HP StorageWorks XPath OS 7.4.X Administrator Guide (AA-RVHDD-TE, February 2006)
54 Using the FC-FC Routing Service
XPath OS and Secure Fabric OS
Beginning with XPath OS 7.4.x, the MP Router supports routing between secure fabrics employing HP
Secure Fabric OS and non-secured fabrics through the Diffie-Hellman Challenge-Handshake Authentication Protocol
(DH-CHAP). Secure Fabric OS is an optional, licensed product that provides customizable security
restrictions through local and remote management channels on an HP StorageWorks fabric.
Secure Fabric OS uses digital certificates based on PKI or Diffie-Hellman with DH-CHAP shared secrets to
provide switch-to-switch authentication.
For details about Secure Fabric OS, see the HP StorageWorks Secure Fabric OS administrator guide.
To determine whether an EX_Port is connected to a Secure Fabric OS fabric, issue the portShow or
portCfgExPort command, as described in the HP StorageWorks XPath OS 7.4.x command reference
guide.
Configuring a secure XPath OS DH-CHAP secret
While Secure Fabric OS supports the SLAP, FCAP, and DH-CHAP authentication protocols to communicate
with each switch, XPath OS 7.4.x supports only DH-CHAP.
The MP Router does not initiate DH-CHAP authentication requests; it responds to DH-CHAP requests only
from the edge switch to which it is connected—in this case, the Secure Fabric OS switch.
DH-CHAP is set on the Fabric OS side of the configuration, rather than the XPath OS side. As soon as you
connect the MP Router to a Secure Fabric OS switch, DH-CHAP authentication is initiated.
The DH-CHAP secrets are configured both on the Secure Fabric OS switch and the MP Router. Each entry
specifies the WWN of the peer to which it is connected. For example, on the MP Router, specify the
WWN of the Secure Fabric OS switch and the secrets. On the Secure Fabric OS switch, specify the WWN
of the front domain (EX_Port) and the secrets.
If a Switch Connection Controls (SCC) policy is defined, the WWN of the front domain (EX_Port) that is
connected to the Secure Fabric OS switch should be present in the SCC list. See the HP StorageWorks
Secure Fabric OS user guide for details about the SCC and other Secure Fabric OS features.
Configuring a DH-CHAP secret word on the MP Router
When configuring the DH-CHAP secret on the MP Router, you must know the WWN for the Fabric OS
switch to set as the peer entry. To find out the WWN of this switch, log in to the switch as admin and issue
the switchShow command. For example:
switch:admin> switchshow
switchName: fcr_mojo_14
switchType: 16.2
switchState: Online
switchMode: Native
switchRole: Principal
switchDomain: 99
switchId: fffc63
switchWwn: 10:00:00:60:69:80:05:14
switchBeacon: OFF
Zoning: ON (cfg1)
port 0: id N2 No_Light
port 1: -- N2 No_Module
port 2: -- N2 No_Module
port 3: -- N2 No_Module
port 4: -- N2 No_Module
port 5: id N2 No_Light
port 6: -- N2 No_Module
port 7: -- N2 No_Module
value = 8 = 0x8
switch:admin>
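
The following Python check is an added example, not part of the HP guide or of XPath OS. It reads captured switchShow output in the format shown above, extracts switchWwn, and verifies a planned DH-CHAP peer configuration against the rules in this section: the MP Router entry names the switch WWN, the switch entry names the front domain (EX_Port) WWN, and that WWN is in the SCC policy if one is defined. The function names and the sample text are constructed for illustration; the front domain WWN is supplied by the administrator.

```python
import re

# Constructed sample: trimmed switchShow output in the format shown above.
SAMPLE_SWITCHSHOW = """\
switchName: fcr_mojo_14
switchState: Online
switchDomain: 99
switchWwn: 10:00:00:60:69:80:05:14
Zoning: ON (cfg1)
"""

WWN_RE = re.compile(r"^(?:[0-9a-f]{2}:){7}[0-9a-f]{2}$")


def normalize_wwn(text):
    """Return a lower-case colon-separated WWN, or raise ValueError."""
    wwn = text.strip().lower()
    if not WWN_RE.match(wwn):
        raise ValueError(f"not a valid 8-byte WWN: {text!r}")
    return wwn


def switch_wwn(switchshow_output):
    """Extract the switchWwn field from captured switchShow output."""
    for line in switchshow_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "switchwwn":
            return normalize_wwn(value)
    raise ValueError("switchWwn field not found")


def check_plan(switchshow_output, router_peer, switch_peer, front_wwn, scc=None):
    """Return a list of problems in a planned DH-CHAP peer configuration.

    router_peer: WWN entered as the peer on the MP Router
    switch_peer: WWN entered as the peer on the Secure Fabric OS switch
    front_wwn:   WWN of the front domain (EX_Port)
    scc:         SCC policy member WWNs, or None if no SCC policy is defined
    """
    problems = []
    sw = switch_wwn(switchshow_output)
    front = normalize_wwn(front_wwn)
    if normalize_wwn(router_peer) != sw:
        problems.append("MP Router peer entry is not the switch WWN")
    if normalize_wwn(switch_peer) != front:
        problems.append("switch peer entry is not the front domain WWN")
    if scc is not None and front not in {normalize_wwn(w) for w in scc}:
        problems.append("front domain WWN missing from SCC policy")
    return problems
```

An empty list means the plan is consistent with the three rules; a malformed WWN in any argument raises ValueError before anything is compared.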