
Enabling and disabling local authentication, Configuring for the SSL protocol – HP StorageWorks 2.128 SAN Director Switch User Manual

Page 52


Configuring standard security features

Changing the order in which RADIUS servers are contacted for service

1. Connect to the switch and log in as admin.

2. Issue the following command:

switch:admin> aaaConfig --move server to_position

When the command succeeds, the event log indicates that a server configuration is changed.

Enabling and disabling local authentication

It is useful to enable local authentication so that the switch can take over authentication locally if the RADIUS servers fail to respond because of a power outage or network problems. To enable or disable local authentication, issue the following command:

switch:admin> aaaConfig --switchdb on | off

Specifying on enables local authentication; specifying off disables it.

When local authentication is enabled and the RADIUS servers fail to respond, you can log in to the default switch accounts (admin and user) or to any user-defined account; you must know the passwords of these accounts.

RADIUS authentication must be enabled before local database authentication is turned from on to off; otherwise, an error is returned.

Because local database authentication might be disabled or enabled as a side effect of enabling or disabling RADIUS authentication, explicitly set local database authentication to enabled or disabled after setting the desired RADIUS authentication configuration.

When the command succeeds, the event log indicates that local database authentication is disabled or enabled.
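The following is an added model, not code from the HP manual or from Fabric OS, of the two procedures above: the RADIUS server contact order set with aaaConfig --move, the per-server timeout that moves on to the next server, and the local database fallback controlled by aaaConfig --switchdb. The AAAConfig class, the LOCAL_DB accounts and the reply functions are constructed for illustration; the model shows why RADIUS must be enabled before local authentication is turned off, and how a RADIUS outage with --switchdb off leaves no way to log in.

```python
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Constructed local switch database (the default admin and user accounts).
LOCAL_DB: Dict[str, str] = {"admin": "admin-secret", "user": "user-secret"}

# One RADIUS server is modelled by a reply function: True/False is an answer,
# None means it did not respond within its timeout (-t) and the next is tried.
RadiusReply = Callable[[str, str, str], Optional[bool]]


@dataclass
class AAAConfig:
    """Hypothetical model of the aaaConfig state this page discusses."""
    servers: List[str] = field(default_factory=list)  # contact order; 1-based in the CLI
    radius_enabled: bool = True                        # RADIUS authentication configured
    switchdb: bool = True                              # aaaConfig --switchdb on|off

    def move(self, server: str, to_position: int) -> List[str]:
        """Model of 'aaaConfig --move server to_position'."""
        if server not in self.servers:
            raise ValueError(f"unknown server {server}")
        self.servers.remove(server)
        self.servers.insert(to_position - 1, server)
        return list(self.servers)

    def set_switchdb(self, on: bool) -> bool:
        """Model of 'aaaConfig --switchdb on|off': switching the local database
        off is an error unless RADIUS authentication is enabled."""
        if not on and not self.radius_enabled:
            raise ValueError("enable RADIUS authentication before disabling local authentication")
        self.switchdb = on
        return on


def authenticate(cfg: AAAConfig, user: str, password: str, radius: RadiusReply) -> Tuple[str, str]:
    """Contact the servers in order; the local database is consulted only when
    none of them answered, and only if --switchdb is on. Returns (verdict, source)."""
    if cfg.radius_enabled:
        for srv in cfg.servers:
            verdict = radius(srv, user, password)
            if verdict is None:
                continue  # timed out: contact the next server in the list
            return ("accept" if verdict else "reject", srv)
    if not cfg.switchdb:
        return ("reject", "no RADIUS response and local authentication is off")  # locked out
    if hmac.compare_digest(LOCAL_DB.get(user, ""), password):
        return ("accept", "local")
    return ("reject", "local")
```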

Configuring for the SSL protocol

Fabric OS 4.4.0 and later support the SSL protocol, which provides secure access to a fabric through Web-based management tools like Advanced Web Tools. SSL support is a standard Fabric OS feature; it is independent of Secure Fabric OS, which requires a license and separate certification.

Switches configured for SSL grant access to management tools through hypertext transfer protocol-secure links (which begin with https://) instead of standard links (which begin with http://).

SSL uses public key infrastructure (PKI) encryption to protect data transferred over SSL connections. PKI is based on digital certificates obtained from an Internet Certificate Authority (CA), which acts as the trusted key agent.

Certificates are based on the switch IP address or fully-qualified domain name (FQDN), depending on the issuing CA. If you change a switch IP address or FQDN after activating an associated certificate, you might have to obtain and install a new certificate. Check with the CA to verify this possibility, and plan these types of changes accordingly.

-p port
    Optional argument; enter a server port.

-s secret
    Optional argument; enter a shared secret.

-t timeout
    Optional argument; enter the length of time (in seconds) the server has to respond before the next server is contacted.

-a[pap|chap]
    Specifies PAP or CHAP as the authentication protocol.

where (for aaaConfig --move server to_position):

server
    A list of servers by either name or IP address. Enter either the name or IP address of the server whose position is to be changed.

to_position
    The position number to which the server is to be moved.