Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)

ManualsBrandsHP ManualsSoftwareHP StorageWorks ISL quick loop

551

552

553

554

555

556

557

558

559

560

Fabric OS Administrator’s Guide 517

53-1002148-02

FIPS mode configuration

The results of the POST and conditional tests are recorded in the system log or are output to the

local console. This action includes logging both passing and failing results. Refer to the Fabric OS

Troubleshooting and Diagnostics Guide for instructions on how to recover if your system cannot get

out of the conditional test mode.

FIPS mode configuration

By default, the switch comes up in non-FIPS mode. You can run the fipsCfg --enable fips command

to enable FIPS mode, but you must configure the switch first. Self-test mode must be enabled

before FIPS mode can be enabled. A set of prerequisites (as shown in Table 86) must be satisfied

for the system to enter FIPS mode. To be FIPS-compliant, the switch must be rebooted. For

directors, either reboot both CPs, or power the chassis down and then up again. KATs are run on

the reboot. If the KATs are successful, the switch enters FIPS mode. If the KATs fail, then the switch

reboots until the KATs succeed. If the switch cannot enter FIPS mode and continues to reboot, you

must return the switch to your switch service provider. For information about how to prepare a

service provider case, refer to the Fabric OS Troubleshooting and Diagnostics Guide

When the switch successfully reboots in FIPS mode, only FIPS-compliant algorithms are run.

Table 86 lists the Fabric OS features and their behaviors in FIPS and non-FIPS mode.

TABLE 86 FIPS mode restrictions

Features FIPS mode Non-FIPS mode

Configupload/ download/

supportsave/

firmwaredownload

SCP/SFTP only FTP and SCP/SFTP

DH-CHAP/FCAP hashing

algorithms

SHA-1 MD5 and SHA-1

HTTP/HTTPS access HTTPS only HTTP and HTTPS

HTTPS algorithms TLS/AES128 cipher suite TLS AES 128 cipher suite

IPsec Disabled No restrictions

LDAP CA CA certificate must be available. CA certificate is optional.

Radius auth protocols PEAP-MSCHAPv2 CHAP, PAP, PEAP-MSCHAPv2

Root account Disabled Enabled

Signed firmware Mandatory firmware signature validation Optional firmware signature

validation

SNMP Read-only operations Read and write operations

SSH algorithms HMAC-SHA1 (MAC)

3DES-CBC, AES128-CBC, AES192-CBC,

AES256-CBC (cipher suites)

No restrictions

SSH public keys RSA 1024 bit keys and RSA 2048 bit keys RSA 1024 bit keys, RSA 2048

bit keys, and DSA 1024 bit keys

Telnet/SSH access Only SSH Telnet and SSH