Securing a Fabric, Connection Security | Q-Logic 5600 specs

A

3 – Managing Fabrics Securing a Fabric

3.2

Securing a Fabric

Fabric security consists of the following:

Connection Security

User Account Security

Security Consistency Checklist

Device Security

Fabric Services

3.2.1

Connection Security

Connection security provides an encrypted data path for switch management methods. The switch supports the Secure Shell (SSH) protocol for the command line interface and the Secure Socket Layer (SSL) protocol for management applications such as SANsurfer Switch Manager and Common Information Module (CIM).

The SSL handshake process between the workstation and the switch involves the exchanging of certificates. These certificates contain the public and private keys that define the encryption. The switch certificate is valid for one year beginning with its creation date and time. The workstation validates the switch certificate by comparing the workstation date and time to the switch certificate creation date and time. For this reason, it is important to snychronize the workstation and switch with the same date, time, and time zone. If a certificate has not been created by the user, the switch will automatically create one.

Consider your requirements for connection security: for the command line interface (SSH), management applications such as SANsurfer Switch Manager (SSL), or both. If SSL connection security is required, also consider using the Network Time Protocol (NTP) to synchronize workstations and switches.

59097-02 B

3-7

Image 53

Q-Logic 5600 manual Securing a Fabric, Connection Security, Fabric security consists of the following

Contents

SANbox 5600 Series Switch Managment User’s Guide Document Revision History SANbox 5600 Series Switch Management User’s Guide Table of Contents Section Managing Fabrics SANbox 5600 Series Switch Management User’s Guide Section Managing Switches SANbox 5600 Series Switch Management User’s Guide Section Managing Ports Appendix a Command Line Interface Glossary Index List of Figures List of Tables SANbox 5600 Series Switch Management User’s Guide Jdom License Intended AudienceRelated Materials Introduction Jdom License Training Technical SupportAvailability Support Headquarters Contact Information Using SANsurfer Switch Manager Workstation Requirements Installing the Management ApplicationWorkstation Requirements SANsurfer Switch Manager SANsurfer Management Suite SMS Installation for Windows Chglax.bat SMS Installation for Linux SMS Installation for Solaris Locate and execute the file sbmoversms.sh Install the new SANsurfer Switch Manager packageChange directories to the package location ‰ For Linux or Solaris enter the SANsurfer command Starting SANsurfer Switch Manager Initial Startup Dialog SANsurfer Switch Manager Window Save Default Fabric View File Dialog Exiting SANsurfer Switch Manager Load Default Fabric File Dialog Uninstalling SANsurfer Switch Manager Standalone Uninstall SMS Uninstall Saving and Opening Fabric View Files Changing the Encryption Key for the Default Fabric View File Setting SANsurfer Switch Manager Preferences Viewing Software Version and Copyright Information Using Online Help Faceplate Display SANsurfer Switch Manager User Interface Topology Display Menu Menu Bars Shortcut Keys Faceplate Display Menu Tool Bar Buttons Tool Bar Fabric Tree Fabric Tree Data Window and Tabs Working Status IndicatorGraphic Window Switch and Link Status Using the Topology Display Arranging Switches in the Display Working with Switches and LinksSelecting Switches and Links Topology Data Windows Opening the Faceplate and Topology Display Popup Menus 11. Faceplate Display Using the Faceplate Display Selecting Ports Port Views and StatusWorking with Ports Faceplate Data Windows Opening the Faceplate Popup MenuPage Radius Servers Managing Fabrics Add Server Adding a Radius Server Managing Fabrics Radius Servers Remove Server Removing a Radius Server Edit Server Information Editing Radius Server Information Modify Authentication Order Radius Server Information Modifying Authentication Order Radius Server Information Fabric security consists of the following Securing a FabricConnection Security User Account Security Security Consistency Checklist Device Security Edit Security Dialog Edit Security Dialog Creating a Security Set Creating a Security Group Create Security Group Dialog Create a Security Group Member Dialog Create Security Group Member Dialog Managing Fabrics Securing a Fabric Creating a Security Group Member Editing the Security Configuration on a Switch Viewing Properties of a Security Set, Group, or Member Using the Security Config Dialog Deactivating a Security Set Archiving a Security Configuration to a FileActivating a Security Set Active Security Data Window Configured Security Data WindowFabric Services Click the In-band Management Enable button Enabling Snmp ConfigurationEnabling In-band Management Tracking Fabric Firmware and Software Versions Viewing and Comparing Version Snapshots Saving a Version Snapshot Fabric Version Snapshot Analysis Dialog Exporting Version Snapshots to a File Adding a Fabric Managing the Fabric Database Opening a Fabric View File Removing a Fabric Rediscovering a Fabric Deleting Switches and LinksSaving a Fabric View File Adding a New Switch to a Fabric Replacing a Failed Switch Displaying Fabric Information Fabric Status Topology Display Switch and Status Icons 11. Events Browser Displaying the Event Browser Editor or browser Discarded when you close a SANsurfer Switch Manager sessionSeverity Levels 12. Filter Events Dialog Filtering the Event Browser Saving the Event Browser to a File Sorting the Event Browser Devices Data Window Entries Devices Data Window 13. Active Zone Set Data Window Active Zone Set Data Window Displaying Detailed Device Information Link Data WindowWorking with Device Information and Nicknames Creating a Nickname Exporting Device Information to a FileManaging Device Port Nicknames Exporting Nicknames to a File Editing a NicknameDeleting a Nickname Zoning Concepts Importing a Nicknames FileZoning a Fabric Soft Zones Zones Zone Sets Access Control List Hard ZonesAliases Viewing Zoning Limits and Properties Zoning Database Using the Zoning Wizard Managing the zoning database consists of the following Managing the Zoning DatabaseEditing the Zoning Database Edit Zoning Dialog Tool Bar Buttons and Icons Edit Zoning Dialog Tool Bar Buttons and Icons Interop Auto Save Configuring the Zoning Database Discard Inactive Default VisibilitySaving the Zoning Database to a File Restoring the Zoning Database from a File Removing All Zoning Definitions Restoring the Default Zoning Database Creating a Zone Set Managing Zone Sets Removing a Zone from a Zone Set or from All Zone Sets Activating and Deactivating a Zone SetCopying a Zone to a Zone Set Managing zones involves the following Removing a Zone SetManaging Zones Creating a Zone in a Zone Set Adding Zone Members Removing a Zone Member Renaming a Zone or a Zone SetRemoving a Zone from a Zone Set Removing a Zone from All Zone Sets Creating an Alias Changing Zone TypesManaging Aliases Removing an Alias from All Zones Adding a Member to an Alias Zone Merge Failure Merging Fabrics and Zoning Zone Merge Failure Recovery Managing Fabrics Zoning a Fabric 59097-02 B Managing Switches Factory User Accounts Managing User Accounts Creating User Accounts User Account Administration Dialog Add Account Removing a User Account User Account Administration Dialog Remove Account User Account Administration Dialog Change Password Changing a User Account Password Modifying a User Account User Account Administration Dialog Modify Account Faceplate Display Switch Information Displaying Switch Information Switch Data Window Entries Switch Data Window Ratov Switch Data Window Entries Ing Detailed Device Information on page 3-36for infor Port Information Data Window Port Statistics Data Window Configured Zonesets Data Window Configured Zonesets Data Windows Port Threshold Alarm Configuration Dialog Configuring Port Threshold Alarms Port Threshold Alarm Example Paging a Switch Resetting a Switch Setting the Date/Time and Enabling NTP Client Type Description Switch Resets Using the Configuration Wizard Configuring a Switch Symbolic Name Switch Properties Switch Administrative States Switch Administrative States Domain ID and Domain ID Lock Fabric Device Management Interface In-band Management Broadcast Support 10. Advanced Switch Properties Dialog Advanced Switch Properties Legacy Port Address Format Interop Mode for Zoning Timeout Values Timeout Values 11. System Services Dialog System Services Dialog Security Consistency Checklist Dialog 12. Network Properties Dialog Network Properties IP Configuration Parameters IP Configuration NTP Client Remote Logging 13. Snmp Properties Dialog Snmp Properties Snmp Configuration Parameters Snmp Configuration Snmp Trap Configuration Parameters Snmp Trap Configuration 14. Switch Stacks Managing Switch Stacks 15. Syslog Dialog Syslog Select Source Dialog Archiving a Switch 16. Restore Dialogs Full and Selective Restoring a Switch Managing Switches Restoring a Switch Factory Default Configuration Settings Restoring the Factory Default Configuration Factory Default Configuration Settings Downloading a Support File Upgrading the Switch Using License Keys 17. Features License Key Dialog Installing Firmware 19. Hardware Status LEDs Displaying Hardware Status Managing Switches Displaying Hardware Status 59097-02 B Displaying Port Information Managing Ports Port Types Monitoring Port StatusDisplaying Port Types Displaying Port Speeds Displaying Port Operational StatesPort Operational States Port Speeds Port Transceiver Media View Displaying Transceiver Media Status Port Statistics Data Window Entries LIP ALPD,ALPS Port Statistics Data Window Entries Port Information Data Window Entries Port Information Data Window Entries Port Properties Dialog Configuring Ports Port Administrative States Changing Port Administrative States Changing Port Speeds Changing Port Types Device Scan Changing Port Symbolic NameStream Guard Using the Extended Credits Wizard Designate Donor Ports Resetting a Port Port Loopback Test Dialog Testing Ports Managing Ports Testing Ports Fabric View Graphs Graphing Port Performance Starting SANsurfer Performance Viewer This section describes how to do the following Exiting SANsurfer Performance Viewer Save Default Performance View File Dialog Saving and Opening Performance View Files Load Default View File Dialog Setting SANsurfer Performance Viewer Preferences Changing the Default Performance View File Encryption Key Displaying Graphs for a Switch Setting the Polling Frequency Arranging Graphs in the Display Displaying Graphs for a Stack Customizing Graphs Default Graph Options Dialog Managing Ports Graphing Port Performance Rescaling a Selected Graph Setting Global Graph TypePrinting Graphs Saving Graph Statistics to a File Logging On to a Switch Command Line Interface User Accounts Working with Switch Configurations Modifying a Configuration Backing up and Restoring Switch Configurations Ftp ipaddress userimages password images ftp bin Table A-1. Command-Line Completion Commands Admin Session Commands Table A-2. Commands Listed by Authority Level Authority Admin CommandSyntax Keywords Syntax alias Alias CommandKeywords add alias memberlist Copy aliassource aliasdestination List Delete aliasMembers alias Remove alias memberlist CIM Command Following is an example of the CIM Limits command Table A-3. CIM Listener Configuration Parameters CIMListener Command URL Edit listenername Table A-4. CIM Subscription Configuration Parameters CIMSubscription CommandSyntax cimsubscription Keywords create subscriptionname Edit subscriptionname Keywords activate configname Config CommandSyntax config Save configname Edit confignameRestore #ftp symbolicname or ipaddress user images Syntax create certificate support Create CommandKeywords certificate Support Local directory now /itasca/conf/images bin SANbox xxxx admin # create support Following is an example of the Create Certificate command Keywords MMDDhhmmCCYY Date CommandSyntax date Syntax feature Feature CommandKeywords add licensekey Log Syntax firmware install Firmware Install CommandAuthority Admin Syntax group Group Command Table A-5. ISL Group Member Attributes Keywords add group Table A-6. Port Group Member Attributes Table A-7. MS Group Member Attributes Configures security for attachments to other switchesCopy groupsource groupdestination Create group type Table A-8. Group Member Attributes Edit group member Remove group memberlist Members groupRename groupold groupnew Securitysets group ISL Following is an example of the Group Edit command Following is an example of the Group Members command Following is an example of the Group List command Syntax Hardreset Command Help command keyword Help CommandCommand Keyword History History CommandFollowing is an example of the History command Hotreset Hotreset Command Syntax image Image CommandKeywords cleanup Ftp Ftp switchname Wait for the unpack to complete Admin session Lip CommandFollowing is an example of the Lip command Lip portnumber Syntax passwd accountname Keywords accountname Passwd Command Following is an example of a successful Ping command Ping CommandPing ipaddress Ipaddress Examples The following is an example of the Ps command Ps CommandAuthority None Syntax ps Displays current system process information Authority None Quit CommandCloses the Telnet session Syntax quit, exit, or logout Syntax reset Reset CommandKeywords config configname Factory Switch ServicesRadius Security Values Table A-9. Switch Configuration Defaults Parameter 4-Gbps Port Defaults Table A-10. Port Configuration Defaults Table A-11. Port Threshold Alarm Configuration Defaults Table A-13. Snmp Configuration Defaults Table A-12. Zoning Configuration Defaults Table A-15. Services Configuration Defaults Table A-14. Radius Configuration Defaults Table A-17. Security Configuration Defaults Table A-16. System Configuration Defaults Keywords active Security Command Edit MD5 Following is an example of the Security History command Following is an example of the Security List command Following is an example of the Security Limits command Securityset Command Deactivate Create securitysetDelete securityset Groups securityset Following is an example of the Securityset List command Following is an example of the Securityset Groups command Keywords alarm option Set CommandConfig option Syntax set Switch state Setup optionLog option Pagebreak state Timezone Set config Set Config CommandTable A-18. Set Config Port Parameters Port portnumber Send Arbff True instead of IDLEs False on the loop Table A-18. Set Config Port Parameters Table A-20. Set Config Switch Parameters Table A-19. Security Configuration Parameters Resource Allocation Timeout Value. The number Threshold Table A-21. Set Config Threshold Parameters Table A-22. Set Config Zoning Parameters Arbff Following is an example of the Set Config Port command Enter key to do so Configuring Port Number AdminState Following is an example of the Set Config Switch command Following is an example of the Set Config Security command Following is an example of the Set Config Threshold command Following is an example of the Set Config Zoning command Set log Set Log CommandArchive Component filterlist Display filter Port portlist Level filter Start Alarms are always logged and always displayed on the screenStop Stops logging of events Set Port Command State state Disables the port by removing power from the port lasers Set setup Set Setup CommandRadius Services Snmp System Configuration fields Table A-23. Radius Service Settings Table A-24. Switch Services Settings Table A-24. Switch Services Settings Table A-25. Snmp Configuration Settings Table A-26. System Configuration Settings Table A-26. System Configuration Settings Following is an example of the Set Setup Services command Following is an example of the Set Setup Snmp command Following is an example of the Set Setup System command Keywords about Show Command Cimsubscription subscriptionname Alarm optionCimlistener listenername Interface Fdmi portwwnLog option Lsdb Table A-27. Show Port Parameters PagebreakPerf option Lipalpdalps Steering domainid Post log Table A-28. Switch Operational Parameters Topology Displays the current time zone settingDisplays all connected devices Users Following is an example of the Show Fdmi command Following is an example of the Show Domains commandFollowing is an example of the Show Fabric command Following is an example of the Show NS local domain command Following is an example of the Show Fdmi WWN command Following is an example of the Show Interface command Following is an example of the Show NS domainID commandFollowing is an example of the Show NS portID command PL-XPL-VC-SG3-22 Following is an example of the Show Port command Following is an example of the Show Topology command Following is an example of the Show Switch command 59097-02 B 105 Following is an example of the Show Version command Show config Show Config Command Following is an example of the Show Config Port command Following is an example of the Show Config Switch command Following is an example of the Show Config Zoning command Following is an example of the Show Config Threshold command None Show Log CommandShow log Keywords numberofevents Displays all informative events Displays all warning events Snmp eventsDisplays all critical events Displays all events related to EPorts Level SettingsOptions Port Following is an example of the Show Log command Show Perf Command Outframe portnumber Errors portnumber Following is an example of the Show Perf Byte command Mfg Show Setup CommandShow setup Following is an example of the Show Setup Radius command Following is an example of the Show Setup Services command Following is an example of the Show Setup Snmp command Following is an example of the Show Setup System command Syntax shutdown Shutdown Command Port portnumber testtype cancel Status Test CommandSyntax test Keywords port portnumber testtype Status Cancels the online test in progress Test port x online Authority None Syntax uptime Uptime CommandExamples The following is an example of the Uptime command Syntax user User CommandKeywords accounts Add Following is an example of the User Edit command Following is an example of the User Accounts commandFollowing is an example of the User Add command Following is an example of the User List command Following is an example of the User Delete command Authority None Syntax whoami Whoami CommandExamples The following is an example of the Whoami command Syntax zone Zone CommandKeywords add zone memberlist Copy zonesource zonedestination Members zone Delete zoneRemove zone memberlist Rename zoneold zonenew Following is an example of the Zone Members command Following is an example of the Zone Zonesets command Syntax zoneset Zoneset Command Remove zoneset zonelist Delete zonesetRename zonesetold zonesetnew Zones zoneset Following is an example of the Zoneset Zones command Opens a Zoning Edit session Zoning Command Limit Description Table A-29. Zoning Database Limits E2JBOD2 Following is an example of the Zoning Limits command Following is an example of the Zoning List command Command Line Interface Zoning Command 142 59097-02 B Administrative State Access Control List ZoneAlarm BootP Configured Zone Sets Class 3 ServiceDefault Visibility Fabric Management Switch Inter-Switch Link Input Power LEDMaintenance Button Maintenance Mode Soft Zone Small Form-Factor Pluggable Zoning DatabaseTarget User Account Index Index-2 59097-02 B 59097-02 B Index-3 Index-4 59097-02 B 59097-02 B Index-5 Index-6 59097-02 B 59097-02 B Index-7 Index-8 59097-02 B 59097-02 B Index-9 Index-10 59097-02 B