HP StorageWorks Fabric OS 6.1.x administrator guide (5697-0234, November 2009)

136 Configuring advanced security features
Power-up self tests
The self-tests are invoked by powering on the switch in FIPS mode and require no operator
intervention. These power-up self-tests run known answer tests (KATs) against the switch's cryptographic
algorithms. If any KAT fails, the switch enters a FIPS Error state and reboots the system to run the tests
again. If the switch keeps failing the FIPS POST tests, you must boot into single-user mode and perform a
recovery procedure to reset the switch. For more information on this procedure, refer to the Fabric OS
Troubleshooting and Diagnostics Guide.
Conditional tests
These tests cover the random number generators and are executed to verify the output of the random
number generator. The conditional tests run each time before a random number supplied by the random
number generator is used.
The results of all self-tests, both power-up and conditional, are recorded in the system log or output to
the local console. Both passing and failing results are logged.
Refer to the Fabric OS Troubleshooting and Diagnostics Guide for instructions on how to recover if your
system cannot get out of the conditional test mode.
FIPS mode
By default, the switch comes up in non-FIPS mode. You can run the fipsCfg --enable fips command to
enable FIPS mode, but you must configure the switch first. Self-tests mode must be enabled before FIPS
mode can be enabled, and the prerequisites listed in the table below must be satisfied for the system to
enter FIPS mode.
To be FIPS-compliant, the switch must be rebooted. KATs run on the reboot. If the KATs succeed, the
switch enters FIPS mode. If they fail, the switch reboots until the KATs succeed. If the switch cannot enter
FIPS mode and continues to reboot, you must access the switch in single-user mode to break the reboot
cycle. For more information on how to fix this issue, refer to the Fabric OS Troubleshooting and
Diagnostics Guide.
Only FIPS-compliant algorithms are run at this stage.
Table 40 Zeroization behavior
Keys                     Zeroization CLI       Description
TLS private keys         seccertutil delkey    The seccertutil delkey command zeroizes these keys.
TLS pre-master secret    No CLI required       Automatically zeroized on session termination
TLS session key          No CLI required       Automatically zeroized on session termination
TLS authentication key   No CLI required       Automatically zeroized on session termination
RADIUS secret            aaaconfig --remove    aaaconfig --remove zeroizes the secret and deletes a
                                               configured server
Table 41 FIPS mode restrictions
Features                    FIPS mode                                    Non-FIPS mode
Root account                Disabled                                     Enabled
Telnet/SSH access           Only SSH                                     Telnet and SSH
SSH algorithms              HMAC-SHA1 (mac); 3DES-CBC, AES128-CBC,       No restrictions
                            AES192-CBC, AES256-CBC (cipher suites)
HTTP/HTTPS access           HTTPS only                                   HTTP and HTTPS
HTTPS protocol/algorithms   TLS/AES128 cipher suite                      TLS/AES128 cipher suite
                            (SSL will no longer be supported)
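The SSH algorithms row of Table 41 can be verified from outside the switch: an SSH server advertises its cipher and MAC name-lists in its SSH_MSG_KEXINIT before any authentication takes place, so a client can compare the advertised lists against the FIPS-mode set. The Python script below is an added example and is not part of this guide or of Fabric OS. It builds and parses KEXINIT payloads as laid out in RFC 4253, flags every advertised cipher or MAC outside the Table 41 lists, and includes a helper that fetches a live server's KEXINIT over a socket. The sample KEXINIT contents (NON_FIPS_SAMPLE, FIPS_SAMPLE) are constructed for illustration and do not reproduce a capture from a real switch.

```python
import socket
import struct

# Algorithms Table 41 permits in FIPS mode, spelled as SSH advertises them.
FIPS_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
FIPS_MACS = {"hmac-sha1"}

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
    "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c",
)


def _name_list(names):
    """Encode an SSH name-list: uint32 length + comma-separated ASCII (RFC 4251)."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(fields, cookie=b"\x00" * 16):
    """Build an SSH_MSG_KEXINIT payload from {field: [algorithm, ...]}."""
    payload = bytes([20]) + cookie            # message number 20, 16-byte cookie
    for name in KEXINIT_FIELDS:
        payload += _name_list(fields.get(name, []))
    payload += b"\x00"                        # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)           # reserved (uint32 0)
    return payload


def parse_kexinit(payload):
    """Decode an SSH_MSG_KEXINIT payload into {field: [algorithm, ...]}."""
    if not payload or payload[0] != 20:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 17                                  # skip message byte and cookie
    out = {}
    for name in KEXINIT_FIELDS:
        (length,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        raw = payload[off:off + length]
        off += length
        out[name] = raw.decode("ascii").split(",") if raw else []
    return out


def fips_violations(kexinit):
    """Return 'field:algorithm' entries that Table 41 forbids in FIPS mode."""
    checks = (("enc_s2c", FIPS_CIPHERS), ("enc_c2s", FIPS_CIPHERS),
              ("mac_s2c", FIPS_MACS), ("mac_c2s", FIPS_MACS))
    bad = []
    for field, allowed in checks:
        bad += [f"{field}:{alg}" for alg in kexinit[field] if alg not in allowed]
    return bad


def wrap_packet(payload, block=8):
    """Add SSH binary-packet framing (RFC 4253 section 6) with minimal padding:
    padding_length >= 4 and the whole packet a multiple of the block size."""
    padding_length = block - ((5 + len(payload)) % block)
    if padding_length < 4:
        padding_length += block
    packet_length = 1 + len(payload) + padding_length
    return (struct.pack(">I", packet_length) + bytes([padding_length])
            + payload + b"\x00" * padding_length)


def unwrap_packet(raw):
    """Strip binary-packet framing from an unencrypted packet (no MAC yet)."""
    (packet_length,) = struct.unpack(">I", raw[:4])
    padding_length = raw[4]
    return raw[5:4 + packet_length - padding_length]


def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Exchange identification strings with a live server and return its parsed
    KEXINIT. Network helper; the offline checks above never call it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        line = f.readline()
        while line and not line.startswith(b"SSH-"):   # servers may send extra lines first
            line = f.readline()
        s.sendall(b"SSH-2.0-fipscheck\r\n")
        head = f.read(4)
        (packet_length,) = struct.unpack(">I", head)
        return parse_kexinit(unwrap_packet(head + f.read(packet_length)))


# Constructed samples (not captures from a real switch).
NON_FIPS_SAMPLE = build_kexinit({
    "kex": ["diffie-hellman-group14-sha1"], "host_key": ["ssh-rsa"],
    "enc_c2s": ["aes128-ctr", "aes128-cbc", "arcfour"],
    "enc_s2c": ["aes128-ctr", "aes128-cbc", "arcfour"],
    "mac_c2s": ["hmac-md5", "hmac-sha1"], "mac_s2c": ["hmac-md5", "hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})
FIPS_SAMPLE = build_kexinit({
    "kex": ["diffie-hellman-group14-sha1"], "host_key": ["ssh-rsa"],
    "enc_c2s": ["3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"],
    "enc_s2c": ["3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"],
    "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"],
    "comp_c2s": ["none"], "comp_s2c": ["none"],
})

if __name__ == "__main__":
    import sys
    kex = fetch_server_kexinit(sys.argv[1]) if len(sys.argv) > 1 else parse_kexinit(NON_FIPS_SAMPLE)
    print(fips_violations(kex) or "no non-FIPS algorithms advertised")
```

Run it with a switch's address as the first argument to query the live server; with no argument it evaluates the constructed non-FIPS sample. The server's KEXINIT is the first binary packet after the identification string and is sent in the clear, which is why no key exchange or credentials are needed. The check confirms only what the switch advertises; it says nothing about whether the underlying implementation is a validated module, which is what the KATs and FIPS mode on the switch itself establish.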