Brocade Fabric OS Administrator's Guide Supporting Fabric OS v6.3.0 (53-1001336-02, November 2009)

Appendix D: FIPS support
In this appendix
  FIPS overview (page 533)
  Zeroization functions (page 533)
  FIPS mode configuration (page 535)
  Preparing the switch for FIPS (page 539)
FIPS overview
Federal Information Processing Standards (FIPS) specify the security standards that a cryptographic module used in Fabric OS v6.0.0 and later must satisfy to protect sensitive information in the switch. As part of FIPS 140-2 Level 2 compliance, passwords, shared secrets, and the private keys used in SSL, TLS, and system login need to be cleared out or zeroized. Power-up self tests are executed when the switch is powered on to check the consistency of the algorithms implemented in the switch. Known-answer tests (KATs) exercise various features of each algorithm, and their results are displayed on the console for your reference. Conditional tests are performed whenever an RSA key pair is generated. These tests verify the randomness of the deterministic and non-deterministic random number generators (DRNG and non-DRNG). They also verify the consistency of RSA keys with regard to signing and verification, and encryption and decryption.
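The power-up and conditional self tests described above, as an added example that is not code from the original guide or from Fabric OS: a Python sketch of the same test structure. The SHA-256 and HMAC-SHA-256 known answers are the published test vectors (the FIPS 180-2 "abc" and empty-message digests, and RFC 4231 test case 2); the continuous RNG test follows the FIPS 140-2 rule that consecutive output blocks must differ; the RSA pairwise-consistency check uses a constructed textbook key (n=3233, e=17, d=2753) that is far too small for real use and stands in for the switch's generated key pair. All function names are assumptions.

```python
import hashlib
import hmac
import os

# Published known-answer vectors, embedded so the self test runs offline.
KNOWN_ANSWERS = {
    "sha256": [
        (b"abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
        (b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ],
    "hmac-sha256": [
        # RFC 4231 test case 2: key "Jefe", data "what do ya want for nothing?"
        (b"Jefe", b"what do ya want for nothing?",
         "5bdcc146bf60754e6a042426089575c75a003f089d2739839dec58b964ec3843"),
    ],
}

# Constructed textbook RSA parameters (p=61, q=53): toy size, demonstration only.
TOY_RSA = (3233, 17, 2753)  # (n, e, d)


def run_power_up_kats():
    """Power-up KATs: compute each algorithm over a fixed input and compare with the
    published answer. Returns {test name: passed} so every result can be reported."""
    results = {}
    for msg, expected in KNOWN_ANSWERS["sha256"]:
        results["sha256:%r" % msg] = hashlib.sha256(msg).hexdigest() == expected
    for key, msg, expected in KNOWN_ANSWERS["hmac-sha256"]:
        digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
        results["hmac-sha256:rfc4231-tc2"] = digest == expected
    return results


def continuous_rng_test(rng, block_len=16, blocks=8):
    """FIPS 140-2 continuous RNG test: a generator that repeats its previous output
    block is treated as failed. rng(n) must return n bytes."""
    previous = rng(block_len)
    for _ in range(blocks):
        current = rng(block_len)
        if current == previous:
            return False
        previous = current
    return True


def rsa_pairwise_consistency(n, e, d, message=42):
    """Conditional test run after key generation: sign then verify, and encrypt then
    decrypt, must each round-trip with the new key pair (textbook RSA, no padding)."""
    signature = pow(message, d, n)
    if pow(signature, e, n) != message:
        return False
    ciphertext = pow(message, e, n)
    return pow(ciphertext, d, n) == message


def self_test(rng=os.urandom):
    """Run every test; a single failure means the module must not enter service.
    Returns (overall_ok, per-KAT results)."""
    kats = run_power_up_kats()
    ok = all(kats.values()) and continuous_rng_test(rng) and rsa_pairwise_consistency(*TOY_RSA)
    return ok, kats


if __name__ == "__main__":
    ok, kats = self_test()
    for name, passed in sorted(kats.items()):
        print("%-32s %s" % (name, "PASS" if passed else "FAIL"))
    print("self test:", "PASS" if ok else "FAIL")
```

A real module stops and reports an error state on any failure rather than continuing; the split between `run_power_up_kats` (once at boot) and `rsa_pairwise_consistency` (every time a key pair is generated) mirrors the power-up versus conditional distinction in the text.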
ATTENTION
When FIPS mode is enabled, this is a chassis-wide setting and affects all logical switches.
Zeroization functions
Explicit zeroization can be done at the discretion of the security administrator. These functions
clear the passwords and the shared secrets. The following table lists the various keys used in the
system that will be zeroized in a FIPS-compliant Fabric OS module.
TABLE 99 Zeroization Behavior

Keys: DH private keys
Zeroization CLI: No CLI required
Description: Keys will be zeroized within code before they are released from memory.

Keys: FCSP Challenge Handshake Authentication Protocol (CHAP) secret
Zeroization CLI: secAuthSecret --remove value | --all
Description: The secAuthSecret --remove value command is used to remove the specified keys from the database. When the secAuthSecret command is used with the --remove --all option, the entire key database is deleted.
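Zeroizing a secret in code before its memory is released, and the difference between removing one entry and deleting the whole database in Table 99, as an added example that is not code from the original guide or from Fabric OS: a constructed in-memory secret store in Python. `SecretStore` and `sec_auth_secret_remove` are hypothetical names modelled on the `secAuthSecret --remove value | --all` form in the table, and the peer names and secret values are constructed. Python cannot promise that every copy of an immutable `bytes` object is erased, so the store keeps each secret only in a mutable `bytearray` and overwrites it in place before dropping the reference.

```python
class SecretStore:
    """Constructed key database: each secret lives only in a bytearray we own."""

    def __init__(self):
        self._secrets = {}  # name -> bytearray

    def add(self, name, secret):
        # Copy into a mutable buffer so it can later be overwritten in place.
        self._secrets[name] = bytearray(secret)

    def names(self):
        return sorted(self._secrets)

    @staticmethod
    def zeroize(buf):
        """Overwrite buf in place and confirm every byte reads back as zero.
        Same-length slice assignment rewrites the existing buffer rather than
        allocating a new one."""
        buf[:] = bytes(len(buf))
        return all(b == 0 for b in buf)

    def remove(self, name):
        """Zeroize one secret, then drop it from the database (KeyError if unknown)."""
        buf = self._secrets.pop(name)
        return self.zeroize(buf)

    def remove_all(self):
        """Zeroize and drop every secret; evaluate all of them before reporting."""
        results = [self.remove(name) for name in list(self._secrets)]
        return all(results)


def sec_auth_secret_remove(store, value=None, remove_all=False):
    """Hypothetical model of 'secAuthSecret --remove value | --all'.
    Returns the list of names removed; raises if zeroization could not be verified."""
    if remove_all:
        removed = store.names()
        if not store.remove_all():
            raise RuntimeError("zeroization verification failed")
        return removed
    if value is None:
        raise ValueError("a value or --all is required")
    if not store.remove(value):
        raise RuntimeError("zeroization verification failed")
    return [value]


if __name__ == "__main__":
    db = SecretStore()
    db.add("peer-a", b"constructed-chap-secret-1")  # constructed sample entries
    db.add("peer-b", b"constructed-chap-secret-2")
    print("removed:", sec_auth_secret_remove(db, value="peer-a"), "remaining:", db.names())
    print("removed:", sec_auth_secret_remove(db, remove_all=True), "remaining:", db.names())
```

The read-back check in `zeroize` is what turns "clear the secret" into something an operator can verify; a store that only drops the reference leaves the bytes in memory until the allocator reuses them.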