Sun Microsystems, Inc.  Oracle System Handbook - ISO 7.0 May 2018 Internal/Partner Edition

Asset ID: 1-71-2233005.1
Update Date: 2017-02-15

Solution Type: Technical Instruction Sure

Solution 2233005.1: How to Configure the Ciphers, KEX, and MAC Algorithms on Brocade Switches.


Related Items
  • Brocade 6510 Fabric Switch
  • Brocade 6520 Switch
  • Brocade 300 Switch
Related Categories
  • PLA-Support>Sun Systems>DISK>Switch>SN-DK: Brocade Switch
In this Document
Goal
Solution


Applies to:

Brocade 300 Switch - Version All Versions to All Versions [Release All Releases]
Brocade 6510 Fabric Switch - Version All Versions to All Versions [Release All Releases]
Brocade 6520 Switch - Version All Versions to All Versions [Release All Releases]
Information in this document applies to any platform.

Goal

Starting with Fabric OS version 7.4, a new command, secCryptoCfg, was introduced to configure the cryptographic algorithms (ciphers, key exchange and MACs) used by Brocade switches.

You can display the currently configured algorithms by running:

BrocadeSwitch:admin>secCryptoCfg --show

HTTPS Cipher List : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
SSH Cipher List : 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc
SSH Kex Algorithms List : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
SSH MACs List : hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512
Here we see, for example, that the SSH cipher list contains only CBC-mode algorithms, and that the SSH MAC list contains MD5 and SHA-1 alongside SHA-2.

For the complete list of available algorithms, please consult the Brocade CLI guide.

Solution

As a working example, the following command removes the CBC ciphers (considered weak) and replaces them with CTR-mode ciphers:

BrocadeSwitch:admin> seccryptocfg --replace -type SSH -cipher aes128-ctr,aes192-ctr

This command requires the daemon(s) SSH to be restarted
Existing sessions will be terminated.
Please confirm and provide the preferred option
Press Yes(Y,y), No(N,n) [N]:yes
Terminating all SSH/SCP sessions running
All SSH accounts will be logged out

After the SSH service has been restarted, run the --show option again to verify the change:

BrocadeSwitch:admin > seccryptocfg --show
HTTPS Cipher List : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
SSH Cipher List : aes128-ctr,aes192-ctr <<<<< **** CTR ENABLED ONLY ****
SSH Kex Algorithms List : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
SSH MACs List : hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512
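As an added example (not part of this article and not Brocade's own tooling), the following Python audit parses the seccryptocfg --show output quoted above, flags the weak entries in the SSH cipher, KEX and MAC lists, and performs the same post-change check as the second --show: it confirms that the cipher list actually changed and no longer contains a weak entry. Which algorithms count as weak is this example's own assumption, not a Brocade list.

```python
import re

# "seccryptocfg --show" output before and after the cipher change, copied from this article
# and embedded here as constructed input (the audit only parses the "SSH ... List" lines).
BEFORE = """\
HTTPS Cipher List : !ECDH:!DH:HIGH:-MD5:!CAMELLIA:!SRP:!PSK:!AESGCM
SSH Cipher List : 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc
SSH Kex Algorithms List : ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
SSH MACs List : hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-512
"""
AFTER = BEFORE.replace("3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc", "aes128-ctr,aes192-ctr")

# What this audit treats as weak is an assumption made for the example, not Brocade's list:
# CBC-mode and 3DES ciphers, SHA-1 and 1024-bit group1 key exchange, MD5 and SHA-1 MACs.
WEAK = {
    "SSH Cipher List": re.compile(r"^3des-|-cbc$"),
    "SSH Kex Algorithms List": re.compile(r"-sha1$|group1-"),
    "SSH MACs List": re.compile(r"^hmac-(md5|sha1)(-96)?$"),
}


def parse_show(text):
    """Map each 'SSH ... List' line of the --show output to its list of algorithm names."""
    lists = {}
    for line in text.splitlines():
        name, sep, value = line.partition(" : ")
        if sep and name.strip().startswith("SSH"):
            lists[name.strip()] = [a.strip() for a in value.split(",") if a.strip()]
    return lists


def weak_algorithms(text):
    """Return {list name: [weak entries]} for every SSH list that still contains one."""
    found = {}
    for name, algs in parse_show(text).items():
        pattern = WEAK.get(name)
        bad = [a for a in algs if pattern and pattern.search(a)]
        if bad:
            found[name] = bad
    return found


def change_verified(before, after, list_name):
    """The second --show check: the named list changed and no longer holds a weak entry."""
    old, new = parse_show(before).get(list_name), parse_show(after).get(list_name)
    return new is not None and new != old and list_name not in weak_algorithms(after)


if __name__ == "__main__":
    for name, bad in weak_algorithms(BEFORE).items():
        print(f"{name}: weak entries {', '.join(bad)}")
    print("SSH cipher change verified:", change_verified(BEFORE, AFTER, "SSH Cipher List"))
```

Run against the two outputs above it reports the CBC ciphers, the SHA-1 key-exchange methods and the MD5/SHA-1 MACs as weak, and confirms only the cipher list change; the KEX and MAC lists still need the same treatment.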
For further information, please refer to the FabOS 7.4 Admin Guide.

  Copyright © 2018 Oracle, Inc.  All rights reserved.