FOS REST API function calls are permitted or denied based on user privilege configurations determined by the role-based access control (RBAC) functionality in Fabric OS.

Implementing the following changes on your Brocade switches will not interrupt system operation or compromise performance. These adjustments can be safely applied even on a running production system.

Brocade REST API is supported on SAN switches running Fabric OS 8.2.1 and later, but we recommend using FOS 9 or higher. Switches running earlier versions cannot be monitored by BVQ (see Supported Brocade systems).

Brocade SAN Switch User

For switches running FOS 9, the user needs at least the permissions of the default role basicswitchadmin for all virtual switches and the chassis. For switches running FOS 8.2.x, the user needs at least the permissions of the default role admin. For all versions, the default switch role user is not supported, because it has no permission to observe the RBAC class configure, which BVQ needs to gather information about the switch configuration.

Depending on the specific FOS level, the following user has to be added on each switch you want to scan:

Add BVQ user via FOS CLI (switches with VF)

```bash
# FOS 9.x:
userconfig --add bvq -r basicswitchadmin -c basicswitchadmin -l 1-128 -h 128 -d "BVQ Scanner User" -p ChangeMeP@ssw0rd
# Replace the initial password with the final one at the prompt
passwd bvq
> <final_password>

# FOS 8.2.x:
userconfig --add bvq -r admin -c admin -l 1-128 -h 128 -d "BVQ Scanner User" -p ChangeMeP@ssw0rd
# Replace the initial password with the final one at the prompt
passwd bvq
> <final_password>
```

Add BVQ user via FOS CLI (switches without VF)

```bash
# FOS 9.x:
userconfig --add bvq -r basicswitchadmin -d "BVQ Scanner User" -p ChangeMeP@ssw0rd
passwd bvq
> <final_password>

# FOS 8.2.x:
userconfig --add bvq -r admin -d "BVQ Scanner User" -p ChangeMeP@ssw0rd
passwd bvq
> <final_password>
```

Increase REST sessions

It is also an essential requirement to increase the number of allowed REST sessions to 10 on each switch in the fabric. This adjustment is a necessary step to ensure efficient operation.

Increase the number of allowed REST sessions to 10

```bash
mgmtapp --config -maxrestsession 10
mgmtapp --show
REST Configuration:
Interface State: Enabled
Effective Protocol: HTTPS only
HTTP State: Enabled
Session Count: 10
Throttling Configurations:
Sample Requests : 120
Sample Time (in sec) : 30
Idle Time (in sec) : 3
```
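
To confirm the setting on every switch, captured `mgmtapp --show` output can be checked by script. The following is an added example, not part of the original page or of BVQ; the function name `check_mgmtapp` and the OK/FAIL/INFO line format are assumptions, and the sample input is the output shown above.

```bash
# Added example: check captured `mgmtapp --show` output against this page.
# Exit status of check_mgmtapp: 0 = ready for BVQ, 1 = change needed.
REQUIRED_SESSIONS=10   # session count this page requires

check_mgmtapp() {
    awk -v need="$REQUIRED_SESSIONS" '
        {   # Split "Key : Value" on the first colon and trim blanks.
            pos = index($0, ":")
            if (pos == 0) next
            key = substr($0, 1, pos - 1); val = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "Interface State")    state = val
            if (key == "Effective Protocol") proto = val
            if (key == "Session Count")      count = val
        }
        END {
            rc = 0
            if (state != "Enabled") {
                print "FAIL Interface State is \"" state "\", expected Enabled"
                rc = 1
            }
            if (count !~ /^[0-9]+$/) {
                print "FAIL Session Count not found in output"; rc = 1
            } else if (count + 0 < need + 0) {
                print "FAIL Session Count is " count ", required " need; rc = 1
            } else {
                print "OK   Session Count is " count
            }
            # Compare with the protocol chosen in the scanner configuration.
            print "INFO Effective Protocol: " (proto == "" ? "unknown" : proto)
            exit rc
        }'
}

# Sample input: the output shown on this page, piped in as captured text.
SAMPLE='REST Configuration:
Interface State: Enabled
Effective Protocol: HTTPS only
HTTP State: Enabled
Session Count: 10'
printf '%s\n' "$SAMPLE" | check_mgmtapp
```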

Unlike BVQ versions prior to 2023.H1, where Brocade scanner configurations had to be configured for each virtual fabric, only one scanner configuration per SAN is now required. All switches that belong to the same fabric or are reachable by any virtual fabric on one of those switches will be detected and configured in a single scanner configuration.

The switch IP used to discover the SAN must be one that has the virtual fabrics feature enabled, unless none of the switches in the fabric support this feature or have it enabled. Switches in access gateway mode are not part of the fabric and hence have to be added to the configuration manually.

BVQ scanner configurations need the following input:

- Switch IP address or DNS name of one switch in the SAN. This does not need to be the principal but must be one that has virtual fabrics enabled if any of the switches in the SAN are using this feature.
- Protocol - http or https
- Switch username and password
- Port number (if not default)

SSL / HTTPS certificate handling

Show the HTTPS certificate via FOS CLI

```bash
seccertmgmt show -cert https
```

If you want to enable the BVQ Scanner Switch Check SSL certificate, you need to install a non-self-signed certificate on the switch.

Note: If switches or virtual fabrics are added to or removed from the SAN, the scanner configuration needs to be adjusted manually. Edit the scanner configuration and select "Discover switches" to rediscover the SAN.