express, are trademarks or registered trademarks of Brocade Communications Systems, Inc. or its subsidiaries in the United States and/or in other countries.
Microsoft® and Windows® are U.S. registered trademarks of Microsoft Corporation. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information is provided “as is” without warranty of any kind and is subject to change without notice. The warranties for Hewlett-Packard Company products are set forth in the express limited warranty statements for such products. Nothing herein should be construed as constituting an additional warranty.
Printed in the U.S.A.
Secure Fabric OS Version 1.0 User Guide First Edition (June 2003) Part Number: AA–RU57A–TE
Contents
About this Guide  7
  Overview  8
    Intended Audience  8
    Related Documentation  8
  Conventions  9
    Document Conventions  9
    Text Symbols  9
  Getting Help  11
    HP Technical Support  11
    HP Storage Website  11
    HP Authorized Reseller  11
1 Introducing Secure Fabric OS  13
  Security of Management Channels  14
    Secure Shell  14
    Sectelnet  15
    Telnet  15
  Switch-to-Switch Authentication Using PKI  16
  Fabric Configuration Server Switches  17
  Fabric Management Policy Set  19
    Available Secure Fabric OS Policies  19
2 Adding Secure Fabric OS to the Fabric  21
  Adding Secure Fabric OS to the Fabric  22
  Identifying the Current Version of Fabric OS  23
  Adding Secure Fabric OS to Switches Shipped with Fabric OS v3.1.x or v4.1.x  24
    Customizing the Account Passwords  24
    Verifying or Activating the Secure Fabric OS and Zoning Licenses  25
  Adding Secure Fabric OS to Switches that Require Upgrading  27
    Upgrading to a Compatible Version of Fabric OS  28
    Customizing the Account Passwords  29
    Verifying or Activating the Secure Fabric OS and Zoning Licenses  30
    Installing the PKICERT Utility  30
    Using the PKICERT Utility to Obtain the CSR File  31
    Obtaining the Digital Certificate File  34
    Distributing Digital Certificates to the Switches  35
    Verifying Installation of the Digital Certificates  38
    Re-creating PKI Objects If Required  39
  Adding Secure Fabric OS to a Core Switch 2/64  41
  Installing a Supported CLI Client on a Computer Workstation  45
3 Creating Secure Fabric OS Policies  47
  Default Fabric and Switch Accessibility  48
  Enabling Secure Mode  49
  Modifying the FCS Policy  54
    Changing the Position of a Switch Within the FCS Policy  55
    Failing over the Primary FCS Switch  56
  Creating Secure Fabric OS Policies Other Than the FCS Policy  58
    Creating a MAC Policy  59
      Creating an SNMP Policy  60
      Telnet Policy  62
      HTTP Policy  64
      API Policy  65
      Management Server Policy  66
      Serial Port Policy  67
      Front Panel Policy  68
    Creating an Options Policy  70
    Creating a DCC Policy  71
    Creating an SCC Policy  74
  Managing Secure Fabric OS Policies  76
    Saving Changes to Secure Fabric OS Policies  77
    Activating Changes to Secure Fabric OS Policies  77
    Adding a Member to an Existing Policy  78
    Removing a Member from a Policy  79
    Deleting a Policy  80
    Aborting All Uncommitted Changes  80
    Aborting a Secure Fabric OS Transaction  81
4 Managing Secure Fabric OS  83
  Viewing Secure Fabric OS-Related Information  84
    Displaying General Secure Fabric OS Information About a Fabric  84
    Viewing the Secure Fabric OS Policy Database  85
    Displaying Individual Secure Fabric OS Policies  86
    Displaying Status of Secure Mode  88
  Displaying and Resetting Secure Fabric OS Statistics  90
    Displaying Secure Fabric OS Statistics  91
    Resetting Secure Fabric OS Statistics  92
  Managing Passwords  94
    Modifying Passwords in Secure Mode  96
      Modifying the FCS Switch Passwords or the Fabric-wide User Password  96
      Modifying the Non-FCS Switch Admin Password  97
    Using Temporary Passwords  97
      Creating a Temporary Password for a Switch  98
      Removing a Temporary Password from a Switch  99
  Resetting the Version Number and Time Stamp  100
  Adding Switches and Merging Secure Fabrics  101
  Troubleshooting  106
  Frequently Asked Questions  108
    General  108
    Management Access  109
    Digital Certificates and PKI Objects  110
    Merging Fabrics  111
    Passwords  111
A Secure Fabric OS Commands and Secure Mode Restrictions  113
  Secure Fabric OS Commands  114
  Command Restrictions in Secure Mode  117
    Secure Fabric OS Commands  117
    Zoning Commands  118
    Miscellaneous Commands  119
B Removing Secure Fabric OS Capability  121
  Preparing the Fabric for Removal of Secure Fabric OS Policies  122
  Disabling Secure Mode  123
  Deactivating the Secure Fabric OS License on Each Switch  125
  Uninstalling Related Items from the Host  126
Index  127
Tables
1 Document Conventions  9
2 FCS Policy States  54
3 Valid Methods for Specifying Policy Members  59
4 Read and Write Behaviors of SNMP Policies  60
5 Telnet Policy States  63
6 HTTP Policy States  64
7 API Policy States  65
8 Management Server Policy States  66
9 Serial Port Policy States  67
10 Front Panel Policy States  69
11 Options Policy States  70
12 DCC Policy States  72
13 SCC Policy States  74
14 Secure Mode Information  88
15 Secure Fabric OS Statistics  90
16 Login Account Behavior with Secure Mode Disabled and Enabled  95
17 Moving Switches Between Fabrics  102
18 Recovery Processes  106
19 Secure Fabric OS Commands  114
20 Secure Fabric OS Commands Executable on Specific Switches When Secure Mode Is Enabled  117
21 Zoning Commands Executable on the Primary FCS Switch  118
22 Miscellaneous Commands Executable on Specific Switches  119
About this Guide
This user guide provides information to help you:
Create policies to customize fabric management access.
Specify which switches and devices can join the fabric.
Manage the fabric-wide Secure Fabric OS parameters through a single switch.
Enable and disable Secure Fabric OS as desired.
Contact technical support for additional assistance.
“About this Guide” topics include:
Overview, page 8
Conventions, page 9
Getting Help, page 11
Overview
This section covers the following topics:
Intended Audience
Related Documentation
Intended Audience
This book is intended for use by System Administrators who are experienced with the following:
HP StorageWorks Fibre Channel SAN Switches.
HP StorageWorks Fabric OS v3.1.x or later.
Related Documentation
For a list of related documents included with this product, see the “Related Documents” section of the Release Notes that came with this product.
For the latest information, documentation, and firmware releases, please visit the following HP StorageWorks website:
http://www.hp.com/country/us/eng/prodserv/storage.html
For information about Fibre Channel standards, visit the Fibre Channel Industry Association website, located at:
http://www.fibrechannel.org
Conventions
Conventions consist of the following:
Document Conventions
Text Symbols
Document Conventions
The document conventions included in Table 1 apply in most cases.
Table 1: Document Conventions
| Element | Convention |
| --- | --- |
| Cross-reference links | Blue text: Figure 1 |
| Key and field names, menu items, buttons, and dialog box titles | Bold |
| File names, application names, and text emphasis | Italics |
| User input, command and directory names, and system responses (output and messages) | Monospace font; COMMAND NAMES are uppercase monospace font unless they are case-sensitive |
| Variables | <monospace, italic font> |
| Website addresses | Blue, underlined sans serif font text: http://www.hp.com |
Text Symbols
The following symbols may be found in the text of this guide. They have the following meanings.
WARNING: Text set off in this manner indicates that failure to follow directions in the warning could result in bodily harm or death.
Caution: Text set off in this manner indicates that failure to follow directions could result in damage to equipment or data.
Note: Text set off in this manner presents commentary, sidelights, or interesting points of information.
Getting Help
If you still have a question after reading this guide, contact an HP authorized service provider or access our website:
http://www.hp.com
HP Technical Support
Telephone numbers for worldwide technical support are listed on the following HP website:
http://www.hp.com/support/
From this website, select the country of origin.
Note: For continuous quality improvement, calls may be recorded or monitored.
Be sure to have the following information available before calling:
Technical support registration number (if applicable)
Product serial numbers
Product model names and numbers
Applicable error messages
Operating system type and revision level
Detailed, specific questions
HP Storage Website
The HP website has the latest information on this product, as well as the latest drivers. Access storage at:
http://www.hp.com/country/us/eng/prodserv/storage.html
From this website, select the appropriate product or solution.
HP Authorized Reseller
For the name of your nearest HP authorized reseller:
In the United States, call 1-800-345-1518.
In Canada, call 1-800-263-5868.
Elsewhere, see the HP website for locations and telephone numbers:
http://www.hp.com
1 Introducing Secure Fabric OS
Secure Fabric OS is an optionally licensed product that provides customizable security restrictions through local and remote management channels on an HP StorageWorks fabric. Secure Fabric OS allows the administrator to:
Create policies to customize fabric management access and to specify which switches and devices can join the fabric
View statistics related to attempted policy violations
Manage the fabric-wide Secure Fabric OS parameters through a single switch
Create temporary passwords specific to a login account and switch
Enable and disable Secure Fabric OS
Secure Fabric OS uses digital certificates based on public key infrastructure (PKI) to provide switch-to-switch authentication.
This chapter provides the following information:
Security of Management Channels, page 14
Switch-to-Switch Authentication Using PKI, page 16
Fabric Configuration Server Switches, page 17
Fabric Management Policy Set, page 19
Security of Management Channels
You can use Secure Fabric OS to increase the security of the local and remote management channels, including Fabric Manager, Web Tools, standard SNMP applications, Management Server, and a supported command line interface (CLI) client such as sectelnet.
You can specify the access allowed through a channel by customizing the Secure Fabric OS policy for that channel. Secure Fabric OS policies are available for telnet (includes sectelnet and Secure Shell), SNMP, Management Server, HTTP, and Application Programming Interface (API). Fabric Manager and Web Tools both use HTTP and API to access the switch.
Once a digital certificate is installed on the switch, Fabric OS v2.6.1, v3.1.x, and v4.1.x all encrypt sectelnet, API, and HTTP passwords automatically, regardless of whether Secure Fabric OS is enabled.
Note: The “Telnet” button in Web Tools can be used to launch telnet only (not sectelnet or Secure Shell), and is disabled when Secure Mode is enabled.
Secure Shell
Fabric OS v4.1.x supports Secure Shell (SSH), which is a fully encrypted protocol for the CLI. Use of SSH requires installation of an SSH client on the host computer. It does not require a digital certificate on the switch.
SSH access is configurable by the Telnet policy that is available through Secure Fabric OS. However, Fabric OS v4.1.x supports SSH whether or not Secure Fabric OS is licensed.
If you want to restrict CLI access over the network to SSH, disable telnet as described under “Telnet” on page 15.
SSH clients are available in the public domain, and can be located by searching on the Internet. Any client that supports Version 2 of the protocol is supported, such as PuTTY or F-Secure.
Fabric OS v4.1.x also supports the following ciphers for session encryption and Hash Message Authentication Codes (HMACs), that is, hash-function-based message authentication codes:
Ciphers: AES128-CBC, 3DES-CBC, Blowfish-CBC, Cast128-CBC, and RC4
HMACs: HMAC-MD5, HMAC-SHA1, HMAC-SHA1-96, and HMAC-MD5-96.
Note: The first time an SSH client is launched, a message displays indicating that the server’s host key is not cached in the registry.
For more information about SSH, refer to the HP StorageWorks Fabric Operating System Procedures Version 3.1.x/4.1.x User Guide.
Sectelnet
Sectelnet is a secure form of telnet that encrypts passwords only. It is available in the public domain and through HP. Fabric OS v4.1.x includes the sectelnet server; you must install the client on the host computer.
Sectelnet can be used as soon as a digital certificate is installed on the switch. Sectelnet access is configurable by the Telnet policy.
Telnet
Standard telnet is not available when Secure Mode is enabled. If you want to remove all telnet access to the fabric, you can disable telnet through the telnetd option of the configure command. You do not have to disable the switch in order to select this option. For more information about the configure command, refer to the HP StorageWorks Fabric OS Version 3.1.x/4.1.x Reference Guide.
Switch-to-Switch Authentication Using PKI
Secure Fabric OS uses digital certificates based on PKI and switch World Wide Names (WWNs) to identify the authorized switches and prevent the addition of unauthorized switches to the fabric. A PKI Certificate Installation utility (PKICERT) is provided for generating Certificate Signing Requests (CSRs) and installing digital certificates on switches. For information about how to use the PKICERT utility, see “Adding Secure Fabric OS to the Fabric” on page 22.
Fabric Configuration Server Switches
Fabric Configuration Server (FCS) switches are one or more switches that you specify as trusted switches (switches that are in a physically secure area) for use in managing Secure Fabric OS. These switches should be both electronically and physically secure. You can specify a Primary FCS switch and one or more Backup FCS switches, to provide failover ability in case the Primary FCS switch fails.
You specify the FCS switches by listing their WWNs in a specific policy called the FCS policy. The first switch that is listed in this policy and is participating in the fabric acts as the Primary FCS switch, and distributes the following information to the other switches in the fabric:
Zoning configuration
Secure Fabric OS policies
Fabric password database
SNMP community strings
System date and time
Note: The role of the FCS switch is separate from the role of the principal switch, which assigns Domain IDs. The role of the principal switch is not affected by whether Secure Mode is enabled.
When Secure Mode is enabled, only the Primary FCS switch can propagate management changes to the fabric. When a new switch joins the fabric, the Primary FCS switch verifies the digital certificate and then provides the current configuration, overwriting the existing configuration of the new switch.
Because the Primary FCS distributes the zoning configuration, zoning databases do not merge when new switches join the fabric. Instead, the zoning information on the new switches is overwritten when the Primary FCS downloads zoning to these switches, if Secure Mode is enabled on all the switches. For more information about merging fabrics, see “Adding Switches and Merging Secure Fabrics” on page 101.
The remaining switches listed in the FCS policy act as Backup FCS switches. If the Primary FCS switch becomes unavailable for any reason, the next switch in the list becomes the Primary FCS switch. A minimum of one Backup FCS switch is strongly recommended to reduce the possibility of having no Primary FCS switch available. You can designate a single Primary FCS switch and as many Backup FCS switches as desired; however, all FCS switches should be physically secure.
Any switches not listed in the FCS policy are defined as Non-FCS switches. Root and Factory accounts are disabled on Non-FCS switches.
For information about customizing the FCS policy and configuration download restrictions while in Secure Mode, see “Enabling Secure Mode” on page 49.
Fabric Management Policy Set
Secure Fabric OS supports the creation of a number of specific policies that you can use to customize specific aspects of the fabric. Each supported policy is recognized by a specific name. By default, only the FCS policy exists when Secure Mode is first enabled.
You can create, display, modify, and delete the Secure Fabric OS policies. You can also create and save a policy without activating it immediately, to allow implementation at a future time. Once you save policy changes, the new policies are persistent, meaning that they are saved in flash memory and remain available after switch reboot or power cycle.
The group of existing policies is referred to as the Fabric Management Policy Set (FMPS), which includes an Active Policy Set and a Defined Policy Set. The Active Policy Set contains the policies that are activated and currently in effect. The Defined Policy Set contains all the policies that have been defined, whether activated or not. Both policy sets are distributed to all switches in the fabric by the Primary FCS switch.
You can create and manage the Secure Fabric OS policies by CLI or Fabric Manager.
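The FCS election and failover rules described under “Fabric Configuration Server Switches”, together with the Defined versus Active policy sets described above, modelled in Python as an added example (not code from this guide or from Fabric OS); the policy name FCS_POLICY is assumed and all WWNs are constructed sample values.

```python
"""Model of FCS policy roles and the Fabric Management Policy Set (FMPS).

Added example written for this page, not code from the HP guide or Fabric OS.
It encodes the rules the guide states:
  * the FCS policy is an ordered list of switch WWNs;
  * the first listed switch that is participating in the fabric is the Primary
    FCS, other listed participating switches are Backup FCS switches, and every
    unlisted switch is Non-FCS (root and factory accounts disabled);
  * a policy saved into the Defined Policy Set has no effect until activated
    into the Active Policy Set.
The policy name FCS_POLICY is assumed; all WWNs are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PRIMARY, BACKUP, NON_FCS = "Primary FCS", "Backup FCS", "Non-FCS"
FCS_POLICY = "FCS_POLICY"  # assumed name for the FCS policy


@dataclass
class FabricManagementPolicySet:
    """Defined Policy Set (saved) and Active Policy Set (currently in effect)."""
    defined: Dict[str, List[str]] = field(default_factory=dict)
    active: Dict[str, List[str]] = field(default_factory=dict)

    def save(self, name: str, members: List[str]) -> None:
        """Save a policy without activating it; nothing changes in the fabric yet."""
        if name == FCS_POLICY and not members:
            raise ValueError("the FCS policy must list at least one switch WWN")
        if len(set(members)) != len(members):
            raise ValueError("a WWN may appear only once in a policy")
        self.defined[name] = list(members)

    def activate(self) -> None:
        """Copy the Defined Policy Set into the Active Policy Set; this is what
        the Primary FCS switch would then distribute to every switch."""
        self.active = {name: list(members) for name, members in self.defined.items()}


def fcs_roles(fmps: FabricManagementPolicySet, participating: List[str]) -> Dict[str, str]:
    """Assign Primary/Backup/Non-FCS roles to the switches currently in the fabric.

    Only the *active* FCS policy counts.  Listed switches that are not
    participating are skipped, so a disconnected first entry does not block
    the election."""
    fcs_list = fmps.active.get(FCS_POLICY, [])
    roles: Dict[str, str] = {}
    primary_found = False
    for wwn in fcs_list:
        if wwn not in participating:
            continue
        if not primary_found:
            roles[wwn] = PRIMARY
            primary_found = True
        else:
            roles[wwn] = BACKUP
    for wwn in participating:
        roles.setdefault(wwn, NON_FCS)
    return roles


def primary_fcs(fmps: FabricManagementPolicySet, participating: List[str]) -> Optional[str]:
    """WWN of the Primary FCS switch, or None when no listed switch is reachable
    (the case the guide's 'at least one Backup FCS' recommendation guards against)."""
    for wwn, role in fcs_roles(fmps, participating).items():
        if role == PRIMARY:
            return wwn
    return None


def fail_over(fmps: FabricManagementPolicySet, participating: List[str],
              lost_wwn: str) -> Tuple[Optional[str], List[str]]:
    """Simulate a switch leaving the fabric.  If it was the Primary FCS, the next
    listed switch still participating becomes Primary.  Returns the new Primary
    (or None) and the remaining participating switches."""
    remaining = [wwn for wwn in participating if wwn != lost_wwn]
    return primary_fcs(fmps, remaining), remaining


def disabled_accounts(role: str) -> List[str]:
    """Root and Factory accounts are disabled on Non-FCS switches."""
    return ["root", "factory"] if role == NON_FCS else []


# Constructed sample fabric: four switches with fictitious WWNs.
SW_A = "10:00:00:00:00:00:00:0a"
SW_B = "10:00:00:00:00:00:00:0b"
SW_C = "10:00:00:00:00:00:00:0c"
SW_D = "10:00:00:00:00:00:00:0d"
FABRIC = [SW_A, SW_B, SW_C, SW_D]


def demo() -> Dict[str, str]:
    """Walk through save -> activate -> role assignment -> Primary FCS failover."""
    fmps = FabricManagementPolicySet()
    fmps.save(FCS_POLICY, [SW_B, SW_A, SW_C])   # order matters: SW_B is listed first
    assert primary_fcs(fmps, FABRIC) is None    # saved but not yet activated
    fmps.activate()
    roles = fcs_roles(fmps, FABRIC)             # B primary, A and C backup, D non-FCS
    new_primary, remaining = fail_over(fmps, FABRIC, SW_B)
    roles_after = fcs_roles(fmps, remaining)    # A is now primary, C still backup
    print("before failover:", roles)
    print("after losing", SW_B, "->", new_primary, roles_after)
    return roles_after


if __name__ == "__main__":
    demo()
```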
Available Secure Fabric OS Policies
You can use Secure Fabric OS to create the following supported Secure Fabric OS policies:
Fabric Configuration Server (FCS) policy: This policy specifies the Primary FCS and Backup FCS switches.
Management Access Control (MAC) policies: These policies restrict management access to switches. The following specific MAC policies are provided:
— Read and Write SNMP policies: Restrict which SNMP hosts are allowed read and write access to the fabric.
— Telnet policy: Restricts the workstations that can use sectelnet or SSH to connect to the fabric (telnet is not available when Secure Fabric OS is enabled).
— HTTP policy: Restricts the workstations that can use HTTP to access the fabric.
— API policy: Restricts the workstations that can use API to access the fabric.
— Management Server policy: Restricts management server access to specified devices.
— Serial Port policy: Restricts serial port access to specified switches.
— Front Panel policy: Restricts front panel access to switches that are physically secure.
Options policy: You can use this policy to specify the types of WWNs that can be used for zoning.
Device Connection Control (DCC) policies: You can use these policies to manage which Fibre Channel device ports are allowed to connect to which Fibre Channel switch ports.
Switch Connection Control (SCC) policy: You can use this policy to manage which switches can join the fabric.
2 Adding Secure Fabric OS to the Fabric
Secure Fabric OS is supported by Fabric OS v2.6.1, v3.1.x, and v4.1.x, and can be added to fabrics that contain any combination of these versions. The procedure for adding Secure Fabric OS to a switch depends on whether the switch is shipped with one of these versions installed or requires upgrading.
The following switches can be upgraded for use with Secure Fabric OS:
StorageWorks 1 Gb SAN switches running Fabric OS v2.3+ to v2.6.1
StorageWorks 2 Gb SAN switches running Fabric OS v3.0+ to v3.1.x
Core Switch 2/64 or SAN Switch 2/32 switches running Fabric OS v4.0+ to v4.1.x
This chapter provides the following information:
Adding Secure Fabric OS to the Fabric, page 22
Identifying the Current Version of Fabric OS, page 23
Adding Secure Fabric OS to Switches Shipped with Fabric OS v3.1.x or v4.1.x, page 24
Adding Secure Fabric OS to Switches that Require Upgrading, page 27
Adding Secure Fabric OS to a Core Switch 2/64, page 41
Installing a Supported CLI Client on a Computer Workstation, page 45
Adding Secure Fabric OS to the Fabric
To implement Secure Fabric OS in a fabric, each switch in the fabric must have the following:
A compatible version of Fabric OS
An activated Secure Fabric OS security license
An activated Zoning license (zoning is essential to Secure Fabric OS mechanisms)
The required PKI objects
A digital certificate
The following steps are required to set up a fabric for use with Secure Fabric OS:
Identify the versions of Fabric OS currently installed on each switch and determine which switches require upgrading to support Secure Fabric OS. Instructions are provided under “Identifying the Current Version of Fabric OS” on page 23.
For each switch that was shipped with Fabric OS v3.1.x or v4.1.x installed, follow the instructions provided under “Adding Secure Fabric OS to Switches Shipped with Fabric OS v3.1.x or v4.1.x” on page 24.
For each switch that must be upgraded for use with Secure Fabric OS, follow the instructions provided under “Adding Secure Fabric OS to Switches that Require Upgrading” on page 27.
For the HP StorageWorks Core Switch 2/64 with any version of Fabric OS v4.x, follow the instructions provided under “Adding Secure Fabric OS to a Core Switch 2/64” on page 41.
Install a supported CLI client on each computer workstation that you intend to use to access the fabric. Instructions are provided under “Installing a Supported CLI Client on a Computer Workstation” on page 45.
Note: If one or more switches are not capable of enforcing the Secure Fabric OS policies, they may segment from the fabric.
Identifying the Current Version of Fabric OS
Before continuing, identify the version of Fabric OS on each switch in the fabric and determine which switches must be upgraded. To upgrade a switch, see “Upgrading to a Compatible Version of Fabric OS” on page 28.
To identify the current version of Fabric OS installed on each switch in the fabric:
1. Open a CLI connection (serial or telnet) to one of the switches in the fabric.
2. Log into the switch as Admin. The default password is password.
3. Enter the version command. Example for entering the version command on an HP StorageWorks 2 Gb SAN switch:
switch:admin> version
Kernel: 2.4.2
Fabric OS: v4.1.x
Made on: Fri Jan 3 23:02:08 2003
Flash: Jan 3 18:03:35 2003
BootProm: 4.1.17
switch:admin>
4. Repeat step 1 through step 3 for each switch in the fabric.
Adding Secure Fabric OS to Switches Shipped with Fabric OS v3.1.x or v4.1.x
This section applies to the following switches:
StorageWorks SAN Switch 2/8 EL or StorageWorks SAN Switch 2/16 shipped with Fabric OS v3.1.x
StorageWorks SAN Switch 2/32 shipped with Fabric OS v4.1.x
All switches that are shipped with Fabric OS v3.1.x or v4.1.x installed already have the required PKI objects and a digital certificate.
To set up Secure Fabric OS on a switch shipped with Fabric OS v3.1.x or v4.1.x:
1. Change the account passwords from default values as described in “Customizing the Account Passwords” on page 24.
2. If switches running Fabric OS v3.1.x will be in the same fabric as switches running Fabric OS v4.1.x, set the Core processor ID (PID) on the v3.1.x switches accordingly. Refer to the HP StorageWorks Fabric Operating System Procedures Version 3.1.x/4.1.x User Guide for instructions.
3. Ensure that the switch has an activated Secure Fabric OS and Zoning Software License as described in “Verifying or Activating the Secure Fabric OS and Zoning Licenses” on page 25.
Customizing the Account Passwords
You are prompted to customize the account passwords at the first login. Changing the passwords immediately is recommended. Until you change the passwords from the default values, you are prompted to change them each time you log in, and the passwd command remains disabled.
Note: In addition to customizing the passwords for the User, Admin, Factory, and Root accounts, setting both the Boot PROM and Recovery passwords is strongly recommended. For instructions on setting these passwords, refer to the HP StorageWorks Fabric Operating System Procedures Version 3.1.x/4.1.x User Guide.
To log in and change the passwords:
1. Open a CLI connection (serial or telnet) to the switch.
2. Log into the switch as Admin. The default password is password. The firmware prompts you to change all passwords.
3. Change all the passwords to secure passwords, using between 8 and 40 alphanumeric characters for each password, with a different password for each account.
The new passwords must be different from the default values.
Note: Record the passwords and store them in a secure place. Recovering passwords can require significant effort and result in fabric downtime.
Verifying or Activating the Secure Fabric OS and Zoning Licenses
The Secure Fabric OS and Zoning features are included in the Fabric OS and can be activated by entering a corresponding license key, available from HP. You must activate the licenses on each switch for which you want to implement Secure Fabric OS.
You can activate a license through the CLI or through Web Tools. This section provides CLI instructions only. For instructions on activating a license through Web Tools, refer to the HP StorageWorks Web Tools Version 3.1.x/4.1.x User Guide.
To verify or activate a software license through the CLI:
1. Open a CLI connection (serial or telnet) to the switch.
2. Log into the switch as Admin. The default password is password.
3. Enter the licenseshow command to determine whether the license is already activated.
A list of all the activated licenses displays. The Secure Fabric OS license displays as Security license.
Example:
switch:admin> licenseshow
1A1AaAaaaAAAA1a:
    Web license
    Zoning license
    Trunking license
    Security license
switch:admin>
4. If the Secure Fabric OS and Zoning licenses are already listed, the features are already available and you do not need to complete the remaining steps. If either license is not listed, continue with step 5.
5. Contact HP to purchase the required license key.
6. Once you receive the key, enter the following:
licenseadd "key"
Where key is the license key string exactly as provided by HP, and is case sensitive. It can be copied from the e-mail in which it was provided directly into the CLI.
Example:
switch:admin> licenseadd "aAaaaaAaAaAaAaA"
adding license key "aAaaaaAaAaAaAaA"
done.
switch:admin>
7. Enter the licenseshow command to verify that the license was successfully activated.
If the license is listed, the feature is immediately available (the Secure Fabric OS license displays as Security license).
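Before enabling Secure Fabric OS it is worth auditing every switch at once rather than reading `version` and `licenseshow` output by hand. The following Python script is an added example written for this guide, not an HP or Brocade tool: it parses captured `version` and `licenseshow` output, classifies the firmware against the supported releases and upgrade paths listed in this chapter (v2.3+ to v2.6.1, v3.0+ to v3.1.x, v4.0+ to v4.1.x), and flags any switch missing the Security or Zoning license. The switch names, the `edge-b` capture and the license key strings are constructed; the `core-a` capture mirrors the examples on this page.

```python
"""Secure Fabric OS readiness audit (added example; not HP's or Brocade's code).

Feed it the text an operator captured from each switch's ``version`` and
``licenseshow`` commands and it reports, per switch, whether the firmware is
a supported release, which release to upgrade to if not, and which required
licenses are missing.  All sample captures below are constructed.
"""
import re

# Releases the guide lists as supporting Secure Fabric OS.
SUPPORTED_EXACT = {(2, 6, 1): "v2.6.1"}
SUPPORTED_LINES = {(3, 1): "v3.1.x", (4, 1): "v4.1.x"}

# Upgrade paths the guide lists, keyed by major version:
# v2.3+ -> v2.6.1, v3.0+ -> v3.1.x, v4.0+ -> v4.1.x
UPGRADE_PATH = {2: ((2, 3), "v2.6.1"), 3: ((3, 0), "v3.1.x"), 4: ((4, 0), "v4.1.x")}

# Licenses every switch needs before Secure Fabric OS can be enabled.
REQUIRED_LICENSES = ("Security license", "Zoning license")


def parse_version(version_output):
    """Return the 'Fabric OS:' release as (major, minor, patch); 'x' counts as 0."""
    m = re.search(r"Fabric OS:\s*v(\d+)\.(\d+)(?:\.(\d+|x))?", version_output)
    if not m:
        raise ValueError("no 'Fabric OS:' line found in version output")
    patch = m.group(3)
    return (int(m.group(1)), int(m.group(2)), 0 if patch in (None, "x") else int(patch))


def classify_version(ver):
    """Return ('ok', release), ('upgrade', target release) or ('unsupported', None)."""
    if ver in SUPPORTED_EXACT:
        return ("ok", SUPPORTED_EXACT[ver])
    if ver[:2] in SUPPORTED_LINES:
        return ("ok", SUPPORTED_LINES[ver[:2]])
    path = UPGRADE_PATH.get(ver[0])
    if path and ver[:2] >= path[0]:
        return ("upgrade", path[1])
    return ("unsupported", None)


def parse_licenses(licenseshow_output):
    """Return the set of license names listed under the key in licenseshow output."""
    return {line.strip() for line in licenseshow_output.splitlines()
            if line.strip().endswith(" license")}


def audit_switch(name, version_output, licenseshow_output):
    """Combine firmware and license checks into one readiness record."""
    ver = parse_version(version_output)
    status, target = classify_version(ver)
    licenses = parse_licenses(licenseshow_output)
    missing = [lic for lic in REQUIRED_LICENSES if lic not in licenses]
    return {
        "switch": name,
        "fabric_os": ver,
        "firmware": status,
        "upgrade_to": target,
        "missing_licenses": missing,
        "ready": status == "ok" and not missing,
    }


# Constructed sample captures keyed by a made-up switch name.
SAMPLE_CAPTURES = {
    "core-a": (
        "switch:admin> version\nKernel:     2.4.2\nFabric OS:  v4.1.x\n"
        "Made on:    Fri Jan 3 23:02:08 2003\nFlash:      Jan 3 18:03:35 2003\n"
        "BootProm:   4.1.17\nswitch:admin>",
        "switch:admin> licenseshow\n1A1AaAaaaAAAA1a:\n    Web license\n"
        "    Zoning license\n    Trunking license\n    Security license\nswitch:admin>",
    ),
    "edge-b": (
        "switch:admin> version\nKernel:     2.2\nFabric OS:  v3.0.2\nswitch:admin>",
        "switch:admin> licenseshow\nbBbbbbBbBbBbBbB:\n    Web license\n"
        "    Zoning license\nswitch:admin>",
    ),
}


def audit_fabric(captures=SAMPLE_CAPTURES):
    """Audit every switch in the capture set and return one record per switch."""
    return [audit_switch(name, v, lic) for name, (v, lic) in captures.items()]


if __name__ == "__main__":
    for record in audit_fabric():
        print(record)
```

A switch that reports `unsupported` is below the earliest release this chapter says can be upgraded and needs attention before the fabric is put into Secure Mode; one that reports `upgrade` follows the procedure under “Adding Secure Fabric OS to Switches that Require Upgrading”.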
Adding Secure Fabric OS to Switches that Require Upgrading
This section applies to the following switches:
HP StorageWorks switches running Fabric OS v2.6.1
HP StorageWorks switches running a Fabric OS previous to v3.1.x
HP StorageWorks switches running a Fabric OS previous to v4.1.x
To set up the Secure Fabric OS on a switch that was shipped without Fabric OS v3.1.x or v4.1.x preinstalled:
1. If switches running Fabric OS v2.6.1 or v3.1.x will be in same fabric as switches running Fabric OS v4.1.x, set the Core PID on the v2.6.1 and v3.1.x switches accordingly. Refer to the HP StorageWorks Fabric Operating System Procedures Version 3.1.x/4.1.x User Guide for instructions.
2. Back up the configuration and upgrade the switch to Fabric OS v2.6.1, v3.1.x, or v4.1.x, as appropriate to the switch, as described in “Upgrading to a
Compatible Version of Fabric OS” on page 28.
3. Change the account passwords from the default values, as described in “Customizing the Account Passwords” on page 29.
4. The remaining steps are determined by whether Secure Fabric OS was already in use on the switch.
— If Secure Fabric OS was already in use on the switch, the upgrade is complete. You can verify the existing policy set by entering the secpolicyshow command.
— If Secure Fabric OS was not already in use on the switch, continue with step 5.
5. Verify or activate the Secure Fabric OS and Zoning licenses, as described in “Verifying or Activating the Secure Fabric OS and Zoning Licenses” on page 30.
6. Download and install the PKICERT utility on the computer workstation, as described in “Installing the PKICERT Utility” on page 30.
7. Create a file containing the CSRs from all the switches that require certificates, as described in “Using the PKICERT Utility to Obtain the CSR File” on page 31.
8. Obtain digital certificates from HP, as described in “Obtaining the Digital Certificate File” on page 34.
9. Distribute the certificates to the switches, as described in “Distributing Digital Certificates to the Switches” on page 35.
10. Verify that digital certificates are installed on all the switches, as described in “Verifying Installation of the Digital Certificates” on page 38.
Upgrading to a Compatible Version of Fabric OS
Secure Fabric OS is supported by Fabric OS v2.6.1, v3.1.x, and v4.1.x, and can be implemented in fabrics that contain any combination of these versions.
You can upgrade the following switches for use with Secure Fabric OS:
HP StorageWorks switches running Fabric OS v2.6+ to v2.6.1
HP StorageWorks switches running Fabric OS v3.0+ to v3.1.x
HP StorageWorks switches running Fabric OS v4.0+ to v4.1.x
Note: Switches running Fabric OS v2.6.1 or v3.1.x must have the Core PID set to “1” in order to join a fabric with switches running Fabric OS v4.1.x. For information on setting the Core PID, refer to the HP StorageWorks Fabric Operating System Procedures Version 3.1.x/4.1.x User Guide.
If Secure Fabric OS is already implemented on a switch that is being upgraded, you can upgrade while the switch is in Secure Mode.
To install the required versions of Fabric OS on each switch in the fabric:
1. Obtain the required firmware from the switch provider, according to the type of switch.
2. Open a CLI connection (serial or telnet) to one of the switches in the fabric.
3. Back up the configuration by entering the configupload command and completing the prompts.
This also backs up the security policies, if Secure Fabric OS was already in use on the switch.
4. Log into the switch as Admin. The default password is password.
5. Download the firmware to the computer workstation or server.
6. Download the required firmware from the computer to the switch. The download process depends on the type of switch and management interface. Refer to the HP StorageWorks Fabric Operating System Procedures Version 3.1.x/4.1.x User Guide for download instructions specific to the type of switch and management interface.
Note: If Secure Mode is already enabled on the switch, you can leave it enabled during the download, which preserves the security policies. For information about merging fabrics that have Secure Mode enabled, see “Adding Switches and Merging Secure Fabrics” on page 101.
7. Reboot the switch.
Note: The PKI objects that are required by Secure Fabric OS are created automatically the first time the switch is booted up.
8. Repeat this procedure for each switch in the fabric.
Customizing the Account Passwords
After installing a new version of Fabric OS, you are prompted to customize the account passwords at the first login. Until you change the passwords from the default values, you are prompted to change them each time you log in, and the passwd command remains disabled.
Note: In addition to customizing the passwords for the User, Admin, Factory, and Root accounts, setting the Boot PROM and Recovery passwords is strongly recommended for Fabric OS v4.1.x (does not apply to v2.6.1 or v3.1.x). For instructions on setting these passwords, refer to the HP StorageWorks Fabric Operating System Procedures Version 3.1.x/4.1.x User Guide.
To log in and change the passwords:
1. Open a CLI connection (serial or telnet) to the switch.
2. Log into the switch as Admin. The default password is password. The firmware prompts you to change all passwords.
3. Change all the passwords to secure passwords, using between 8 and 40 alphanumeric characters for each password, with a different password for each account.
The new passwords must be different from the default values.
Note: Record the passwords and store them in a secure place. Recovering passwords can require significant effort and result in fabric downtime.
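Both “Customizing the Account Passwords” procedures in this chapter state the same rules: 8 to 40 alphanumeric characters, a different password for each of the User, Admin, Factory, and Root accounts, and none equal to a default value. The following Python check is an added example, not part of this guide or of Fabric OS; an administrator can run it against the passwords they intend to set before typing them at the switch prompt. The only default the guide states is the Admin password (`password`), so the `DEFAULTS` set is an assumption to extend with the values documented in the Fabric OS procedures guide, and the sample passwords are constructed.

```python
"""Pre-flight check for Fabric OS account passwords (added example; not HP's code).

Encodes the rules this chapter gives for the first-login password change:
length 8..40, alphanumeric only, distinct per account, not a factory default.
"""
import string

ACCOUNTS = ("user", "admin", "factory", "root")
# Assumption: the guide only states the Admin default; add the other defaults
# from the Fabric OS procedures guide before relying on this check.
DEFAULTS = {"password"}
MIN_LEN, MAX_LEN = 8, 40
ALNUM = set(string.ascii_letters + string.digits)


def check_password(value):
    """Return the list of rule violations for one password (empty if it passes)."""
    problems = []
    if not MIN_LEN <= len(value) <= MAX_LEN:
        problems.append("length %d not in %d..%d" % (len(value), MIN_LEN, MAX_LEN))
    if not set(value) <= ALNUM:
        problems.append("contains non-alphanumeric characters")
    if value in DEFAULTS:
        problems.append("equals a factory default")
    return problems


def check_account_passwords(passwords):
    """Map each account to its violations; also flags passwords shared between accounts."""
    report = {}
    for account in ACCOUNTS:
        if account not in passwords:
            report[account] = ["no password supplied"]
            continue
        problems = check_password(passwords[account])
        duplicates = [other for other in ACCOUNTS
                      if other != account and passwords.get(other) == passwords[account]]
        if duplicates:
            problems.append("same password as " + ", ".join(duplicates))
        report[account] = problems
    return report


def all_ok(report):
    """True when no account has any violation."""
    return all(not problems for problems in report.values())


# Constructed sample: one compliant set and one that breaks three rules.
SAMPLE_GOOD = {"user": "Us3rAcc0unt1", "admin": "Adm1nFabric42",
               "factory": "F4ctoryLine9", "root": "R00tSwitch77"}
SAMPLE_BAD = {"user": "password", "admin": "short",
              "factory": "F4ctoryLine9", "root": "F4ctoryLine9"}

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        report = check_account_passwords(sample)
        print(label, "ok" if all_ok(report) else "violations", report)
```

Because the `passwd` command stays disabled until the defaults are replaced, running this check first avoids a rejected entry at the prompt; keep the passwords themselves out of shell history and scripts checked into version control.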
Verifying or Activating the Secure Fabric OS and Zoning Licenses
See the instructions provided under “Verifying or Activating the Secure Fabric OS and Zoning Licenses” on page 25.
Installing the PKICERT Utility
The PKI Certificate Installation utility (named PKICERT Utility) is provided by HP and is used to generate CSRs and install digital certificates on switches. The utility must be installed on a computer workstation.
To install the PKICERT utility on a Sun Solaris workstation, follow the instructions provided in the PKICERT utility ReadMe file.
To install the PKICERT utility on a PC:
1. Obtain the PKICERT utility from HP.
2. Open the utility zip file and click Extract.
3. Specify the desired installation location. The default location is c:\security.
The utility is installed to a subdirectory named nt_pki. For example, c:\security\nt_pki.
4. Review the ReadMe file for current information about the utility.