HP StorageWorks Fabric OS 5.3.x administrator guide (5697-0244, November 2009)

124 Configuring advanced security
Distributing an FCS policy
The FCS policy has to be manually distributed to the switches. Each switch that receives the FCS policy must
be configured to receive the policy. To configure the switch to accept distribution of the FCS policy, refer to
“Configuring the database distribution settings” on page 123.
Each switch in the fabric is designated as a Primary FCS, backup FCS, or non-FCS switch. Database
distributions may be initiated from only the Primary FCS switch. FCS policy configuration and management
is performed using the command line or a manageability interface.
Only the Primary FCS switch is allowed to distribute the database. The FCS policy needs to be manually
distributed across the fabric using the distribute -p command; automatic distribution is not
supported. Because this policy is distributed manually, the fddcfg --fabwideset command, which is used to
distribute a fabric-wide consistency policy, is not supported for the FCS policy.
FCS enforcement for the distribute command is handled differently for FCS and other databases in an FCS
fabric:
• For an FCS database, the enforcement allows any backup FCS switch to initiate the distribution. This is
  to support FCS policy creation specifying a remote switch as Primary.
• For other database distributions, only the Primary FCS switch can initiate the distribution.
FCS enforcement also occurs at the receiving switch: before accepting a distribution, the switch verifies that it is
coming from the Primary FCS switch. Distribution is accepted only if it is coming from
a Primary FCS switch. Distribution of FCS policy can still be accepted from a backup FCS switch if the
Primary is not reachable or from a non-FCS switch if the Primary FCS and none of the backup FCS switches
are reachable. To learn more about how to distribute policies, refer to “Distributing ACL policies to other
switches” on page 124.
NOTE: FCS policy distribution is allowed from a switch in the FCS list. However, if
none of the FCS switches in the existing FCS list are reachable, receiving switches will accept distribution
from any switch in the fabric.
Local switch configuration parameters are needed to control whether a switch accepts or rejects
distributions of FCS policy and whether the switch is allowed to initiate distribution of an FCS policy. A
configuration parameter controls whether the distribution of the policy is accepted or rejected on the local
switch. Setting the configuration parameter to accept indicates distribution of the policy will be accepted
and distribution may be initiated using the distribute -p command. Setting the configuration
parameter to reject indicates the policy distribution is rejected and the switch may not distribute the policy.
The default value for the distribution configuration parameter is accept, which means the switch accepts all
database distributions and is able to initiate a distribute operation for all databases.
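The acceptance rules above, written out as a small decision model so that the fallback cases can be enumerated when reviewing a fabric's exposure. This is an added example, not code from the guide or from Fabric OS; the function names, the Role enum and the "FCS"/"other" database labels are assumptions made for the sketch, and ordering among multiple backup FCS switches is not modelled.

```python
from enum import Enum
from itertools import product

class Role(Enum):
    PRIMARY = "primary"
    BACKUP = "backup"
    NON_FCS = "non-fcs"

def receive_decision(sender, database, local_setting="accept",
                     primary_reachable=True, backup_reachable=True):
    """Model of the receiving switch's check. Returns (accepted, reason).

    database is "FCS" or "other" (labels constructed for this sketch).
    """
    if local_setting == "reject":
        return False, "local parameter is reject: transaction aborted"
    if sender is Role.PRIMARY:
        return True, "sender is the Primary FCS switch"
    if database != "FCS":
        return False, "other databases are accepted only from the Primary"
    if sender is Role.BACKUP and not primary_reachable:
        return True, "Primary unreachable: backup FCS accepted"
    if (sender is Role.NON_FCS and not primary_reachable
            and not backup_reachable):
        return True, "no FCS switch reachable: any switch accepted"
    return False, "an FCS switch with precedence is reachable"

def accepted_without_primary():
    """Every consistent state in which a non-Primary sender is accepted."""
    hits = []
    for sender, db, p_up, b_up in product(
            (Role.BACKUP, Role.NON_FCS), ("FCS", "other"),
            (True, False), (True, False)):
        if sender is Role.BACKUP and not b_up:
            continue  # a sending backup is by definition reachable
        if receive_decision(sender, db, "accept", p_up, b_up)[0]:
            hits.append((sender.value, db, p_up, b_up))
    return hits

if __name__ == "__main__":
    for row in accepted_without_primary():
        print(row)
```

The two rows it lists are the states worth monitoring: an FCS policy accepted from a backup while the Primary is unreachable, and from any switch while no FCS switch is reachable.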
Table 33 Distribution policy states
Fabric OS                         State
5.3.0 configured to accept        Target switch accepts distribution and fabric state change occurs.
5.3.0 configured to reject        Target switch explicitly rejects the distribution and the operation fails.
                                  The entire transaction is aborted and no fabric state change occurs.
5.2.0 switch (not configured as   Target switch receives distribution but ignores FCS policy database.
it does not support this)
Pre-5.2.0                         No distribution is initiated as pre-5.2.0 versions do not support this operation.