Enabling and disabling network settings of an IBM System Storage SAN48B-5 switch
After you replace an IBM® System Storage® SAN48B-5 switch in an IBM PurePower System™, you must enable Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS), and disable Hypertext Transfer Protocol (HTTP) and telnet.
Enabling SSH on an IBM System Storage SAN48B-5 switch
- Connect a notebook to the serial console port of the SAN48B-5 switch by using a Universal Serial Bus (USB) to RJ-45 serial cable.
- Using PuTTY, log in to the SAN48B-5 switch with user ID root and password password.
- At the command prompt, type the following command and press Enter:
seccertutil genkey -rsa
Follow the prompts to generate keys.
- At the command prompt, type the following command and press Enter:
sshutil exportpubkey
Follow the prompts. When prompted for where to export, type the IP address of the management node. When prompted for the remote directory, type /data/backups.
Note: The IP address of the primary management node is 192.168.93.44. The IP address of the secondary management node is 192.168.93.144.
- At the command prompt, type the following command and press Enter:
sshutil importpubkey
Follow the prompts. When prompted for where to import, type the IP address of the management node. When prompted for remote directory, type /root/.ssh. When prompted for public key name, type id_rsa.pub.
Note: The IP address of the primary management node is 192.168.93.44. The IP address of the secondary management node is 192.168.93.144.
- At the command prompt, type the following command and press Enter:
ipfilter --show purepowerip4
- Is purepowerip4 information displayed?
- Yes: Continue with the next step.
- No: Continue with step 9.
- Does purepowerip4 have a state of active and does destination port 22 have an action of permit?
- Yes: A purepowerip4 state of active and a destination port 22 action of permit indicate that SSH is enabled. This ends the procedure.
- No: Continue with step 10.
- At the command prompt, type the following commands. Press Enter after each command. Then, continue with the next step.
ipfilter --clone purepowerip4 -from default_ipv4
ipfilter --save purepowerip4
- At the command prompt, type the following command and press Enter:
ipfilter --show purepowerip4
- Record the rule number that is associated with destination port 22.
- At the command prompt, type the following commands, where x is the rule number that you recorded in step 11. Press Enter after each command.
ipfilter --delrule purepowerip4 -rule x
ipfilter --addrule purepowerip4 -rule x -sip any -dp 22 -proto tcp -act permit
ipfilter --save purepowerip4
ipfilter --activate purepowerip4
- At the command prompt, type the following command and press Enter:
ipfilter --show purepowerip4
- Is purepowerip4 information displayed?
- Yes: Continue with the next step.
- No: Contact your next level of support. This ends the procedure.
- Does purepowerip4 have a state of active and does destination port 22 have an action of permit?
- Yes: A purepowerip4 state of active and a destination port 22 action of permit indicate that SSH is enabled. This ends the procedure.
- No: Contact your next level of support. This ends the procedure.
- Disconnect the notebook from the serial console port of the SAN48B-5 switch.
This ends the procedure.
Enabling HTTPS on an IBM System Storage SAN48B-5 switch
- On the management node, select .
- In the terminal session, type the following command, where xxx.xxx.xx.xx is the IP address of the SAN48B-5 switch:
ssh root@xxx.xxx.xx.xx
Note: The IP address of SAN48B-5 switch 1 is 192.168.93.11. The IP address of SAN48B-5 switch 2 is 192.168.93.9.
- At the command prompt, type the following command and press Enter:
seccertutil genkey
Follow the prompts to generate keys. When prompted for the key size, type 2048.
- At the command prompt, type the following command and press Enter:
seccertutil gencsr
Follow the prompts. When prompted for common name, type the IP address of the SAN48B-5 switch.
Note: The IP address of SAN48B-5 switch 1 is 192.168.93.11. The IP address of SAN48B-5 switch 2 is 192.168.93.9.
- At the command prompt, type the following command and press Enter:
seccertutil export
Follow the prompts. When prompted for where to export, type the IP address of the management node. When prompted for remote directory, type /tmp/CA.
Note: The IP address of the primary management node is 192.168.93.44. The IP address of the secondary management node is 192.168.93.144.
- At the command prompt of the management node, type the following commands. Press Enter after each command.
mkdir /tmp/CA
mkdir /tmp/CA/newcerts
mkdir /tmp/CA/private
cp -p /etc/pki/tls/openssl.cnf /tmp/CA
- Edit the /tmp/CA/openssl.cnf file so that it has the following information:
dir = /tmp/CA
- At the command prompt, type the following command and press Enter:
openssl req -new -x509 -keyout cakey.pem -out cacert.pem -config openssl.cnf
Follow the prompts. When prompted for a pass phrase, record the phrase for later use. Record the value of cacert.pem for use in step 13 of this procedure.
- At the command prompt, type the following commands. Press Enter after each command.
cp /tmp/CA/cakey.pem /tmp/CA/private
echo '01' >serial
touch index.txt
- At the command prompt, type the following command and press Enter, where xxx.xxx.xx.xx is the IP address of the SAN48B-5 switch:
openssl ca -policy policy_anything -out xxx.xxx.xx.xx.pem -config openssl.cnf -infiles xxx.xxx.xx.xx.csr
Note: The IP address of SAN48B-5 switch 1 is 192.168.93.11. The IP address of SAN48B-5 switch 2 is 192.168.93.9.
Follow the prompts. When prompted for a pass phrase, record the phrase for later use.
- On the management node, select .
- In the terminal session, type the following command, where xxx.xxx.xx.xx is the IP address of the SAN48B-5 switch:
ssh root@xxx.xxx.xx.xx
Note: The IP address of SAN48B-5 switch 1 is 192.168.93.11. The IP address of SAN48B-5 switch 2 is 192.168.93.9.
- At the command prompt, type the following command and press Enter:
seccertutil import -config cacert
Follow the prompts. When prompted, enter the value of cacert.pem that was recorded in step 8.
- At the command prompt, type the following command and press Enter:
seccertutil import -config swcert -enable https
This ends the procedure.
Disabling HTTP on an IBM System Storage SAN48B-5 switch
- On the management node, select .
- In the terminal session, type the following command, where xxx.xxx.xx.xx is the IP address of the SAN48B-5 switch:
ssh admin@xxx.xxx.xx.xx
Note: The IP address of SAN48B-5 switch 1 is 192.168.93.11. The IP address of SAN48B-5 switch 2 is 192.168.93.9.
- At the command prompt, type the following command and press Enter:
ipfilter --show purepowerip4
- Is purepowerip4 information displayed?
- Yes: Continue with the next step.
- No: Continue with step 6.
- Does purepowerip4 have a state of active and does destination port 80 have an action of deny?
- Yes: A purepowerip4 state of active and a destination port 80 action of deny indicate that HTTP is disabled. This ends the procedure.
- No: Continue with step 7.
- At the command prompt, type the following commands. Press Enter after each command. Then, continue with the next step.
ipfilter --clone purepowerip4 -from default_ipv4
ipfilter --save purepowerip4
- At the command prompt, type the following command and press Enter:
ipfilter --show purepowerip4
- Record the rule number that is associated with destination port 80.
- At the command prompt, type the following commands, where x is the rule number that you recorded in step 8. Press Enter after each command.
ipfilter --delrule purepowerip4 -rule x
ipfilter --addrule purepowerip4 -rule x -sip any -dp 80 -proto tcp -act deny
ipfilter --save purepowerip4
ipfilter --activate purepowerip4
- At the command prompt, type the following command and press Enter:
ipfilter --show purepowerip4
- Is purepowerip4 information displayed?
- Yes: Continue with the next step.
- No: Contact your next level of support. This ends the procedure.
- Does purepowerip4 have a state of active and does destination port 80 have an action of deny?
- Yes: A purepowerip4 state of active and a destination port 80 action of deny indicate that HTTP is disabled. This ends the procedure.
- No: Contact your next level of support. This ends the procedure.
Disabling telnet on an IBM System Storage SAN48B-5 switch
- On the management node, select .
- In the terminal session, type the following command, where xxx.xxx.xx.xx is the IP address of the SAN48B-5 switch:
ssh admin@xxx.xxx.xx.xx
Note: The IP address of SAN48B-5 switch 1 is 192.168.93.11. The IP address of SAN48B-5 switch 2 is 192.168.93.9.
- At the command prompt, type the following command and press Enter:
ipfilter --show purepowerip4
- Is purepowerip4 information displayed?
- Yes: Continue with the next step.
- No: Continue with step 6.
- Does purepowerip4 have a state of active and does destination port 23 have an action of deny?
- Yes: A purepowerip4 state of active and a destination port 23 action of deny indicate that telnet is disabled. This ends the procedure.
- No: Continue with step 7.
- At the command prompt, type the following commands. Press Enter after each command. Then, continue with the next step.
ipfilter --clone purepowerip4 -from default_ipv4
ipfilter --save purepowerip4
- At the command prompt, type the following command and press Enter:
ipfilter --show purepowerip4
- Record the rule number that is associated with destination port 23.
- At the command prompt, type the following commands, where x is the rule number that you recorded in step 8. Press Enter after each command.
ipfilter --delrule purepowerip4 -rule x
ipfilter --addrule purepowerip4 -rule x -sip any -dp 23 -proto tcp -act deny
ipfilter --save purepowerip4
ipfilter --activate purepowerip4
- At the command prompt, type the following command and press Enter:
ipfilter --show purepowerip4
- Is purepowerip4 information displayed?
- Yes: Continue with the next step.
- No: Contact your next level of support. This ends the procedure.
- Does purepowerip4 have a state of active and does destination port 23 have an action of deny?
- Yes: A purepowerip4 state of active and a destination port 23 action of deny indicate that telnet is disabled. This ends the procedure.
- No: Contact your next level of support. This ends the procedure.
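The verification that the SSH, HTTP and telnet procedures above each repeat by eye (is purepowerip4 displayed, is it active, and what action does the rule for the destination port carry) can be scripted. The following is an added example, not IBM's code: the `ipfilter --show` output layout, first-match rule evaluation, and the helper names `check_ipfilter` and `sample_show` are assumptions, and the sample output is constructed.

```shell
# Added example: the procedure's ipfilter verification as a script.
# ASSUMPTION: `ipfilter --show` prints "Name: <policy>, Type: <t>, State: <state>"
# followed by rows of: rule, source IP, protocol, dest port (or "lo - hi"), action.
# ASSUMPTION: rules are evaluated in order and the first matching rule decides.

# check_ipfilter POLICY PORT ACTION: reads the show output on stdin.
check_ipfilter() {
    awk -v policy="$1" -v port="$2" -v want="$3" '
    /^Name:/ {
        gsub(/,/, "")                 # "Name: p, Type: ipv4, State: active"
        in_policy = ($2 == policy)
        if (in_policy) state = $NF
        next
    }
    # First TCP rule whose destination port (or range) covers PORT decides.
    in_policy && !rule && $1 ~ /^[0-9]+$/ && $3 == "tcp" {
        lo = $4 + 0; hi = ($5 == "-") ? $6 + 0 : lo
        if (port + 0 >= lo && port + 0 <= hi) { rule = $1; action = $NF }
    }
    END {
        if (state == "")       { print "FAIL " policy ": not displayed"; exit 1 }
        if (state != "active") { print "FAIL " policy ": state is " state; exit 1 }
        if (!rule)             { print "FAIL tcp/" port ": no rule found"; exit 1 }
        if (action != want)    { print "FAIL tcp/" port ": rule " rule " is " action; exit 1 }
        print "OK   tcp/" port ": rule " rule " is " action
    }'
}

# Constructed sample output (not captured from a real switch).
sample_show() {
    cat <<'EOF'
Name: default_ipv4, Type: ipv4, State: defined
Rule    Source IP    Protocol   Dest Port   Action
1       any          tcp        22          permit
2       any          tcp        23          permit
Name: purepowerip4, Type: ipv4, State: active
Rule    Source IP    Protocol   Dest Port   Action
1       any          tcp        22          permit
2       any          tcp        23          deny
3       any          tcp        80          deny
4       any          tcp        600 - 1023  permit
EOF
}

# The three end states this page checks for: SSH on, telnet off, HTTP off.
sample_show | check_ipfilter purepowerip4 22 permit
sample_show | check_ipfilter purepowerip4 23 deny
sample_show | check_ipfilter purepowerip4 80 deny
```

A non-zero exit status corresponds to the "No" branches of the procedure: the policy is missing, is not active, or the port's rule carries the wrong action.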