144 Fabric OS Administrator’s Guide
53-1001763-02
Authentication policy for fabric elements
7

Authentication policy for fabric elements

By default, Fabric OS v6.2.0 and later use DH-CHAP or FCAP protocols for authentication. These
protocols use shared secrets and digital certificates, based on switch WWN and public key
infrastructure (PKI) technology, to authenticate switches. Authentication automatically defaults to
FCAP if both switches are configured to accept FCAP protocol in authentication. To use FCAP on
both switches, PKI certificates have to be installed.
NOTE
The fabric authentication feature is available in base Fabric OS. No license is required.
FCAP requires the exchange of certificates between two or more switches to authenticate to each
other before they form or join a fabric. By default, these certificates are issued by Brocade, and
therefore Brocade is the root CA for all of the issued certificates. You can change the default by
getting your certificates from a third-party vendor. You can use Brocade certificates between the
switches that are Fabric OS v6.4.0 and pre-v6.4.0. The certificates must be in PEM (Privacy
Enhanced Mail) encoded format for both root and peer certificates. The switch certificates issued
from the third-party vendors can be directly issued from the root CA or from an intermediate CA
authority.
You can configure a switch with Fabric OS v6.2.0 or later to use DH-CHAP for device authentication.
When you configure DH-CHAP authentication, you also must define a pair of shared secrets known
to both switches as a secret key pair. Figure 16 illustrates how the secrets are configured. A secret
key pair consists of a local secret and a peer secret. The local secret uniquely identifies the local
switch. The peer secret uniquely identifies the entity to which the local switch authenticates. Every
switch can share a secret key pair with any other switch or host in a fabric.
To use DH-CHAP authentication, a secret key pair has to be configured on both switches. For more
information on setting up secret key pairs, refer to “Setting a secret key pair” on page 149.
When configured, the secret key pair is used for authentication. Authentication occurs whenever
there is a state change for the switch or port. The state change can be due to a switch reboot, a
switch or port disable and enable, or the activation of a policy.
FIGURE 16 DH-CHAP authentication
If you use DH-CHAP authentication, then a secret key pair must be installed only in connected
fabric elements. However, as connections are changed, new secret key pairs must be installed
between newly connected elements. Alternatively, a secret key pair for all possible connections
may be initially installed, enabling links to be arbitrarily changed while still maintaining a valid
secret key pair for any new connection.

Switch A Switch B

Key database on switch

Local secret A

Peer secret B

Key database on switch

Local secret B

Peer secret A