Investigating IBM Fibre Channel Endpoint Security

7.1 LPAR mode z/VM guest

You can check whether the connections between your FCP devices and remote ports use authentication and encryption.

About this task

You can investigate two aspects of IBM® Fibre Channel Endpoint Security for your connections:
  • The capabilities of your FCP device, which depend on your adapter hardware with its FCP channels.
  • The status of your connections between your FCP devices and remote ports.
For information about configuring IBM Fibre Channel Endpoint Security, see the Redbooks® publication IBM Fibre Channel Endpoint Security for IBM DS8900F and IBM Z®, SG24-8455.

Procedure

Display the IBM Fibre Channel Endpoint Security information for your environment by issuing an lszdev command. Use command options to read the fc_security attributes for your Fibre Channel hosts and LUNs as shown in the following example:

    # lszdev zfcp -a -c TYPE,ID,ATTR:fc_security
    TYPE      ID                                             ATTR:fc_security
    zfcp-host 0.0.5150                                       Authentication, Encryption
    zfcp-lun  0.0.5150:0x500507630400120c:0x4081402000000000 Authentication
    zfcp-lun  0.0.5150:0x500507630401120c:0x4081402000000000 Encryption

In the output, zfcp-host lines show information for your FCP devices:

Authentication
    The FCP device supports authentication.
Encryption
    The FCP device supports encryption.
unsupported
    The FCP device does not support IBM Fibre Channel Endpoint Security.
none
    The FCP device does not report any IBM Fibre Channel Endpoint Security capabilities.
unknown
    The IBM Fibre Channel Endpoint Security capabilities of the FCP device are not known.

In the output, zfcp-lun lines show the current state of IBM Fibre Channel Endpoint Security of the connection between the FCP device and the FC remote port used to access the LUN:

Authentication
    The connection was authenticated.
Encryption
    The connection uses encryption.
unsupported
    The connection does not support IBM Fibre Channel Endpoint Security because the FCP device does not support it.
none
    The connection has no IBM Fibre Channel Endpoint Security.
unknown
    The IBM Fibre Channel Endpoint Security state of the connection is not known.

Tip: If the output is lengthy, use the lszdev device selection filter to narrow the scope to the devices of interest.
Alternatively, you can use the lszfcp command with the -a option to display the IBM Fibre Channel Endpoint Security information for FCP devices. With the lszfcp -m option, you can also display the information for your connections. For example, issue the following command:
# lszfcp -HPam
Instead of using commands, you can read the information directly from sysfs. For example, for an FCP channel that provides an FCP device with device-bus ID 0.0.5150:
# cat /sys/bus/ccw/drivers/zfcp/0.0.5150/fc_security
Authentication, Encryption
For a remote port 0x500507630401120c that is connected through this FCP device:
# cat /sys/bus/ccw/drivers/zfcp/0.0.5150/0x500507630401120c/fc_security
Encryption
Both sysfs attributes are read-only.
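
The following audit of the lszdev output shown above is an added example, not part of the original documentation. It lists every zfcp-lun connection whose fc_security state does not include Encryption. Assumptions: the "encryption required" policy, the function names, and the two sample rows for 0.0.5151 are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag zfcp-lun connections that do not report "Encryption".
# The policy "every connection must be encrypted" is an assumption.

# Reads `lszdev zfcp -a -c TYPE,ID,ATTR:fc_security` output on stdin and
# prints "<id> <state>" for each zfcp-lun row without Encryption.
fc_security_findings() {
    awk '
        $1 == "zfcp-lun" {
            id = $2
            # The state column may contain spaces ("Authentication, Encryption"),
            # so take everything after the TYPE and ID columns.
            state = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]*/, "", state)
            sub(/[ \t]+$/, "", state)
            if (state == "") state = "(empty)"
            encrypted = 0
            n = split(state, caps, /, */)
            for (i = 1; i <= n; i++)
                if (caps[i] == "Encryption") encrypted = 1
            if (!encrypted) print id, state
        }
    '
}

# Sample input: the first four lines are the example output from this page,
# the two rows for 0.0.5151 are constructed.
sample_lszdev_output() {
    cat <<'EOF'
TYPE      ID                                             ATTR:fc_security
zfcp-host 0.0.5150                                       Authentication, Encryption
zfcp-lun  0.0.5150:0x500507630400120c:0x4081402000000000 Authentication
zfcp-lun  0.0.5150:0x500507630401120c:0x4081402000000000 Encryption
zfcp-lun  0.0.5151:0x500507630402120c:0x4081402000000000 none
zfcp-lun  0.0.5151:0x500507630403120c:0x4081402000000000 unknown
EOF
}

# Run against the sample; on a live system, pipe the lszdev command instead.
sample_lszdev_output | fc_security_findings
```

A connection that reports unknown is listed as a finding here because its state cannot be confirmed as encrypted.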