HP StorageWorks Fabric OS 6.x administrator guide (5697-0015, May 2009)

112 Configuring advanced security features
Device authentication policy
Device authentication policy can also be categorized as an HBA authentication policy. Fabric wide
distribution of the device authentication policy is not supported since the device authentication requires
manual interaction in setting the HBA shared secrets and switch shared secrets, and most of the HBAs do
not support the defined DH groups for use in the DH-CHAP protocol.
By default the switch will be in OFF state, which means the switch will clear the security bit in the FLOGI
(fabric login). The authutil command provides an option to change the device policy mode to select
PASSIVE policy, which means switch responds to authentication from any device and does not initiates
authentication to devices.
$authutil --policy -dev <off|passive>
The following lists available policy modes and properties.
OFF (Default): Authentication is not required. Even if device sends FLOGI with security bit set, switch
accepts the FLOGI with security bit OFF. In this case, switch assumes no further authentication requests from
device.
PASSIVE: Authentication is optional. If the attached device is capable of doing the authentication then the
switch participates in authentication; otherwise it will form an F_Port without authentication.
In PASSIVE mode, an F_Port will be disabled if the HBA shared secret does not match with the secret
installed on the switch. If the secret provided by the switch does not match the secrets installed on the HBA
then the HBA will disable the port on its side. On any authentication handshaking rejection, the switch will
disable the F_Port with reason “Authentication rejected”.
Since the F_Port authentication requires DH-CHAP protocol, selecting the PASSIVE mode will be blocked if
only FCAP protocol is selected as the authentication protocol. Similarly de-selecting the DH-CHAP protocol
from the authentication protocol list will be blocked if the device authentication is set to PASSIVE.
Auth policy restrictions
Fabric OS 5.1.0 implementation of DH-CHAP/FCAP does not support integration with RADIUS. All fabric
element authentication configurations are performed on a local switch basis.
Device authentication policy supports devices that are connected to the switch in point-to-point manner and
is visible to the entire fabric. The following are not supported:
Public loop devices
Single private devices
Private loop devices
Mixed public and private devices in loop
NPIV devices
FICON channels
Configupload/download will not be supported for the following AUTH attributes: auth type, hash
type, group type.
Supported configurations
The following HBAs support authentication:
Emulex LP11000 (Tested with Storport Miniport 2.0 windows driver)
Qlogic QLA2300 (Tested with Solaris 5.04 driver)