HP StorageWorks 4/8 - SAN Switch User Manual

576 pages
128 Configuring advanced security features
configured to accept FCAP protocol in authentication. To use FCAP on both switches, PKI certificates have
to be installed.
NOTE: The fabric authentication feature is available in base Fabric OS. No license is required.
You can configure a switch with Fabric OS 5.3.0 or later to use DH-CHAP for device authentication. Use
the authUtil command to configure the authentication parameters used by the switch. When you
configure DH-CHAP authentication, you also must define a pair of shared secrets known to both switches
as a secret key pair. A secret key pair consists of a local secret and a peer secret. The local secret uniquely
identifies the local switch. The peer secret uniquely identifies the entity to which the local switch
authenticates. Every switch can share a secret key pair with any other switch or host in a fabric. Figure 4 on
page 128 illustrates how the secrets are configured.
To use DH-CHAP authentication, a secret key pair has to be configured on both switches. You can use the
command authUtil --set -a <fcap|dhchap> to set the authentication protocol, which can then be
verified using the command authUtil --show CLI.
NOTE: The standards-compliant DH-CHAP and FCAP authentication protocols are not compatible with
the SLAP protocol, which was the only protocol supported in earlier Fabric OS releases 4.2, 4.1, 3.1, and
2.6.x.
Fabric OS 6.2.0 switch-to-switch authentication implementation is fully backward compatible with 3.2.0,
4.2.0, 4.4.0, 5.0.0, 5.1.0, 5.2.0, and 5.3.0.
Use secAuthSecret to set a shared secret on the switch. When configured, the secret key pair is used
for authentication. Authentication occurs whenever there is a state change for the switch or port due to a
switch reboot, a switch or port disable and enable, or the activation of a policy.
Figure 4 DH-CHAP authentication
If you use DH-CHAP authentication, a secret key pair must be installed only in connected fabric elements.
However, as connections are changed, new secret key pairs must be installed between newly connected
elements. Alternatively, a secret key pair for all possible connections may be initially installed, enabling
links to be arbitrarily changed while still maintaining a valid secret key pair for any new connection.
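The following added example (not part of the HP manual) audits an administrator's inventory of secret key pairs against the rule described above: for every connected pair of switches, each side's local secret must be the other side's peer secret. The switch names, secrets, link list and function names are constructed for illustration, and the script works on an offline inventory rather than reading anything from a switch.

```python
import hmac
from itertools import combinations

# Constructed sample inventory: switch -> {peer: (local secret, peer secret)}.
KEY_DB = {
    "switchA": {"switchB": ("secret-of-A-1", "secret-of-B-1")},
    "switchB": {"switchA": ("secret-of-B-1", "secret-of-A-1"),
                "switchC": ("secret-of-B-2", "secret-of-C-2")},
    "switchC": {"switchB": ("secret-of-C-2", "WRONG-secret")},
}
# Constructed list of inter-switch links that are cabled or planned.
LINKS = [("switchA", "switchB"), ("switchB", "switchC"), ("switchA", "switchC")]


def same(a, b):
    """Constant-time comparison so the audit itself does not leak secret contents."""
    return hmac.compare_digest(a.encode(), b.encode())


def audit_links(key_db, links):
    """Return one finding per link whose secret key pair is missing or inconsistent."""
    findings = []
    for a, b in links:
        ab = key_db.get(a, {}).get(b)   # entry for b in a's key database
        ba = key_db.get(b, {}).get(a)   # entry for a in b's key database
        if ab is None or ba is None:
            missing = [s for s, entry in ((a, ab), (b, ba)) if entry is None]
            findings.append((a, b, "no key pair on " + ", ".join(missing)))
        # a's local secret must be b's peer secret, and the reverse.
        elif not (same(ab[0], ba[1]) and same(ab[1], ba[0])):
            findings.append((a, b, "secrets do not mirror each other"))
    return findings


def full_mesh(switches):
    """Every possible connection, for the 'install all pairs up front' option."""
    return list(combinations(sorted(switches), 2))


def missing_for_any_link(key_db):
    """Pairs that would fail authentication if links were arbitrarily changed."""
    return [pair for pair in full_mesh(key_db) if audit_links(key_db, [pair])]


if __name__ == "__main__":
    for finding in audit_links(KEY_DB, LINKS):
        print("link %s <-> %s: %s" % finding)
    print("pairs not ready for re-cabling:", missing_for_any_link(KEY_DB))
```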
The switch authentication (AUTH) policy initiates DH-CHAP/FCAP authentication on all E_Ports. This policy
is persistent across reboots, which means authentication will be initiated automatically on ports or switches
brought online if the policy is set to activate authentication. The AUTH policy is distributed using the
distribute command; automatic distribution of the AUTH policy is not supported.
The default configuration directs the switch to attempt FCAP authentication first, DH-CHAP second. The
switch may be configured to negotiate FCAP, DH-CHAP, or both.
The DH group is used in the DH-CHAP protocol only. The FCAP protocol exchanges the DH group
information, but does not use it.
[Figure 4 DH-CHAP authentication. Key database on Switch A: Local secret A, Peer secret B. Key database on Switch B: Local secret B, Peer secret A.]
