Brocade Network OS Administrator’s Guide v4.1.1 – Configuring Fabric Authentication (Fabric authentication overview, DH-CHAP, Shared secret keys)

Configuring Fabric Authentication
Fabric authentication overview
When you connect a Brocade VCS Fabric to a Fabric OS fabric, the Network OS Fibre Channel E_Ports on the Brocade VDX 6730 connect through Inter-Switch Links (ISLs) to EX_Ports on an FC router, which in turn connects to the Fabric OS network as shown in Figure 199.
To ensure that no unauthorized devices can access the fabric, Network OS provides support for
security policies and protocols capable of authenticating Network OS (E_Ports) to the EX_Ports on the
FC router (FCR) that provides access to the SAN storage and services.
DH-CHAP
Network OS uses the Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP) to control access between devices. DH-CHAP is a password-based, key-exchange authentication protocol that negotiates the hash algorithm and the Diffie-Hellman (DH) group before performing authentication. It supports both MD5- and SHA-1-based authentication.
The Fibre Channel Security Protocol (FC-SP) defines the DH groups supported in the DH-CHAP
protocol. Following current FC-SP standards, Network OS supports the following DH groups:
• 00 - DH Null option
• 01 - 1024-bit key
• 02 - 1280-bit key
• 03 - 1536-bit key
• 04 - 2048-bit key
To configure DH-CHAP authentication between Network OS switches (E_Ports) and FC routers (EX_Ports), you must apply a matching configuration to both sides of the connection. Each device must be configured locally.
NOTE
The Brocade VDX 6730-32 and VDX 6730-76 are the only platforms that can connect to an FC router
providing access to a SAN network of Fabric OS switches.
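The following Python model, added here as an illustration and not part of the Brocade guide or of Network OS itself, walks through the DH-CHAP exchange the section describes: the E_Port and EX_Port each hold a local secret and a peer secret, the two sides negotiate a DH group (the null group 00, or a DH group whose shared value is folded into the challenge response), and mutual authentication only succeeds when each device's peer secret matches the other device's local secret. The message names and the hash inputs are a simplified rendering of the FC-SP flow, not the exact on-the-wire encoding, and the group 01 parameters below are a deliberately small constructed modulus, not the real 1024-bit FC-SP group.

```python
"""Simplified DH-CHAP model: mutual challenge-response with an optional DH contribution."""
import hashlib
import secrets
from dataclasses import dataclass

# Hash algorithms the page says DH-CHAP negotiates.
HASHES = {"MD5": hashlib.md5, "SHA-1": hashlib.sha1}

# DH groups by FC-SP group id. Group "00" is the DH null option (plain CHAP).
# The (p, g) pair for "01" is a CONSTRUCTED 64-bit toy group (p = 2**64 - 59 is prime);
# the real FC-SP group 01 uses a 1024-bit modulus.
DH_GROUPS = {
    "00": None,
    "01": (0xFFFFFFFFFFFFFFC5, 2),
}


@dataclass
class Device:
    """One side of the ISL with its locally configured secret key pair."""
    name: str
    local_secret: bytes  # proves this device's identity; the peer stores it as its peer secret
    peer_secret: bytes   # what this device expects the other side to prove knowledge of


def _response(hash_name, challenge, secret, dh_key):
    """Hash(challenge || secret || DH shared value); the DH part is absent for group 00."""
    h = HASHES[hash_name]()
    h.update(challenge)
    h.update(secret)
    if dh_key is not None:
        h.update(dh_key.to_bytes((dh_key.bit_length() + 7) // 8, "big"))
    return h.digest()


def _dh_contribution(params):
    """Pick a private exponent and return (private, public) for the group, or (None, None)."""
    if params is None:
        return None, None
    p, g = params
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)


def _shared_key(params, private, peer_public):
    """Derive g^xy mod p, rejecting degenerate public values (0, 1, p-1)."""
    if params is None:
        return None
    p, _ = params
    if not 1 < peer_public < p - 1:
        raise ValueError("peer DH value out of range")
    return pow(peer_public, private, p)


def dh_chap_mutual(initiator, responder, hash_name="SHA-1", group="01"):
    """Run one mutual DH-CHAP exchange; return (initiator_accepts_responder, responder_accepts_initiator)."""
    params = DH_GROUPS[group]
    # Responder -> initiator: DHCHAP_Challenge carrying C1 and the responder's DH value.
    c1 = secrets.token_bytes(16)
    x, gx = _dh_contribution(params)
    # Initiator -> responder: DHCHAP_Reply carrying R1, its own DH value, and challenge C2.
    y, gy = _dh_contribution(params)
    k_init = _shared_key(params, y, gx)
    r1 = _response(hash_name, c1, initiator.local_secret, k_init)
    c2 = secrets.token_bytes(16)
    # Responder checks R1 against the secret it was configured with as its peer secret.
    k_resp = _shared_key(params, x, gy)
    responder_ok = secrets.compare_digest(
        r1, _response(hash_name, c1, responder.peer_secret, k_resp))
    # Responder -> initiator: DHCHAP_Success carrying R2, which the initiator checks likewise.
    r2 = _response(hash_name, c2, responder.local_secret, k_resp)
    initiator_ok = secrets.compare_digest(
        r2, _response(hash_name, c2, initiator.peer_secret, k_init))
    return initiator_ok, responder_ok


def demo():
    """Constructed secrets: a matching pair on both sides, then an EX_Port with a wrong peer secret."""
    e_port = Device("vdx-e-port", local_secret=b"e-port-secret", peer_secret=b"fcr-secret")
    ex_port = Device("fcr-ex-port", local_secret=b"fcr-secret", peer_secret=b"e-port-secret")
    bad_ex_port = Device("fcr-ex-port", local_secret=b"fcr-secret", peer_secret=b"typo-secret")
    return {
        "matched_group01": dh_chap_mutual(e_port, ex_port, "SHA-1", "01"),
        "matched_group00": dh_chap_mutual(e_port, ex_port, "MD5", "00"),
        "mismatched_peer_secret": dh_chap_mutual(e_port, bad_ex_port, "SHA-1", "01"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The mismatched case returns `(True, False)`: the E_Port still accepts the FC router, because the router's local secret matches the E_Port's peer secret, but the router rejects the E_Port, so the ISL does not come up. That asymmetry is why the guide insists that both sides be configured to match and that each device be configured locally. The range check in `_shared_key` is the one defensive step worth copying from the toy into any real implementation: a peer DH value of 0, 1 or p-1 collapses the shared value to something an observer can predict.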
Shared secret keys
When you configure device ports for DH-CHAP authentication, you define a pair of shared secrets
known to both devices as a secret key pair. A key pair consists of a local secret and a peer secret. The
local secret uniquely identifies the local device. The peer secret uniquely identifies the entity to which
Network OS Administrator’s Guide
303
53-1003225-04