Fibre Channel (SAN)

New Contributor
Posts: 4
Registered: 03-18-2015

How to properly configure DH-CHAP?

What is the pattern for disseminating DH-CHAP keys?

I generated 4 random 32b keys for two switches but I cannot get them to take without giving me "Authentication Rejected".


New Contributor
Posts: 4
Registered: 03-18-2015

Re: How to properly configure DH-CHAP?

Well, to answer my own question:


Based on the following switches:
SW0: 10:00:00:99:aa:bb:cc:dd
SW1: 10:00:00:99:ee:ff:gg:hh
SW2: 10:00:00:99:ii:jj:kk:ll
1. Log into each switch and set the DH Group
bswitch2:admin> authutil --set -g 4
2. Generate 32-byte keys for each switch.
# Solaris ksh: dd reads 32 blocks (512 bytes each by default) from /dev/random and
# the Solaris digest(1) utility MD5-hashes them. The digest prints as a 32-character
# hex string, which fits the switch's 8-40 character limit for a secret.
KEY=$(dd if=/dev/random count=32 2>/dev/null|digest -a md5)
print ${KEY}
8a4cd550f7f0f6691b48544f8d84f2fd
8369118c5375e3fbf1190ec6b0d407cd
fb313aab702bf3044a7a843eb01c8b65
3. Log into each switch and grab the Switch WWN number.
Map each WWN to one or more keys. Probably best to store in a secure spreadsheet for future use.
SW0: 10:00:00:05:aa:bb:cc:dd = 8a4cd550f7f0f6691b48544f8d84f2fd
SW1: 10:00:00:05:ee:ff:gg:hh = 8369118c5375e3fbf1190ec6b0d407cd
SW2: 10:00:00:27:ii:jj:kk:ll = fb313aab702bf3044a7a843eb01c8b65
4. On each switch, log in and run "secauthsecret --set"
SW0 :admin> secauthsecret --show
WWN DId Name
-----------------------------------------------
10:00:00:99:ee:ff:gg:hh -1 Unknown
10:00:00:99:ii:jj:kk:ll -1 Unknown

bswitch2:admin> secauthsecret --remove --all

This command deletes database of DH-CHAP secret keys. If a fabric
requires authentication, deleting this database may cause switch
to segment from the fabric.

Do want to remove secret key database? (yes, y, no, n): [no] yes
Deleting secret key database... Done.

bswitch2:admin> secauthsecret --set

This command is used to set up secret keys for the DH-CHAP authentication.
The minimum length of a secret key is 8 characters and maximum 40
characters. Setting up secret keys does not initiate DH-CHAP
authentication. If switch is configured to do DH-CHAP, it is performed
whenever a port or a switch is enabled.

Warning: Please use a secure channel for setting secrets. Using
an insecure channel is not safe and may compromise secrets.

Following inputs should be specified for each entry.

1. WWN for which secret is being set up.
2. Peer secret: The secret of the peer that authenticates to peer.
3. Local secret: The local secret that authenticates peer.

Press enter to start setting up secrets >

Enter peer WWN, Domain, or switch name (Leave blank when done): 10:00:00:27:ii:jj:kk:ll
Enter peer secret: fb313aab702bf3044a7a843eb01c8b65
Re-enter peer secret: fb313aab702bf3044a7a843eb01c8b65
Enter local secret: 8a4cd550f7f0f6691b48544f8d84f2fd
Re-enter local secret: 8a4cd550f7f0f6691b48544f8d84f2fd

Enter peer WWN, Domain, or switch name (Leave blank when done): 10:00:00:05:ee:ff:gg:hh
Enter peer secret: 8369118c5375e3fbf1190ec6b0d407cd
Re-enter peer secret: 8369118c5375e3fbf1190ec6b0d407cd
Enter local secret: 8a4cd550f7f0f6691b48544f8d84f2fd
Re-enter local secret: 8a4cd550f7f0f6691b48544f8d84f2fd

Enter peer WWN, Domain, or switch name (Leave blank when done):
Are you done? (yes, y, no, n): [no] y
Saving data to key store... Done.
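The pattern the walkthrough above arrives at, written out as a small planning and cross-check script: on each switch the local secret is always that switch's own secret, and the peer secret recorded for a given WWN is that peer's own secret. This is an added example, not code from the thread or from Brocade; the WWNs and secrets in it are constructed, and the 8..40 length rule is the one quoted by the secauthsecret --set dialog.

```python
import secrets
from itertools import combinations

# Length limits quoted by the switch's own secauthsecret --set dialog.
MIN_LEN, MAX_LEN = 8, 40

def generate_secret(nbytes=16):
    """Fresh random secret as hex: 16 bytes -> 32 characters, inside the 8..40 limit."""
    return secrets.token_hex(nbytes)

def valid_secret(s):
    """Length rule the switch applies to every peer and local secret."""
    return MIN_LEN <= len(s) <= MAX_LEN

def plan_entries(switch_secrets):
    """For every switch, the entries to type into 'secauthsecret --set'.
    switch_secrets maps WWN -> that switch's own secret. On switch A the local
    secret is always A's own; the peer secret for B is B's own. Each entry is
    (peer_wwn, peer_secret, local_secret), in the order the dialog prompts."""
    for wwn, s in switch_secrets.items():
        if not valid_secret(s):
            raise ValueError(f"secret for {wwn}: length {len(s)}, need {MIN_LEN}..{MAX_LEN}")
    return {wwn: [(peer, switch_secrets[peer], local)
                  for peer in switch_secrets if peer != wwn]
            for wwn, local in switch_secrets.items()}

def mismatches(plan):
    """Cross-check a plan (or entries transcribed from your own records): A's peer
    secret for B must equal B's local secret and vice versa. Every pair returned
    here would fail DH-CHAP with 'Authentication Rejected' when its link comes up."""
    view = {a: {peer: (ps, ls) for peer, ps, ls in entries} for a, entries in plan.items()}
    bad = []
    for a, b in combinations(view, 2):
        if b not in view[a] or a not in view[b]:  # one side never got an entry
            bad.append((a, b))
            continue
        a_peer_secret, a_local = view[a][b]
        b_peer_secret, b_local = view[b][a]
        if a_peer_secret != b_local or b_peer_secret != a_local:
            bad.append((a, b))
    return bad

# Constructed three-switch fabric; WWNs and secrets are made up for this example.
FABRIC = {
    "10:00:00:05:00:00:00:01": "0123456789abcdef0123456789abcdef",
    "10:00:00:05:00:00:00:02": "a1b2c3d4e5f60718293a4b5c6d7e8f90",
    "10:00:00:05:00:00:00:03": "00112233445566778899aabbccddeeff",
}
```

Calling plan_entries(FABRIC) gives, per switch, the exact peer WWN / peer secret / local secret triples to type at the prompts; running mismatches() over what was actually entered on each switch pinpoints which pair will reject authentication.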
