Brocade Fabric OS Administrator's Guide Supporting Fabric OS v6.3.0 (53-1001336-02, November 2009)

ManualsBrandsHP ManualsStorageBrocade 8/24c SAN Switch for BladeSystem c-Class

571

572

573

574

575

576

577

578

579

580

534 Fabric OS Administrator’s Guide

53-1001336-02

Zeroization functions

Power-up self tests

The self tests are invoked by powering on the switch in FIPS mode and do not require any operator

intervention. These power-up self tests perform power-on self-tests. If any KATs fail, the switch goes

into a FIPS Error state which reboots the system to start the tests again. If the switch continues to

fail the FIPS POST tests, you will need to boot into single-user mode and perform a recovery

procedure to reset the switch. For more information on this procedure, refer to the Fabric OS

Troubleshooting and Diagnostics Guide.

Conditional Tests

These tests are for the random number generators and are executed to verify the randomness of

the random number generator. The conditional tests are executed each time prior to using the

random number provided by the random number generator.

The results of all self-tests, for both power-up and conditional, are recorded in the system log or are

output to the local console. This includes logging both passing and failing results. Refer to the

Fabric OS Troubleshooting and Diagnostics Guide for instructions on how to recover if your system

cannot get out of the conditional test mode.

FCAP Private Key pkiremove The pkiCreate command creates the keys, and

'pkiremove' removes/zeroizes the keys.

SSH Session Key No CLI required This is generated for each SSH session that is

established to and from the host. It automatically

zeroizes on session termination.

SSH RSA private Key No CLI required Key-based SSH authentication is not used for SSH

sessions.

RNG Seed Key No CLI required /dev/urandom is used as the initial source of seed for

RNG. RNG seed key is zeroized on every random

number generation.

Passwords passwddefault

fipscfg –-zeroize

This will remove user-defined accounts in addition to

default passwords for the root, admin, and user

default accounts. However only root has permissions

for this command. So securityadmin and admin roles

need to use fipsCfg

–-zeroize, which in addition to

removing user accounts and resetting passwords, also

does the complete zerioization of the system.

TLS private keys seccertutil delkey The command secCertUtil delkey is used to zeroize

these keys.

TLS pre-master secret No CLI required Automatically zeroized on session termination.

TLS session key No CLI required Automatically zeroized on session termination.

TLS authentication key No CLI required Automatically zeroized on session termination.

RADIUS secret aaaconfig –-remove The aaaConfig

--remove zeroizes the secret and

deletes a configured server.

TABLE 99 Zeroization Behavior

Keys Zeroization CLI Description