beautypg.com

Device security – HP McDATA 4Gb SAN Switch for HP BladeSystem p-Class User Manual

Page 31

background image

McDATA® 4Gb SAN Switch for HP p-Class BladeSystem user guide

31

Device security

IMPORTANT:

Device security is available only with the McDATA SANtegrity™ Product Feature

Enablement (PFE) key. Refer to ”

Installing Product Feature Enablement (PFE) keys

” on page 88 for more

information about installing a PFE key. To obtain the McDATA 4Gb SAN Switch serial number and Product

Feature Enablement key, follow the step-by-step instructions on the "firmware feature entitlement request

certificate" for the PFE key. One of the license key retrieval options is via the web:

www.webkey.external.hp.com

.

Device security provides for the authorization and authentication of devices that you attach to a switch. You

can configure a switch with a group of devices against which the switch authorizes new attachments by

devices, other switches, or devices issuing management server commands. Device security is configured

through the use of security sets and groups. A group is a list of device worldwide names that are

authorized to attach to a switch. There are three types of groups: one for other switches (ISL), another for

devices (port), and a third for devices issuing management server commands (MS). A security set is a set

of up to three groups with no more than one of each group type. The security configuration is made up of

all security sets on the switch.
In addition to authorization, the switch can be configured to require authentication to validate the identity

of the connecting switch, device, or host. Authentication can be performed locally using the switch security

database, or remotely using a Remote Dial-In User Service (RADIUS) server. With a RADIUS server, the

security database for the entire fabric resides on the server. In this way, the security database can be

managed centrally, rather than on each switch. You can configure up to five RADIUS servers to provide

failover.
You can configure the RADIUS server to authenticate just the switch or both the switch and the initiator

device if the device supports authentication. When using a RADIUS server, every switch in the fabric must

have a network connection. A RADIUS server can also be configured to authenticate user accounts.
Consider the devices, switches, and management agents and evaluate the need for authorization and

authentication. Also consider whether the security database is to be distributed on the switches or

centralized on a RADIUS server and how many servers to configure.
Managing device security involves the following tasks:

Creating security sets, groups, and members

Editing a security configuration on a switch

Viewing properties of a security set, group, or member

Archiving a security configuration on a switch to a file

Activating and deactivating a security set

The security database is made up of all security sets on the switch. The security database has the following

limits:

Maximum number of security sets is 4.

Maximum number of security groups is 16.

Maximum number of members in a group is 1000.

Maximum total number of group members is 1000.

See also other documents in the category HP Storage: