System and method for supporting persistent secure management key (M_Key) in a network environment
Abstract
A system and method can support security management in a network environment. A switch in the network environment includes a switch chip, which is configured with a secure management key (M_Key) prior to one or more external links becoming operational. Furthermore, a local daemon in the switch can monitor the secure M_Key on the switch chip, and persistently store a current M_Key used by a local subnet manager (SM). The current M_Key is a state that is dynamically updated in a fabric in the network environment.
20 Claims
1. A method for supporting security management by a subnet manager (SM) on a network switch in a network environment, the network switch comprising a switch chip comprising a switch chip memory and a processor coupled with the switch chip memory, the method comprising:
- setting up a management key (M_Key) on the switch chip memory of the switch chip in the network switch in the network environment;
- operating a local monitoring daemon on the network switch;
- operating a transactional command line interface (CLI) on the network switch;
- persistently storing, via the local monitoring daemon on the network switch, a current M_Key to the switch chip memory of the switch chip as a persistent secret M_Key;
- prior to enabling external connectivity between the network switch and the network environment following the network switch becoming unmanageable by the SM relative to secure communication between the network switch and the network environment, initializing the M_Key set up on the switch chip memory of the switch chip to match that of the persistent secret M_Key persistently stored to the switch chip memory of the switch chip by the local monitoring daemon;
- preventing any external links of the network switch relative to the network environment from becoming operational unless: the persistent secret M_Key initialized to the M_Key set up on the switch chip memory of the switch is a recognized M_Key in the network environment, or a refreshed M_Key, selectively received via the CLI operating on the network switch responsive to the persistent secret M_Key initialized to the M_Key set up on the switch chip memory of the switch chip being an unrecognized M_Key in the network environment, is a recognized M_Key in the network environment, or the refreshed M_Key, selectively received via the CLI operating on the network switch responsive to the persistent secret M_Key initialized to the M_Key set up on the switch chip memory of the switch chip being an unrecognized M_Key in the network environment, is an M_Key recognized by the local SM; and
- authenticating the network switch relative to the network environment by the local SM using: the persistent secret M_Key initialized to the M_Key set up on the switch chip memory of the switch chip, or the refreshed M_Key received via the CLI.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.
11. A system for supporting security management by a subnet manager (SM) on a network switch in a network environment, the system comprising:
- one or more processors;
- a local monitoring daemon, running on the one or more processors;
- a transactional command line interface (CLI) running on the one or more processors; and
- a switch chip in a switch comprising a switch chip memory operatively coupled with the one or more processors,
wherein the switch chip memory of the switch chip is configured with a management key (M_Key),
wherein the local monitoring daemon operates to persistently store a current M_Key to the switch chip memory of the switch chip as a persistent secret M_Key,
wherein prior to enabling one or more external links between the network switch and the network environment following the network switch becoming unmanageable by the SM relative to secure communication between the network switch and the network environment, the M_Key configured on the switch chip memory of the switch chip is initialized to match the persistent secret M_Key persistently stored to the switch chip memory of the switch chip by the local monitoring daemon,
wherein any external links of the network switch are prevented from becoming operational relative to the network environment unless: the persistent secret M_Key initialized to the M_Key configured on the switch chip memory of the switch is a recognized M_Key in the network environment, or a refreshed M_Key, selectively received via the CLI operating on the network switch responsive to the persistent secret M_Key initialized to the M_Key configured on the switch chip memory of the switch chip being an unrecognized M_Key in the network environment, is a recognized M_Key in the network environment, or the refreshed M_Key, selectively received via the CLI operating on the network switch responsive to the persistent secret M_Key initialized to the M_Key configured on the switch chip memory of the switch chip being an unrecognized M_Key in the network environment, is an M_Key recognized by the local SM,
wherein the network switch is authenticated relative to the network environment by the local SM using: the persistent secret M_Key initialized to the M_Key set up on the switch chip memory of the switch chip, or the refreshed M_Key received via the CLI.
Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19.
20. A non-transitory machine readable storage medium having instructions stored thereon that when executed cause a system to perform steps for supporting security management by a subnet manager (SM) on a network switch in a network environment, the network switch comprising a switch chip comprising a switch chip memory and a processor coupled with the switch chip memory, the steps comprising:
- setting up a management key (M_Key) on the switch chip memory of the switch chip in the network switch in the network environment;
- operating a local monitoring daemon on the network switch;
- operating a transactional command line interface (CLI) on the network switch;
- persistently storing, via the local monitoring daemon on the network switch, a current M_Key to the switch chip memory of the switch chip as a persistent secret M_Key;
- prior to enabling external connectivity between the network switch and the network environment following the network switch becoming unmanageable by the SM relative to secure communication between the network switch and the network environment, initializing the M_Key set up on the switch chip memory of the switch chip to match that of the persistent secret M_Key persistently stored to the switch chip memory of the switch chip by the local monitoring daemon;
- preventing any external links of the network switch relative to the network environment from becoming operational unless: the persistent secret M_Key initialized to the M_Key set up on the switch chip memory of the switch is a recognized M_Key in the network environment, or a refreshed M_Key, selectively received via the CLI operating on the network switch responsive to the persistent secret M_Key initialized to the M_Key set up on the switch chip memory of the switch chip being an unrecognized M_Key in the network environment, is a recognized M_Key in the network environment, or the refreshed M_Key, selectively received via the CLI operating on the network switch responsive to the persistent secret M_Key initialized to the M_Key set up on the switch chip memory of the switch chip being an unrecognized M_Key in the network environment, is an M_Key recognized by the local SM; and
- authenticating the network switch relative to the network environment by the local SM using: the persistent secret M_Key initialized to the M_Key set up on the switch chip memory of the switch chip, or the refreshed M_Key received via the CLI.
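As an added illustration (not the patent's own code), the following Python model walks through the boot-time gate the independent claims describe: the daemon-persisted M_Key is restored to the switch chip, external links stay down unless that key is recognized, and a refreshed key supplied through the CLI is considered only when the persisted one is unrecognized. It assumes a single list of recognized keys standing in for both "recognized in the network environment" and "recognized by the local SM", 8-byte key values, and constructed names and values throughout.

```python
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class SwitchChip:
    """Constructed model of switch chip memory (assumption): the active M_Key,
    the copy the local monitoring daemon persists, and the link state."""
    m_key: bytes = b""
    persistent_m_key: bytes = b""
    links_up: bool = False


def daemon_persist_current_key(chip: SwitchChip, current: bytes) -> None:
    """Local monitoring daemon: store the SM's current M_Key as the persistent secret."""
    chip.persistent_m_key = current


def is_recognized(key: bytes, recognized: list) -> bool:
    """Constant-time membership test against the keys the fabric / local SM accepts."""
    return any(hmac.compare_digest(key, k) for k in recognized)


def bring_up_after_loss(chip: SwitchChip, recognized: list,
                        cli_refresh: Optional[bytes] = None) -> Optional[bytes]:
    """Run after the switch became unmanageable (e.g. a reboot, assumption).
    Returns the M_Key the local SM authenticates with, or None if links stay down."""
    # Step 1: before any external link is enabled, re-initialise the chip M_Key
    # from the daemon-persisted secret.
    chip.m_key = chip.persistent_m_key
    chip.links_up = False
    # Step 2: the gate. Links become operational only with a recognized key.
    if is_recognized(chip.m_key, recognized):
        chip.links_up = True
        return chip.m_key
    # Step 3: only because the persisted key is unrecognized, a refreshed key
    # received via the transactional CLI is considered; it too must be recognized.
    if cli_refresh is not None and is_recognized(cli_refresh, recognized):
        chip.m_key = cli_refresh
        chip.links_up = True
        return chip.m_key
    # Otherwise links stay down and there is no key to authenticate with.
    return None
```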