Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)

FIPS mode configuration
Specify the DNS server IP address using either IPv4 or IPv6. The switch needs this address to
resolve the domain name of your Microsoft Active Directory server to an IP address, because
LDAP initiates a TCP session to that server. The server must be configured by its Fully
Qualified Domain Name (FQDN) because the switch validates the server identity against the
common name (CN) in the server certificate.
3. Set the switch authentication mode and add your LDAP server using the commands shown
in the following example. Provide the Fully Qualified Domain Name (FQDN) of the Microsoft
Active Directory server as the host name parameter when configuring LDAP.
Example of setting up LDAP for FIPS mode
switch:admin> aaaconfig --add GEOFF5.ADLDAP.LOCAL -conf ldap -d adldap.local
-p 389 -t 3
switch:admin> aaaconfig --authspec "ldap;local"
switch:admin> aaaconfig --show
RADIUS CONFIGURATIONS
=====================
RADIUS configuration does not exist.
LDAP CONFIGURATIONS
===================
Position : 1
Server : GEOFF5.ADLDAP.LOCAL
Port : 389
Domain : adldap.local
Timeout(s) : 3
Primary AAA Service: LDAP
Secondary AAA Service: Switch database
4. Set up LDAP according to the instructions in “LDAP configuration and Microsoft Active
Directory” on page 111, and then apply the following additional Microsoft Active Directory
settings:
a. To support FIPS-compliant TLS cipher suites on the Microsoft Active Directory server, enable
the SCHANNEL settings listed in Table 88.
b. Enable the FIPS algorithm policy on the Microsoft Active Directory server.
TABLE 88 Active Directory keys to modify

Key                       Sub-key
------------------------  --------
Ciphers                   3DES
Hashes                    SHA1
Key exchange algorithm    PKCS
Protocols                 TLSv1.0
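The following PowerShell script is an added example, not part of the Fabric OS guide, showing how steps 4a and 4b can be applied on the domain controller: it enables the four SCHANNEL sub-keys from Table 88 and then turns on the FIPS algorithm policy. The registry locations are the ones Microsoft documents for SCHANNEL and the FIPS policy; the cipher key name "Triple DES 168" is an assumption that matches Windows Server 2008 and later (older releases used "Triple DES 168/168", which this script does not handle). The helper name Enable-SchannelKey is hypothetical.

```powershell
# Added example (not from the Fabric OS guide). Run in an elevated PowerShell
# session on the Active Directory server, then reboot for SCHANNEL and the
# FIPS policy to take effect.
#
# Assumption: SCHANNEL key names as documented by Microsoft for Windows
# Server 2008 and later ("Triple DES 168"); adjust for older releases.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Hypothetical helper: create the sub-key if it is missing and set Enabled.
# 0xffffffff is the value Microsoft uses to enable ciphers, hashes and key
# exchange algorithms; protocol keys use 1.
function Enable-SchannelKey {
    param(
        [Parameter(Mandatory)] [string] $SubKey,
        [uint32] $Value = 0xffffffff
    )
    $path = Join-Path $schannel $SubKey
    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null
    }
    Set-ItemProperty -Path $path -Name 'Enabled' -Value $Value -Type DWord
}

# Table 88, row by row:
Enable-SchannelKey 'Ciphers\Triple DES 168'            # Ciphers / 3DES
Enable-SchannelKey 'Hashes\SHA'                        # Hashes / SHA1
Enable-SchannelKey 'KeyExchangeAlgorithms\PKCS'        # Key exchange / PKCS
Enable-SchannelKey 'Protocols\TLS 1.0\Server' -Value 1 # Protocols / TLSv1.0
# A protocol that is "enabled" but "disabled by default" is still not
# offered, so clear DisabledByDefault as well.
Set-ItemProperty -Path "$schannel\Protocols\TLS 1.0\Server" `
    -Name 'DisabledByDefault' -Value 0 -Type DWord

# Step 4b: FIPS algorithm policy. This is the registry value behind the
# "System cryptography: Use FIPS compliant algorithms for encryption,
# hashing, and signing" security option.
$fips = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
if (-not (Test-Path $fips)) {
    New-Item -Path $fips -Force | Out-Null
}
Set-ItemProperty -Path $fips -Name 'Enabled' -Value 1 -Type DWord

# Verification: every key should report Enabled != 0 before rebooting.
$check = @(
    "$schannel\Ciphers\Triple DES 168",
    "$schannel\Hashes\SHA",
    "$schannel\KeyExchangeAlgorithms\PKCS",
    "$schannel\Protocols\TLS 1.0\Server",
    $fips
)
foreach ($key in $check) {
    $enabled = (Get-ItemProperty -Path $key -Name 'Enabled').Enabled
    '{0,-95} Enabled={1}' -f $key, $enabled
}
```

After the reboot, confirm from the switch side that name resolution works for the FQDN you passed to aaaconfig --add (the server certificate's CN must match it, as noted above), then test a login with an LDAP user. Note that the Table 88 settings reflect the FIPS 140-2 approved set current in 2011; 3DES and TLS 1.0 are deprecated today, so on a modern domain controller you would enable the TLS 1.2 protocol key and AES ciphers alongside, or instead of, these entries, subject to what your Fabric OS release negotiates.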