HP StorageWorks Fabric OS 5.X Procedures User Guide (AA-RVHWB-TE, September 2005)

Configuring standard security features

Changing the order in which RADIUS servers are contacted for service
1. Connect to the switch and log in as admin.
2. Issue the following command:
switch:admin> aaaConfig --move server to_position
When the command succeeds, the event log indicates that a server configuration is changed.

Enabling and disabling local authentication
It is useful to enable local authentication so that the switch can take over authentication locally if the
RADIUS servers fail to respond because of power outage or network problems. To enable or disable local
authentication, issue the following command:
switch:admin> aaaConfig --switchdb on | off
Specifying on enables local authentication; specifying off disables it.
When local authentication is enabled and RADIUS servers fail to respond, you can log in to the default
switch accounts (admin and user) or any user-defined account. You must know the passwords of these
accounts.
RADIUS authentication must already be enabled when you turn local database authentication off from the
on state; otherwise, the command returns an error.
Because enabling or disabling RADIUS authentication might also enable or disable local database
authentication, set local database authentication explicitly to enabled or disabled after you set the
desired RADIUS authentication configuration.
When the command succeeds, the event log indicates that local database authentication is disabled
or enabled.
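
The following Python model is an added illustration, not Fabric OS code or output from this guide. It shows how the server order set with --move, the per-server timeout, and the --switchdb setting decide who authenticates a login during a RADIUS outage. The server names, account, password, 1-based positions, and the treatment of a RADIUS reject as final are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class AaaConfig:
    radius: bool = False      # RADIUS authentication enabled?
    switchdb: bool = True     # local database authentication enabled?
    servers: list = field(default_factory=list)   # contacted in list order

    def move(self, server, to_position):
        """Model of: aaaConfig --move server to_position (1-based: assumption)."""
        if server not in self.servers or not 1 <= to_position <= len(self.servers):
            raise ValueError("unknown server or position out of range")
        self.servers.remove(server)
        self.servers.insert(to_position - 1, server)

    def set_switchdb(self, on):
        """Model of: aaaConfig --switchdb on | off."""
        if self.switchdb and not on and not self.radius:
            # Rule from the guide: on -> off is an error unless RADIUS is enabled.
            raise ValueError("enable RADIUS before disabling local authentication")
        self.switchdb = on

def login(cfg, user, password, radius_reply, local_db):
    """Return (decided_by, accepted) for one login attempt.

    radius_reply maps server -> "accept", "reject", or None (no response
    within the timeout). Treating a reject as final is an assumption.
    """
    if cfg.radius:
        for server in cfg.servers:        # next server is tried only after a timeout
            reply = radius_reply.get(server)
            if reply is not None:
                return (server, reply == "accept")
    if not cfg.switchdb:
        return ("none", False)            # nothing answered and no local fallback
    return ("switchdb", local_db.get(user) == password)

# Constructed sample data: server names, account and password are made up.
LOCAL_DB = {"admin": "example-password"}
OUTAGE = {"radius-a": None, "radius-b": None}     # both servers unreachable

def admin_login_during_outage(switchdb_on):
    cfg = AaaConfig(radius=True, switchdb=True, servers=["radius-a", "radius-b"])
    cfg.set_switchdb(switchdb_on)
    return login(cfg, "admin", "example-password", OUTAGE, LOCAL_DB)

if __name__ == "__main__":
    print(admin_login_during_outage(True))    # local database decides
    print(admin_login_during_outage(False))   # locked out until RADIUS returns
```

With local authentication off, an outage of every RADIUS server leaves no account that can log in, which is the reason to set --switchdb explicitly after any RADIUS change.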

Configuring for the SSL protocol
Fabric OS 4.4.0 and later support the SSL protocol, which provides secure access to a fabric through
Web-based management tools like Advanced Web Tools. SSL support is a standard Fabric OS feature; it
is independent of Secure Fabric OS, which requires a license and separate certification.
Switches configured for SSL grant access to management tools through hypertext transfer protocol-secure
links (which begin with https://) instead of standard links (which begin with http://).
SSL uses public key infrastructure (PKI) encryption to protect data transferred over SSL connections. PKI is
based on digital certificates obtained from an Internet Certificate Authority (CA), which acts as the trusted
key agent.
Certificates are based on the switch IP address or fully-qualified domain name (FQDN), depending on the
issuing CA. If you change a switch IP address or FQDN after activating an associated certificate, you
might have to obtain and install a new certificate. Check with the CA to verify this possibility, and plan
these types of changes accordingly.

-p port        Is an optional argument; enter a server port.
-s secret      Is an optional argument; enter a shared secret.
-t timeout     Is an optional argument; enter the length of time (in seconds) the server has to respond before the next server is contacted.
-a[pap|chap]   Specifies PAP or CHAP as authentication protocol.

where, for aaaConfig --move server to_position:
server         Is a list of servers by either name or IP address. Enter either the name or IP address of the server whose position is to be changed.
to_position    Is the position number to which the server is to be moved.