Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0) User Manual

You can specify either "4" or "*" . The "4" option explicitly enables DH group 4. Although "*"
enables all DH groups (0 through 4), the DH group defaults to group 4 for all ports configured for in-
flight encryption.

4. Configure pre-shared keys or certificates based on the encryption method selected (DH-CHAP or

FCAP):

• If DH-CHAP is the configured authentication protocol, use the secAuthSecret --set command to

establish pre-shared secret key at each end of the ISL. It is recommended to use a 32-bit secret
for an ISL carrying encrypted or compressed traffic.

switch:admin> secauthsecret --set

When prompted, enter the WWN for the remote switch and secret strings for the local switch and
the remote switch.

• If FCAP is the configured authentication protocol, use the seccertutil command to generate the

public or private key, the CSR, and the passphrase and then import certificates (CA and switch)
at both the ends of ISL.

switch:admin> seccertutil

5. Activate the configured authentication using the authUtil --policy command to set the switch policy

mode to Active or On.

switch:admin> authutil --policy -sw active

If you are configuring authentication on an EX_Port, there is no need to set the authentication policy
to Active or On. EX_Ports can operate on any switch authentication policy.

6. Verify the authentication configuration using the authUtil --show command.

The following example sets up authentication in preparation for in-flight encryption. Specifically, it
configures DH-CHAP for authentication, sets the DH group to group 4, sets up a pre-shared secret
key, and activates authentication.

switch:admin> authutil --set -a dhchap

Authentication is set to dhchap.

switch:admin> authutil --set -g "4"

DH Group was set to 4.

switch:admin> secauthsecret --set

This command is used to set up secret keys for the DH-CHAP authentication.

The minimum length of a secret key is 8 characters and maximum 40

characters. Setting up secret keys does not initiate DH-CHAP

authentication. If switch is configured to do DH-CHAP, it is performed

whenever a port or a switch is enabled.

Warning: Please use a secure channel for setting secrets. Using

an insecure channel is not safe and may compromise secrets.

Following inputs should be specified for each entry.

1. WWN for which secret is being set up.

2. Peer secret: The secret of the peer that authenticates to peer.

3. Local secret: The local secret that authenticates peer.

Press enter to start setting up secrets >

Enter peer WWN, Domain, or switch name (Leave blank when done):

10:00:00:05:1e:e5:cb:00

Enter peer secret:

Re-enter peer secret:

Enter local secret:

Re-enter local secret:

Enter peer WWN, Domain, or switch name (Leave blank when done):

Are you done? (yes, y, no, n): [no] y

Saving data to key store... Done.

switch:admin> secauthsecret --show

In-flight Encryption and Compression

416

Fabric OS Administrators Guide

53-1003130-01