User's Manual

Appendix D: Virtual Connect Security 315
o If it exists, delete the VC domain ("Deleting a domain" on page 23).
o Clear the VC mode from the OA.
A partial VC domain state is created when VCM discovers the local OA in VC mode. Be sure to clear
the partial VC domain state by powering off and then powering on the primary VC Enet module.
• When entering or exiting FIPS mode, the VC domain is deleted.
• The firmware must be updated to version 4.30 or higher before FIPS mode can be enabled.
• A rollback or downgrade to firmware earlier than 4.30 is not supported once the domain is in FIPS
  mode.
• VC Fibre Channel modules are incompatible and cannot be configured for FIPS mode.
• The status of VC Fibre Channel modules is displayed as incompatible.
• When a VC-Enet module is not in FIPS mode and the domain is in FIPS mode, the status of that module
  is displayed as incompatible.
• The VCM cannot configure modules that are not enabled with FIPS mode.
• VC domain configuration files created in a FIPS enabled domain cannot be used in a non-FIPS domain.
• VC domain configuration files created in a non-FIPS domain cannot be used in a FIPS enabled domain.
• VC domain configuration files are deleted when FIPS mode is enabled or disabled.
When FIPS mode is enabled, security is increased across the domain. The following features are restricted:
• FTP and TFTP
• TACACS+ authentication
• RADIUS authentication
• Automated deployment
• Configurable user roles
• Administrator password recovery
• USB firmware updates
• SNMPv1 and SNMPv2
• MD5 authentication and DES encryption for SNMPv3
• Remote logging, except when using stunnel for encryption
• Short passwords
• Weak passwords
By default, the password strength is set to strong and the minimum password length must be 8 or more
characters. VCM uses SCP and SFTP protocols instead of FTP and TFTP.
TLS 1.2 is the default communication security protocol for a FIPS enabled domain. Verify the following
components support TLS 1.2:
• The OA version
  o OA firmware versions prior to 4.10 do not support TLS 1.2.
• The LDAP server
• The terminal emulator you use for SSH
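
The following pre-flight audit is an added example, not part of the original manual or any HPE tool. It checks a planned domain against the firmware, module, restricted-feature, and TLS 1.2 rules listed above; the inventory layout and every key name in it are hypothetical, and the sample data is constructed.

```python
# Added example: audit a planned VC domain against the FIPS-mode rules above.
# The inventory dictionary layout and its key names are hypothetical.

def ver(s):
    """Parse a dotted firmware version such as '4.30' into a comparable tuple."""
    return tuple(int(p) for p in s.split("."))

def fips_findings(inv):
    """Return findings that would block or degrade a FIPS-enabled domain."""
    out = []
    if ver(inv["vc_firmware"]) < ver("4.30"):
        out.append("VC firmware below 4.30: FIPS mode cannot be enabled")
    if ver(inv["oa_firmware"]) < ver("4.10"):
        out.append("OA firmware below 4.10: no TLS 1.2 support")
    for m in inv["modules"]:
        if m["type"] == "fc":
            out.append(f"{m['bay']}: VC Fibre Channel module is incompatible")
        elif not m["fips"]:
            out.append(f"{m['bay']}: VC-Enet module not in FIPS mode, incompatible")
    # Services that the manual lists as restricted once FIPS mode is enabled.
    for svc in ("ftp", "tftp", "tacacs+", "radius", "snmpv1", "snmpv2"):
        if svc in inv["services"]:
            out.append(f"{svc}: restricted in FIPS mode")
    for u in inv["snmpv3_users"]:
        if u["auth"].upper() == "MD5" or u["priv"].upper() == "DES":
            out.append(f"SNMPv3 user {u['name']}: MD5/DES restricted in FIPS mode")
    log = inv["remote_log"]
    if log["enabled"] and not log["stunnel"]:
        out.append("remote logging without stunnel: restricted in FIPS mode")
    if inv["min_password_length"] < 8:
        out.append("minimum password length below 8")
    if not inv["ldap_tls12"]:
        out.append("LDAP server does not support TLS 1.2")
    return out

# Constructed sample inventory (not taken from a real domain).
SAMPLE = {
    "vc_firmware": "4.20", "oa_firmware": "4.01",
    "modules": [{"bay": "bay1", "type": "enet", "fips": True},
                {"bay": "bay2", "type": "enet", "fips": False},
                {"bay": "bay3", "type": "fc", "fips": False}],
    "services": ["tftp", "snmpv2", "radius"],
    "snmpv3_users": [{"name": "mon", "auth": "SHA", "priv": "DES"}],
    "remote_log": {"enabled": True, "stunnel": False},
    "min_password_length": 6, "ldap_tls12": True,
}

if __name__ == "__main__":
    for finding in fips_findings(SAMPLE):
        print(finding)
```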