HP StorageWorks Fabric OS 6.1.x administrator guide (5697-0234, November 2009)

ManualsBrandsHP ManualsStorageBrocade 8/24c SAN Switch for BladeSystem c-Class

131

132

133

134

135

136

137

138

139

140

Fabric OS 6.1.x administrator guide 139

Addtional Microsoft Active Directory settings

a. Set the following SCHANNEL settings listed in Table 43 to allow.

To support FIPS compliant TLS cipher suites on Microsoft’s Acitve Directory server, allow the

SCHANNEL settings listed in Table 43. Refer to the Microsoft website for instructions on how to

allow the SCHANNEL settings for the ciphers, hashes, key exchange and the TLS protocol.

b. Enable FIPS algorithm policy on the Microsoft Active Directory. Refer to to www.microsoft.com for

instructions.

LDAP certificates for FIPS mode

To utilize the LDAP services for FIPS between the switch and the host, you must generate a CSR on the

Active Directory server, import and export the CA certificates. To support server certificate validation, it is

essential to have the CA certificate installed on the switch and Active Directory server. Use the

secCertUtil to import the CA certificate to the switch. This will prompt for the remote IP and login

credentials to fetch the CA certificate. The CA certificate should be in any of the standard certificate

format, “.cer”, ”.crt” or “.pem”.

For storing and obtaining CA certificates, follow the instructions earlier in this section. LDAP CA certificate

file names should not contain spaces while using secCertUtil for import/export of the certificate.

Importing an LDAP switch certificate

This option imports the LDAP CA certificate from the remote host to the switch.

1. Connect to the switch and log in as admin.

2. Enter the secCertUtil import -ldapcacert command.

Example of importing an LDAP certificate

switch:admin> seccertutil import -ldapcacert

Select protocol [ftp or scp]: scp

Enter IP address: 192.168.38.206

Enter remote directory: /users/aUser/certs

Enter certificate name (must have ".crt" or ".cer" ".pem" suffix): LDAPTestCa.cer

Enter Login Name: aUser

Password: <hidden>

Success: imported certificate [LDAPTestCa.cer].

Table 43 Active Directory Keys to modify

Key Sub-key

Ciphers 3DES

Hashes SHA1

Key exchange

algorithm

PKCS

Protocols TLSv1.0