Manualshelf

Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)

ManualsBrandsHP ManualsSoftwareHP StorageWorks ISL quick loop
551552553554555556557558559560
Fabric OS Administrator’s Guide 515
53-1002148-02
Appendix
C
FIPS Support
In this appendix
FIPS overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Zeroization functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
FIPS mode configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
Preparing the switch for FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
FIPS overview
Federal information processing standards (FIPS) specify the security standards to be satisfied by a
cryptographic module utilized in Fabric OS v6.0.0 and later to protect sensitive information in the
switch. As part of FIPS 140-2 level 2, compliance passwords, shared secrets, and the private keys
used in SSL, TLS, and system login need to be cleared out or zeroized. Before enabling FIPS
compliance mode, a power-on self test (POST) is executed when the switch is powered on to check
for the consistency of the algorithms implemented in the switch. Known-answer tests (KATs) are
used to exercise various features of the algorithm and their results are displayed on the console for
your reference. Conditional tests are performed whenever an RSA key pair is generated. These
tests verify the randomness of the deterministic random number generator (DRNG) and
non-deterministic random number generator (non-DRNG). They also verify the consistency of RSA
keys with regard to signing and verification and encryption and decryption.
ATTENTION
FIPS mode, when enabled, is a chassis-wide setting that affects all logical switches. Once enabled,
FIPS mode cannot be disabled.
Zeroization functions
Explicit zeroization can be done at the discretion of the security administrator. These functions
clear the passwords and the shared secrets. Table 85 lists the various keys used in the system that
will be zeroized in a FIPS-compliant Fabric OS module.
TABLE 85 Zeroization behavior
Keys Zeroization CLI Description
DH private keys No command required Keys will be zeroized within code before they are
released from memory.
FCAP private key secCertUtil delete --fcapall
-nowarn
The secCertUtil delete --fcapall command removes all
FCAP certificates and FCAP private keys.