Client Scenario/Problem statement
Ben, an administrator, has been concerned about tightening the security of all his resources as soon as they are registered. Registering the SAN fabrics in his environment with a username and password added to his existing security concerns, and he has been looking for a better solution for a while now.
SSH-Keys as a solution
PowerVC 2.0.3 brings a new feature that allows you to register a Brocade switch via an SSH key, in addition to the conventional username/password method. This feature addresses the security concern of man-in-the-middle and other attacks that can lead to SAN fabrics being compromised.
Adding keys on Brocade switch
Generate a key pair on any machine and copy the public key to the Brocade admin account.
Here is an example.
c387f14u40:FID128:admin> sshutil importpubkey
Enter user name for whom key is imported:admin
Enter IP address:1.2.3.4
Enter remote directory:/root/.ssh
Enter public key name(must have .pub suffix):id_rsa.pub
Enter login name:root
root@1.2.3.4's password:
public key is imported successfully.
c387f14u40:FID128:admin>
Registration on PowerVC
After logging in to PowerVC, navigate to ‘Storages’ and click Fabrics.
- Click Add fabric. The remaining parameters are the same as before:
- Display name: after the fabric is registered, it appears under this name in the PowerVC GUI
- User ID: the fabric username, usually ‘admin’
- Fabric Type: Brocade
- Zoning Policy: select one of the listed policies; they are discussed in earlier blogs
A new option, SSH key, appears under Authentication type.
Provide the private key for registration.
Registration via REST API
This section provides details about the procedure for Brocade registration via REST API.
Method: POST
REST API: https://<PowerVC VIP>/powervc/openstack/volume/v3/<tenant id>/san-fabrics
Request Body:
{
    "fabric": {
        "registration": {
            "access_ip": "Fabric IP",
            "user_id": "admin",
            "private_key": "provide Private keys",
            "fabric_display_name": "Display name",
            "fabric_type": "brocade",
            "zoning_policy": "initiator"
        }
    }
}
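The registration call above, as an added example that is not part of the original post or of PowerVC itself. It builds the request body, sends it with the standard library, and keeps the private key out of anything that might be logged. The X-Auth-Token header is the OpenStack convention and is assumed here, as are the placeholder VIP and tenant id; the CA bundle argument verifies PowerVC's certificate instead of switching verification off.

```python
import json
import ssl
import urllib.request

# Placeholders: replace with your PowerVC VIP and project (tenant) id.
POWERVC_VIP = "powervc.example.com"
TENANT_ID = "<tenant id>"


def looks_like_private_key(pem):
    """True only for PEM private-key material, so a public key or a
    password pasted by mistake is rejected before it is sent anywhere."""
    return pem.startswith("-----BEGIN") and "PRIVATE KEY-----" in pem


def build_registration_body(access_ip, user_id, private_key, display_name,
                            zoning_policy="initiator"):
    """Build the request body shown in the blog for SSH-key registration."""
    if not looks_like_private_key(private_key):
        raise ValueError("private_key must be PEM-encoded private key material")
    return {"fabric": {"registration": {
        "access_ip": access_ip,
        "user_id": user_id,
        "private_key": private_key,
        "fabric_display_name": display_name,
        "fabric_type": "brocade",
        "zoning_policy": zoning_policy,
    }}}


def redacted(body):
    """Deep copy of the body that is safe to log: the key never reaches a log file."""
    safe = json.loads(json.dumps(body))
    safe["fabric"]["registration"]["private_key"] = "<redacted>"
    return safe


def register_fabric(body, token, ca_bundle):
    """POST the body to the san-fabrics endpoint (assumed X-Auth-Token header).
    Returns (HTTP status, decoded JSON response)."""
    url = f"https://{POWERVC_VIP}/powervc/openstack/volume/v3/{TENANT_ID}/san-fabrics"
    ctx = ssl.create_default_context(cafile=ca_bundle)  # pin PowerVC's CA, keep verification on
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "X-Auth-Token": token})
    print("registering", json.dumps(redacted(body)))
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, json.load(resp)
```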
Limitations
Registration of Brocade Virtual Fabric is not allowed using SSH private key.
Conclusion
As you have seen, PowerVC 2.0.3 provides a simple way to register a Brocade SAN switch via SSH keys, addressing the man-in-the-middle concern and preventing other attacks that can lead to SAN fabrics being compromised.
Post your questions, if any, in the comments section. Keep watching our social outlets for more interesting information about PowerVC! Please find us on Facebook, LinkedIn, Twitter, and YouTube.
Blog author:
Jagdish Choudhary