Brocade Fabric OS Administrator's Guide Supporting Fabric OS v6.3.0 (53-1001336-02, November 2009)
Fabric OS Administrator’s Guide 535
53-1001336-02
FIPS mode configuration
D
FIPS mode configuration
By default, the switch comes up in non-FIPS mode. You can run the fipsCfg --enable fips command
to enable FIPS mode, but you need to configure the switch first. Self-tests mode must be enabled
before FIPS mode can be enabled. A set of prerequisites as mentioned in the table below must be
satisfied for the system to enter FIPS mode. To be FIPS-compliant, the switch must be rebooted.
KATs are run on the reboot. If the KATs are successful, the switch enters FIPS mode. If KATs fail,
then the switch reboots until the KATs succeed. If the switch cannot enter FIPS mode and
continues to reboot, you must access the switch in single-user mode to break the reboot cycle. For
more information on how to fix this issue, refer to the Fabric OS Troubleshooting and Diagnostics
Guide
Only FIPS-compliant algorithms are run at this stage.
TABLE 100 FIPS mode restrictions
Features FIPS mode Non-FIPS mode
Root account Disabled Enabled
Telnet/SSH access Only SSH Telnet and SSH
SSH algorithms HMAC-SHA1 (mac)
3DES-CBC, AES128-CBC, AES192-CBC,
AES256-CBC (cipher suites)
No restrictions
HTTP/HTTPS access HTTPS only HTTP and HTTPS
HTTPS
protocol/algorithms
TLS/AES128 cipher suite TLS/AES128 cipher suite
(SSL will no longer be supported)
RPC/secure RPC access Secure RPC only RPC and secure RPC
Secure RPC protocols TLS - AES128 cipher suite SSL and TLS – all cipher suites
SNMP Read-only operations Read and write operations
DH-CHAP/FCAP hashing
algorithms
SHA-1 MD5 and SHA-1
Signed firmware Mandatory firmware signature validation. Optional firmware signature
validation
Configupload/
download/
supportsave/
firmwaredownload
SCP only FTP and SCP
IPsec For FCIP IPSec the DH group 1 is
FIPS-compliant and is not blocked. Usage of
AES-XCBC, MD5 and DH group 0 and 1 are
blocked.
For IPSec (Ethernet), only MD5 is blocked in
FIPS mode.
No restrictions
Radius auth protocols PEAP-MSCHAPv2 CHAP, PAP, PEAP-MSCHAPv2