Cornelis Technical Documentation

5.4.3. Out-of-Band Security

Out-of-band security uses a separate channel or medium for control signaling. In networking, out-of-band management uses a separate physical connection to manage network devices independently of the main data traffic.

5.4.3.1. Fabric Executive

The FE is the part of the Fabric Manager package that provides OOB LAN network-based applications with access to FM-related facilities (that is, SM/SAPM/PA, notifications, and so on). The FE provides this support through a protocol running on top of TCP/IP, which enables these FE client (FEC) applications to interface with the FM facilities in real time.

The FE provides the following means for ensuring that only authorized Omni-Path administrators have access to this functionality:

  • Authenticates the user connecting to the interface. This is to ensure that only Omni-Path administrators have access to the information provided by the FE interface.

  • Provides privacy protection for the channel used to communicate with FEC applications. This is to prevent other administration personnel who are not authorized from obtaining Omni-Path fabric information directly from the administration network by eavesdropping on the communication between FE and FEC.

The following are all the configuration parameters used to configure security for the FE. These parameters are configurable through the Fabric Manager configuration file:

<SslSecurityEnable>1</SslSecurityEnable> 
<SslSecurityDir>/usr/local/ssl/opafm</SslSecurityDir> 
<SslSecurityFmCertificate>fm_cert.pem</SslSecurityFmCertificate> 
<SslSecurityFmPrivateKey>fm_key.pem</SslSecurityFmPrivateKey> 
<SslSecurityFmCaCertificate>fm_ca_cert.pem</SslSecurityFmCaCertificate> 
<SslSecurityFmCertChainDepth>1</SslSecurityFmCertChainDepth> 
<SslSecurityFmDHParameters>fm_dh_parms.pem</SslSecurityFmDHParameters> 
<SslSecurityFmCaCRLEnable>0</SslSecurityFmCaCRLEnable> 
<SslSecurityFmCaCRL>fm_ca_crl.pem</SslSecurityFmCaCRL>
Table 16. Fabric Executive Field Definitions

| Field | Default Value | Description |
|---|---|---|
| SslSecurityEnabled | 1 | This parameter is used to enable/disable SSL security. |
| The following parameters are required by the OpenSSL interface in order to establish a secure socket connection over the OOB network. | | |
| SslSecurityDir | /usr/local/ssl/opafm | This parameter specifies the directory location of OpenSSL-related files. |
| SslSecurityFmCertificate | fm_crt.pem | This parameter specifies the certificate PEM file to be used by the Fabric Manager. |
| SslSecurityFmPrivateKey | fm_key.pem | This parameter specifies the private key PEM file to be used by the Fabric Manager. |
| SslSecurityFmCaCertificate | fm_ca_cert.pem | This parameter specifies the Certificate Authority (CA) certificate PEM file to be used by the Fabric Manager. |
| SslSecurityCertChainDepth | 1 | This parameter specifies the maximum depth to which certificates in a chain are used during the verification procedure. If the certificate chain is longer than allowed, the certificates above the limit are ignored. |
| SslSecurityFmDHParameters | fm_dh_parms.pem | This parameter specifies the Diffie-Hellman parameters PEM file to be used by the Fabric Manager. |
| SslSecurityFmCaCRL | fm_dh_parms.pem | This parameter specifies the CA CRL PEM file to be used by the Fabric Manager. |
| SslSecurityFmCaCRLEnabled | 1 | This parameter is used to enable/disable the usage of the CRL PEM file. |
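
The following Python check is an added example, not part of the Cornelis documentation or the Fabric Manager code. It reads the FE security parameters from a configuration fragment and reports settings that weaken the protections described above. The <Sample> wrapper element, the function names, and the owner-only permission test on the private key are assumptions of this example; the lookup accepts both spellings of the enable switches because the page uses both.

```python
import os
import stat
import xml.etree.ElementTree as ET

# The page's listing, wrapped in a hypothetical <Sample> root (constructed).
SAMPLE = """<Sample>
<SslSecurityEnable>1</SslSecurityEnable>
<SslSecurityDir>/usr/local/ssl/opafm</SslSecurityDir>
<SslSecurityFmCertificate>fm_cert.pem</SslSecurityFmCertificate>
<SslSecurityFmPrivateKey>fm_key.pem</SslSecurityFmPrivateKey>
<SslSecurityFmCaCertificate>fm_ca_cert.pem</SslSecurityFmCaCertificate>
<SslSecurityFmDHParameters>fm_dh_parms.pem</SslSecurityFmDHParameters>
<SslSecurityFmCaCRLEnable>0</SslSecurityFmCaCRLEnable>
<SslSecurityFmCaCRL>fm_ca_crl.pem</SslSecurityFmCaCRL>
</Sample>"""
FILE_PARAMS = ["SslSecurityFmCertificate", "SslSecurityFmPrivateKey",
               "SslSecurityFmCaCertificate", "SslSecurityFmDHParameters"]

def _get(root, *names):
    """Text of the first element found under any of the given tag names."""
    for name in names:
        node = next(root.iter(name), None)
        if node is not None and node.text:
            return node.text.strip()
    return None

def audit_fe_tls(xml_text):
    """Return findings (strings) for the FE SSL settings in xml_text."""
    root, findings = ET.fromstring(xml_text), []
    # The page spells both switches with and without a trailing "d".
    if _get(root, "SslSecurityEnable", "SslSecurityEnabled") != "1":
        return ["SSL security disabled: FE channel is not authenticated or encrypted"]
    ssl_dir = _get(root, "SslSecurityDir") or ""
    crl_on = _get(root, "SslSecurityFmCaCRLEnable", "SslSecurityFmCaCRLEnabled") == "1"
    if not crl_on:
        findings.append("CRL checking disabled: certificates revoked by the CA are not rejected")
    for param in FILE_PARAMS + (["SslSecurityFmCaCRL"] if crl_on else []):
        name = _get(root, param)
        path = os.path.join(ssl_dir, name or "")
        if name is None or not os.path.isfile(path):
            findings.append(f"{param}: file not set or missing ({path})")
        elif param == "SslSecurityFmPrivateKey":
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other access
                findings.append(f"{param}: {path} has mode {mode:o}, accessible beyond owner")
    return findings

if __name__ == "__main__":
    for finding in audit_fe_tls(SAMPLE):
        print(finding)
```

The CRL file is only checked for presence when CRL usage is enabled, so turning the switch on without deploying the file is reported rather than silently ignored.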