Enabling and disabling network settings of an IBM System Storage SAN48B-5 switch

After you replace an IBM® System Storage® SAN48B-5 switch in an IBM PurePower System™, you must enable Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS), and disable Hypertext Transfer Protocol (HTTP) and telnet.

Enabling SSH on an IBM System Storage SAN48B-5 switch

To enable SSH on an IBM System Storage SAN48B-5 switch, complete the following steps:
  1. Connect a notebook to the serial console port of the SAN48B-5 switch by using a Universal Serial Bus (USB) to RJ-45 serial cable.
  2. Using PuTTY, log in to the SAN48B-5 switch with user ID root and password password.
  3. At the command prompt, type the following command and press Enter:

    seccertutil genkey -rsa

    Follow the prompts to generate keys.

  4. At the command prompt, type the following command and press Enter:

    sshutil exportpubkey

    Follow the prompts. When prompted for where to export, type the IP address of the management node. When prompted for the remote directory, type /data/backups.
    Note: The IP address of the primary management node is 192.168.93.44. The IP address of the secondary management node is 192.168.93.144.
  5. At the command prompt, type the following command and press Enter:

    sshutil importpubkey

    Follow the prompts. When prompted for where to import, type the IP address of the management node. When prompted for remote directory, type /root/.ssh. When prompted for public key name, type id_rsa.pub.
    Note: The IP address of the primary management node is 192.168.93.44. The IP address of the secondary management node is 192.168.93.144.
  6. At the command prompt, type the following command and press Enter:

    ipfilter --show purepowerip4

  7. Is purepowerip4 information displayed?
    • Yes: Continue with the next step.
    • No: Continue with step 9.
  8. Does purepowerip4 have a state of active and does destination port 22 have an action of permit?
    • Yes: A purepowerip4 state of active and a destination port 22 action of permit indicate that SSH is enabled. This ends the procedure.
    • No: Continue with step 10.
  9. At the command prompt, type the following commands. Press Enter after each command. Then, continue with the next step.

    ipfilter --clone purepowerip4 -from default_ipv4

    ipfilter --save purepowerip4

  10. At the command prompt, type the following command and press Enter:

    ipfilter --show purepowerip4

  11. Record the rule number that is associated with destination port 22.
  12. At the command prompt, type the following commands, where x is the rule number that you recorded in step 11. Press Enter after each command.

    ipfilter --delrule purepowerip4 -rule x

    ipfilter --addrule purepowerip4 -rule x -sip any -dp 22 -proto tcp -act permit

    ipfilter --save purepowerip4

    ipfilter --activate purepowerip4

  13. At the command prompt, type the following command and press Enter:

    ipfilter --show purepowerip4

  14. Is purepowerip4 information displayed?
    • Yes: Continue with the next step.
    • No: Contact your next level of support. This ends the procedure.
  15. Does purepowerip4 have a state of active and does destination port 22 have an action of permit?
    • Yes: A purepowerip4 state of active and a destination port 22 action of permit indicate that SSH is enabled. This ends the procedure.
    • No: Contact your next level of support. This ends the procedure.
  16. Disconnect the notebook from the serial console port of the SAN48B-5 switch.

    This ends the procedure.

Enabling HTTPS on an IBM System Storage SAN48B-5 switch

To enable HTTPS on an IBM System Storage SAN48B-5 switch, complete the following steps:
  1. On the management node, select Applications > Terminal.
  2. In the terminal session, type the following command, where xxx.xxx.xx.xx is the IP address of the SAN48B-5 switch:

    ssh root@xxx.xxx.xx.xx

    Note: The IP address of SAN48B-5 switch 1 is 192.168.93.11. The IP address of SAN48B-5 switch 2 is 192.168.93.9.
  3. At the command prompt, type the following command and press Enter:

    seccertutil genkey

    Follow the prompts to generate keys. When prompted for the key size, type 2048.

  4. At the command prompt, type the following command and press Enter:

    seccertutil gencsr

    Follow the prompts. When prompted for common name, type the IP address of the SAN48B-5 switch.
    Note: The IP address of SAN48B-5 switch 1 is 192.168.93.11. The IP address of SAN48B-5 switch 2 is 192.168.93.9.
  5. At the command prompt, type the following command and press Enter:

    seccertutil export

    Follow the prompts. When prompted for where to export, type the IP address of the management node. When prompted for remote directory, type /tmp/CA.
    Note: The IP address of the primary management node is 192.168.93.44. The IP address of the secondary management node is 192.168.93.144.
  6. At the command prompt of the management node, type the following commands. Press Enter after each command.

    mkdir /tmp/CA

    mkdir /tmp/CA/newcerts

    mkdir /tmp/CA/private

    cp -p /etc/pki/tls/openssl.cnf /tmp/CA

  7. Edit the /tmp/CA/openssl.cnf file so that it has the following information:

    dir = /tmp/CA

  8. At the command prompt, type the following command and press Enter:

    openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config openssl.cnf

    Follow the prompts. When prompted for a pass phrase, record the phrase for later use. Record the value of cacert.pem for use in step 13 of this procedure.

  9. At the command prompt, type the following commands. Press Enter after each command.

    cp /tmp/CA/cakey.pem /tmp/CA/private

    echo '01' >serial

    touch index.txt

  10. At the command prompt, type the following command, where xxx.xxx.xx.xx is the IP address of the SAN48B-5 switch, and press Enter:

    openssl ca -policy policy_anything -out xxx.xxx.xx.xx.pem -config openssl.cnf -infiles xxx.xxx.xx.xx.csr

    Note: The IP address of SAN48B-5 switch 1 is 192.168.93.11. The IP address of SAN48B-5 switch 2 is 192.168.93.9.

    Follow the prompts. When prompted for a pass phrase, record the phrase for later use.

  11. On the management node, select Applications > Terminal.
  12. In the terminal session, type the following command, where xxx.xxx.xx.xx is the IP address of the SAN48B-5 switch:

    ssh root@xxx.xxx.xx.xx

    Note: The IP address of SAN48B-5 switch 1 is 192.168.93.11. The IP address of SAN48B-5 switch 2 is 192.168.93.9.
  13. At the command prompt, type the following command and press Enter:

    seccertutil import -config cacert

    Follow the prompts. When prompted, enter the value of cacert.pem that was recorded in step 8.

  14. At the command prompt, type the following command and press Enter:

    seccertutil import -config swcert -enable https

    This ends the procedure.
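
Before the imports in steps 13 and 14, the signed certificate can be checked on the management node against cacert.pem and against the common name typed at the gencsr prompt. This is an added example, not IBM or Brocade code; the function names are hypothetical, and the demonstration builds a constructed throwaway CA and signs with `openssl x509 -req` instead of the `openssl ca` step above.

```shell
#!/bin/sh
# Added example: check a signed switch certificate before importing it.

# check_switch_cert CA_CERT SWITCH_CERT SWITCH_IP
# Succeeds only if SWITCH_CERT chains to CA_CERT and its subject common name
# equals SWITCH_IP (the value typed at the gencsr prompt).
check_switch_cert() {
  if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "FAIL: $2 is not signed by $1"; return 1
  fi
  cn=$(openssl x509 -in "$2" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= *//p')
  if [ "$cn" != "$3" ]; then
    echo "FAIL: common name '$cn' does not match $3"; return 1
  fi
  echo "OK: $2 chains to $1 and names $3"
}

# make_demo_pki DIR: constructed, throwaway CA and switch certificate for the
# demonstration only. Keys are unencrypted (-nodes) and generated locally; in
# the procedure the switch key never leaves the switch, only the CSR does.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed demo CA" \
    -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=192.168.93.11" \
    -keyout "$1/switch.key" -out "$1/192.168.93.11.csr" 2>/dev/null &&
  openssl x509 -req -days 1 -in "$1/192.168.93.11.csr" \
    -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" -CAcreateserial \
    -out "$1/192.168.93.11.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
# Matching IP passes; the other switch's IP is rejected.
check_switch_cert "$demo_dir/cacert.pem" "$demo_dir/192.168.93.11.pem" 192.168.93.11
check_switch_cert "$demo_dir/cacert.pem" "$demo_dir/192.168.93.11.pem" 192.168.93.9 || true
rm -rf "$demo_dir"
```

On the management node the real call would be `check_switch_cert /tmp/CA/cacert.pem /tmp/CA/xxx.xxx.xx.xx.pem xxx.xxx.xx.xx`.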

Disabling HTTP on an IBM System Storage SAN48B-5 switch

To disable HTTP on an IBM System Storage SAN48B-5 switch, complete the following steps:
  1. On the management node, select Applications > Terminal.
  2. In the terminal session, type the following command, where xxx.xxx.xx.xx is the IP address of the SAN48B-5 switch:

    ssh admin@xxx.xxx.xx.xx

    Note: The IP address of SAN48B-5 switch 1 is 192.168.93.11. The IP address of SAN48B-5 switch 2 is 192.168.93.9.
  3. At the command prompt, type the following command and press Enter:

    ipfilter --show purepowerip4

  4. Is purepowerip4 information displayed?
    • Yes: Continue with the next step.
    • No: Continue with step 6.
  5. Does purepowerip4 have a state of active and does destination port 80 have an action of deny?
    • Yes: A purepowerip4 state of active and a destination port 80 action of deny indicate that HTTP is disabled. This ends the procedure.
    • No: Continue with step 7.
  6. At the command prompt, type the following commands. Press Enter after each command. Then, continue with the next step.

    ipfilter --clone purepowerip4 -from default_ipv4

    ipfilter --save purepowerip4

  7. At the command prompt, type the following command and press Enter:

    ipfilter --show purepowerip4

  8. Record the rule number that is associated with destination port 80.
  9. At the command prompt, type the following commands, where x is the rule number that you recorded in step 8. Press Enter after each command.

    ipfilter --delrule purepowerip4 -rule x

    ipfilter --addrule purepowerip4 -rule x -sip any -dp 80 -proto tcp -act deny

    ipfilter --save purepowerip4

    ipfilter --activate purepowerip4

  10. At the command prompt, type the following command and press Enter:

    ipfilter --show purepowerip4

  11. Is purepowerip4 information displayed?
    • Yes: Continue with the next step.
    • No: Contact your next level of support. This ends the procedure.
  12. Does purepowerip4 have a state of active and does destination port 80 have an action of deny?
    • Yes: A purepowerip4 state of active and a destination port 80 action of deny indicate that HTTP is disabled. This ends the procedure.
    • No: Contact your next level of support. This ends the procedure.

Disabling telnet on an IBM System Storage SAN48B-5 switch

To disable telnet on an IBM System Storage SAN48B-5 switch, complete the following steps:
  1. On the management node, select Applications > Terminal.
  2. In the terminal session, type the following command, where xxx.xxx.xx.xx is the IP address of the SAN48B-5 switch:

    ssh admin@xxx.xxx.xx.xx

    Note: The IP address of SAN48B-5 switch 1 is 192.168.93.11. The IP address of SAN48B-5 switch 2 is 192.168.93.9.
  3. At the command prompt, type the following command and press Enter:

    ipfilter --show purepowerip4

  4. Is purepowerip4 information displayed?
    • Yes: Continue with the next step.
    • No: Continue with step 6.
  5. Does purepowerip4 have a state of active and does destination port 23 have an action of deny?
    • Yes: A purepowerip4 state of active and a destination port 23 action of deny indicate that telnet is disabled. This ends the procedure.
    • No: Continue with step 7.
  6. At the command prompt, type the following commands. Press Enter after each command. Then, continue with the next step.

    ipfilter --clone purepowerip4 -from default_ipv4

    ipfilter --save purepowerip4

  7. At the command prompt, type the following command and press Enter:

    ipfilter --show purepowerip4

  8. Record the rule number that is associated with destination port 23.
  9. At the command prompt, type the following commands, where x is the rule number that you recorded in step 8. Press Enter after each command.

    ipfilter --delrule purepowerip4 -rule x

    ipfilter --addrule purepowerip4 -rule x -sip any -dp 23 -proto tcp -act deny

    ipfilter --save purepowerip4

    ipfilter --activate purepowerip4

  10. At the command prompt, type the following command and press Enter:

    ipfilter --show purepowerip4

  11. Is purepowerip4 information displayed?
    • Yes: Continue with the next step.
    • No: Contact your next level of support. This ends the procedure.
  12. Does purepowerip4 have a state of active and does destination port 23 have an action of deny?
    • Yes: A purepowerip4 state of active and a destination port 23 action of deny indicate that telnet is disabled. This ends the procedure.
    • No: Contact your next level of support. This ends the procedure.
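
The yes/no checks in the SSH, HTTP and telnet procedures all read the same `ipfilter --show purepowerip4` output, so the final state can be audited in one pass on saved output. This is an added example, not IBM or Brocade code; the column layout of the show output, the constructed sample rows, first-match rule ordering and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit captured `ipfilter --show purepowerip4` output.
# Assumed layout: a "Name: ..., State: ..." header, then rows of
# rule number, source IP, protocol, destination port (or "lo - hi"), action.

sample_output() {   # constructed sample, not captured from a real switch
cat <<'EOF'
Name: purepowerip4, Type: ipv4, State: active
Rule    Source IP    Protocol   Dest Port    Action
1       any          tcp        22           permit
2       any          tcp        23           deny
3       any          tcp        80           deny
4       any          tcp        443          permit
5       any          tcp        600 - 1023   permit
EOF
}

# check_rule PORT ACTION: succeeds only if the policy on stdin is active and
# the lowest-numbered tcp rule covering PORT has ACTION (assumes first match wins).
check_rule() {
  awk -v port="$1" -v want="$2" '
    /^Name:/ { active = ($0 ~ /State:[ \t]*active/) }
    $1 ~ /^[0-9]+$/ && $3 == "tcp" && !seen {
      if ($5 == "-") { lo = $4 + 0; hi = $6 + 0; act = $7 }   # port range row
      else           { lo = $4 + 0; hi = lo;     act = $5 }   # single port row
      if (port + 0 >= lo && port + 0 <= hi) { seen = 1; got = act }
    }
    END { exit !(active && seen && got == want) }'
}

# audit_policy: reads the show output on stdin and checks the three outcomes
# the procedures require: SSH permitted, telnet and HTTP denied.
audit_policy() {
  out=$(cat); rc=0
  for spec in 22:permit 23:deny 80:deny; do
    if printf '%s\n' "$out" | check_rule "${spec%%:*}" "${spec##*:}"; then
      echo "OK    tcp/${spec%%:*} is ${spec##*:}"
    else
      echo "FAIL  tcp/${spec%%:*} is not ${spec##*:}, or policy is not active"
      rc=1
    fi
  done
  return $rc
}

sample_output | audit_policy
```

To audit a real switch, save the output of `ipfilter --show purepowerip4` to a file and pipe that file into `audit_policy` in place of `sample_output`.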



Last updated: Mon, July 25, 2016