Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)
518 Fabric OS Administrator’s Guide
53-1002148-02
FIPS mode configuration
C
LDAP in FIPS mode
You can configure your Microsoft Active Directory server to use the Lightweight Directory Access
Protocol (LDAP) while in FIPS mode. There is no option provided on the switch to configure TLS
ciphers for LDAP in FIPS mode. However, the LDAP client checks if FIPS mode is set on the switch
and uses the FIPS-compliant TLS ciphers for LDAP. If the FIPS mode is not set and the Microsoft
Active Directory server is configured for FIPS ciphers, it uses FIPS-compliant ciphers.
Table 87 lists the differences between FIPS and non-FIPS modes of operation.
Setting up LDAP for FIPS mode
1. Log in to the switch using an account with admin or securityadmin permissions, or an account
with OM permissions for the RADIUS and switchconfiguration RBAC classes of commands.
2. Enter the dnsConfig command to configure the DNS on the switch.
Example of setting the DNS
switch:admin> dnsconfig
Enter option
1 Display Domain Name Service (DNS) configuration
2 Set DNS configuration
3 Remove DNS configuration
4 Quit
Select an item: (1..4) [4] 2
Enter Domain Name: [] domain.com
Enter Name Server IP address in dot notation: [] 123.123.123.123
Enter Name Server IP address in dot notation: [] 123.123.123.124
DNS parameters saved successfully
Enter option
1 Display Domain Name Service (DNS) configuration
2 Set DNS configuration
3 Remove DNS configuration
4 Quit
Select an item: (1..4) [4] 4
TABLE 87 FIPS and non-FIPS modes of operation
FIPS mode non-FIPS mode
The CA that issued the Microsoft Active Directory server
certificate must be installed on the switch.
There is no mandatory CA certificate installation on
the switch.
Configure FIPS-compliant TLS ciphers [TDES-168, SHA1
and RSA-1024] on the Microsoft Active Directory server.
The host needs a reboot for the changes to take effect.
On the Microsoft Active Directory server, there is no
configuration of the FIPS-compliant TLS ciphers.
The switch uses FIPS-compliant ciphers regardless of the
Microsoft Active Directory server configuration. If the
Microsoft Active Directory server is not configured for FIPS
ciphers, authentication will still succeed.
The Microsoft Active Directory server certificate is
validated if the CA certificate is found on the switch.
The Microsoft Active Directory server certificate is validated
by the LDAP client. If the CA certificate is not present on the
switch then user authentication will fail.
If the Microsoft Active Directory server is configured
for FIPS ciphers and the switch is in non-FIPS mode,
then user authentication will succeed.