Reference Guide

652 Fabric OS Administrator’s Guide
53-1002920-02
Preparing a switch for FIPS
B
Refer to Table 97 on page 648 for a complete list of restrictions between FIPS and non-FIPS
modes.
ATTENTION
You need both securityadmin and admin permissions to enable FIPS mode.
Overview of steps
1. Remove legacy OpenSSH DSA keys.
2. Optional: Configure the RADIUS server or the LDAP server.
3. Optional: Configure any authentication protocols.
4. For LDAP only: Install an SSL certificate on the Microsoft Active Directory server and a CA certificate on the switch for using LDAP authentication.
5. Create separate IP filter policies for IPv4 and IPv6 and block access to Telnet (TCP port 23) or HTTP (TCP port 80).
6. Set the SNMP security level to off.
7. Configure the switch for signed firmware.
8. Disable in-flight encryption.
9. Disable IPsec for Ethernet and IPsec for FCIP.
10. Disable in-band management.
11. Disable authspec modes if TACACS+ authentication or non-PEAP RADIUS are configured.
12. Disable root access.
13. Enable the KATs and the conditional tests.
14. Disable the boot PROM access.
15. Enable FIPS.
16. Perform zeroization as described in “Zeroizing for FIPS” on page 655.
Enabling FIPS mode
1. Log in to the switch using an account with securityadmin permissions.
2. Enter the sshutil delpubkeys and sshutil delprivkey commands to remove legacy OpenSSH DSA keys.
These keys, which previously were the default keys, migrate to Fabric OS v7.0.0 but are no longer supported in FIPS mode. You must remove these keys to remain FIPS-compliant.
NOTE
Support for RSA keys is retained. You can implement RSA keys using the sshutil command.
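Step 2 removes the legacy DSA keys because, as the note states, only RSA keys remain usable in FIPS mode. The following is an added example, not code from the Fabric OS guide or from Brocade: a small Python audit that classifies OpenSSH public-key lines (authorized_keys format) by the key type recorded inside the base64 blob rather than by the leading label, so a DSA key mislabelled as ssh-rsa is still flagged before it is pushed to a switch. The sample key lines are constructed with dummy key material, and the allowed-type set is an assumption taken from the note (RSA retained, DSA unsupported).

```python
"""Audit OpenSSH public-key lines for FIPS-mode compatibility.

Added example (not from the Fabric OS guide). The guide says legacy DSA
keys are not supported in FIPS mode while RSA keys are retained; this
script flags every key whose embedded type is not in the allowed set.
"""
import base64
import struct

# Assumption derived from the guide's note: RSA is retained, DSA is not.
FIPS_ALLOWED_KEY_TYPES = {"ssh-rsa"}


def blob_key_type(blob: bytes) -> str:
    """Return the key-type string from an SSH wire-format public-key blob.

    The blob begins with a big-endian uint32 length followed by the type
    string (e.g. b"ssh-dss" or b"ssh-rsa"); key material follows it.
    """
    if len(blob) < 4:
        raise ValueError("blob too short to hold a key-type field")
    (n,) = struct.unpack(">I", blob[:4])
    if n > len(blob) - 4:
        raise ValueError("truncated key-type field")
    return blob[4:4 + n].decode("ascii")


def classify_key_line(line: str) -> dict:
    """Classify one '<label> <base64-blob> [comment]' line.

    The verdict is based on the type inside the blob, not the label, so a
    mislabelled line cannot pass. Raises ValueError on malformed input
    (binascii.Error from a bad base64 string is a ValueError subclass).
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    label, b64 = parts[0], parts[1]
    actual = blob_key_type(base64.b64decode(b64, validate=True))
    return {
        "label": label,
        "type": actual,
        "label_matches_blob": label == actual,
        "fips_allowed": actual in FIPS_ALLOWED_KEY_TYPES,
        "comment": " ".join(parts[2:]),
    }


def audit_public_keys(text: str) -> list:
    """Return findings (line number + problem) for keys to remove or repair."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no key
        try:
            info = classify_key_line(line)
        except ValueError as exc:
            findings.append({"line": lineno, "problem": f"unparseable: {exc}"})
            continue
        if not info["fips_allowed"]:
            detail = f"{info['type']} key not supported in FIPS mode"
            if not info["label_matches_blob"]:
                detail += f" (line is labelled {info['label']})"
            findings.append({"line": lineno, "problem": detail})
    return findings


def make_sample_blob(key_type: str) -> str:
    """Constructed blob: correct type header followed by dummy key bytes."""
    t = key_type.encode("ascii")
    return base64.b64encode(struct.pack(">I", len(t)) + t + b"\x00" * 16).decode()


# Constructed sample key file (not real keys): a DSA key, an RSA key,
# a DSA blob mislabelled as RSA, and a line that is not valid base64.
SAMPLE_KEYS = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-dss {make_sample_blob('ssh-dss')} legacy@admin-host",
    f"ssh-rsa {make_sample_blob('ssh-rsa')} admin@mgmt-host",
    f"ssh-rsa {make_sample_blob('ssh-dss')} mislabelled@host",
    "ssh-rsa notbase64!! broken@host",
])

if __name__ == "__main__":
    for finding in audit_public_keys(SAMPLE_KEYS):
        print(f"line {finding['line']}: {finding['problem']}")
```

Run it against the constructed sample and it reports the DSA key, the mislabelled DSA key and the unparseable line, while the RSA key passes; point it at a real key file by reading the file into `audit_public_keys` and treat every finding as a key to delete or regenerate before enabling FIPS.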
3. Optional: Select the appropriate authentication method based on your needs:
If the switch is set for RADIUS, enter the aaaConfig --change or aaaConfig --remove command to modify each server to use only PEAP-MSCHAPv2 as the authentication protocol.