Brocade Fabric OS Administrator's Guide Supporting Fabric OS v6.3.0 (53-1001336-02, November 2009)
134 Fabric OS Administrator’s Guide
53-1001336-02
Authentication policy for fabric elements
7
Authentication policy for fabric elements
By default, Fabric OS v6.1.0 and later use DH-CHAP or FCAP protocols for authentication. These
protocols use shared secrets and digital certificates, based on switch WWN and public key
infrastructure (PKI) technology, to authenticate switches. Authentication automatically defaults to
FCAP if both switches are configured to accept FCAP protocol in authentication. To use FCAP on
both switches, PKI certificates have to be installed.
NOTE
The fabric authentication feature is available in base Fabric OS. No license is required.
You can configure a switch with Fabric OS v6.1.0or later to use DH-CHAP for device authentication.
When you configure DH-CHAP authentication, you also must define a pair of shared secrets known
to both switches as a secret key pair. Figure 11 illustrates how the secrets are configured. A secret
key pair consists of a local secret and a peer secret. The local secret uniquely identifies the local
switch. The peer secret uniquely identifies the entity to which the local switch authenticates. Every
switch can share a secret key pair with any other switch or host in a fabric.
To use DH-CHAP authentication, a secret key pair has to be configured on both switches. For more
information on setting up secret key pairs, refer to “Setting a secret key pair” on page 139.
When configured, the secret key pair is used for authentication. Authentication occurs whenever
there is a state change for the switch or port. The state change can be due to a switch reboot, a
switch or port disable and enable, or the activation of a policy.
FIGURE 11 DH-CHAP authentication
If you use DH-CHAP authentication, then a secret key pair must be installed only in connected
fabric elements. However, as connections are changed, new secret key pairs must be installed
between newly connected elements. Alternatively, a secret key pair for all possible connections
may be initially installed, enabling links to be arbitrarily changed while still maintaining a valid
secret key pair for any new connection.
The switch authentication (AUTH) policy initiates DH-CHAP/FCAP authentication on all E_Ports. This
policy is persistent across reboots, which means authentication will be initiated automatically on
ports or switches brought online if the policy is set to activate authentication. The AUTH policy is
distributed by command; automatic distribution of the AUTH policy is not supported.
The default configuration directs the switch to attempt FCAP authentication first, DH-CHAP second.
The switch may be configured to negotiate FCAP, DH-CHAP, or both.
Switch A
Switch B
Keydatabaseonswitch
Local secret A
Peer secret B
Keydatabaseonswitch
Local secret B
Peer secret A