Brocade Fabric OS Administrator's Guide Supporting Fabric OS v6.3.0 (53-1001336-02, November 2009)

1. Connect to the switch and log in as admin.
2. Enter the secCertUtil delete -ldapcacert <file_name> command, where <file_name> is the name of the LDAP CA certificate on the switch.
Example of deleting an LDAP CA certificate
switch:admin> seccertutil delete -ldapcacert LDAPTestCa.pem
WARNING!!!
About to delete certificate: LDAPTestCa.cer
ARE YOU SURE (yes, y, no, n): [no] y
Deleted LDAP certificate successfully
Preparing the switch for FIPS
The following functions are blocked in FIPS mode. Therefore, it is important to prepare the switch by disabling these functions prior to enabling FIPS:
• The root account and all root-only functions are not available.
• HTTP, Telnet, RPC, and SNMP protocols need to be disabled. Once these are blocked, you cannot use these protocols to read or write data from and to the switch.
• The configDownload and firmwareDownload commands using an FTP server are blocked.
See Table 100 on page 535 for a complete list of restrictions between FIPS and non-FIPS modes.
ATTENTION
Only accounts assigned the SecurityAdmin or Admin role can enable FIPS mode.
Overview of steps
1. Optional: Configure RADIUS server or LDAP server.
2. Optional: Configure authentication protocols.
3. For LDAP only: Install the SSL certificate on the Microsoft Active Directory server and the CA certificate on the switch for using LDAP authentication.
4. Block Telnet, HTTP, and RPC.
5. Disable BootProm access.
6. Configure the switch for signed firmware.
7. Disable root access.
8. Enable FIPS.
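The overview above is a checklist of settings that must already be in place before FIPS is enabled. The following pre-flight check is an added example, not code from the Brocade guide or from Fabric OS: it evaluates a snapshot of the relevant switch settings and reports every unmet prerequisite from the list above. The SwitchState fields and the sample values are constructed assumptions; how you collect them from a real switch (for example by parsing CLI output over SSH) is not shown here.

```python
"""Pre-flight check for the FIPS prerequisites listed in the overview.

Added example (not part of the Brocade guide). The field names of SwitchState
are hypothetical; they model the settings the overview says must be prepared.
"""

from dataclasses import dataclass, field
from typing import Dict, List

# Protocols the guide says must be blocked/disabled before enabling FIPS.
BLOCKED_PROTOCOLS = ("telnet", "http", "rpc", "snmp")
# Only these roles may enable FIPS mode (guide: SecurityAdmin and Admin).
FIPS_ENABLE_ROLES = {"admin", "securityadmin"}
# The only authentication protocol a RADIUS server may use in FIPS mode.
REQUIRED_RADIUS_PROTOCOL = "peap-mschapv2"


@dataclass
class SwitchState:
    """Hypothetical snapshot of the settings the checklist depends on."""
    login_role: str
    protocols_enabled: Dict[str, bool]           # protocol name -> still enabled?
    bootprom_access_enabled: bool
    signed_firmware_required: bool
    root_account_enabled: bool
    radius_servers: Dict[str, List[str]] = field(default_factory=dict)  # server -> auth protocols
    ldap_configured: bool = False
    ldap_ca_cert_installed: bool = False


def fips_blockers(state: SwitchState) -> List[str]:
    """Return the list of unmet prerequisites; an empty list means ready."""
    findings: List[str] = []
    if state.login_role.lower() not in FIPS_ENABLE_ROLES:
        findings.append(f"role '{state.login_role}' cannot enable FIPS; use admin or securityAdmin")
    for proto in BLOCKED_PROTOCOLS:
        # Fail closed: a protocol missing from the snapshot is treated as enabled.
        if state.protocols_enabled.get(proto, True):
            findings.append(f"{proto} is still enabled; block it before enabling FIPS")
    if state.bootprom_access_enabled:
        findings.append("BootProm access is enabled; disable it")
    if not state.signed_firmware_required:
        findings.append("signed firmware is not enforced; configure the switch for signed firmware")
    if state.root_account_enabled:
        findings.append("root account is enabled; disable root access")
    for server, protos in state.radius_servers.items():
        extra = [p for p in protos if p != REQUIRED_RADIUS_PROTOCOL]
        if extra or REQUIRED_RADIUS_PROTOCOL not in protos:
            findings.append(f"RADIUS server {server} must use only {REQUIRED_RADIUS_PROTOCOL} (has {protos})")
    if state.ldap_configured and not state.ldap_ca_cert_installed:
        findings.append("LDAP is configured but no CA certificate is installed on the switch")
    return findings


def example_unprepared() -> SwitchState:
    """Constructed sample: a switch with several prerequisites still unmet."""
    return SwitchState(
        login_role="admin",
        protocols_enabled={"telnet": True, "http": False, "rpc": False, "snmp": True},
        bootprom_access_enabled=True,
        signed_firmware_required=False,
        root_account_enabled=True,
        radius_servers={"10.0.0.5": ["pap", "peap-mschapv2"], "10.0.0.6": ["peap-mschapv2"]},
        ldap_configured=True,
        ldap_ca_cert_installed=False,
    )


def example_prepared() -> SwitchState:
    """Constructed sample: the same switch after every step of the overview."""
    return SwitchState(
        login_role="securityAdmin",
        protocols_enabled={"telnet": False, "http": False, "rpc": False, "snmp": False},
        bootprom_access_enabled=False,
        signed_firmware_required=True,
        root_account_enabled=False,
        radius_servers={"10.0.0.5": ["peap-mschapv2"], "10.0.0.6": ["peap-mschapv2"]},
        ldap_configured=True,
        ldap_ca_cert_installed=True,
    )


if __name__ == "__main__":
    for label, state in (("before", example_unprepared()), ("after", example_prepared())):
        blockers = fips_blockers(state)
        print(f"{label}: {'ready for FIPS' if not blockers else str(len(blockers)) + ' blocker(s)'}")
        for line in blockers:
            print("  -", line)
```

The check treats any protocol absent from the snapshot as still enabled, so an incomplete inventory produces a finding rather than a false "ready"; the RADIUS rule requires peap-mschapv2 to be the only protocol on every server, matching step 2 of the enabling procedure.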
Enabling FIPS mode
1. Log in to the switch using an account assigned the admin or securityAdmin role.
2. Optional: Select the appropriate method based on your needs:
If the switch is set for RADIUS, modify each server to use only peap-mschapv2 as the authentication protocol using the aaaConfig --change or aaaConfig --remove command.