Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)

ManualsBrandsHP ManualsSoftwareHP StorageWorks ISL quick loop

561

562

563

564

565

566

567

568

569

570

522 Fabric OS Administrator’s Guide

53-1002148-02

Preparing the switch for FIPS

• Disable root access.

• Enable the KATs and the conditional tests.

• Enable FIPS.

Enabling FIPS mode

1. Log in to the switch using an account with securityadmin permissions.

2. Enter the sshutil delpubkeys and sshutil delprivkey commands to remove legacy OpenSSH DSA

keys.

These keys, which were previously the default, do migrate to Fabric OS v7.0.0 but are no longer

supported in FIPS mode. You must remove them to remain FIPS compliant.

NOTE

Support for RSA keys is retained. You can implement RSA keys using the sshutil command.

3. Optional: Select the appropriate authentication method based on your needs:

• If the switch is set for RADIUS, enter the aaaConfig --change or aaaConfig --remove

command to modify each server to use only PEAP-MS-CHAPv2 as the authentication

protocol.

• If the switch is set for LDAP, refer to the instructions in “Setting up LDAP for FIPS mode” on

page 518.

4. Optional: Set the authentication protocols.

a. Enter the authUtil --set -h sha1 command to set the hash type for MD5, which is used in

the DHCHAP and FCAP authentication protocols.

b. Enter the authUtil --set -g <n> command (where <n> represents the DH group) to set the

DH group to 1, 2, 3, or 4.

5. Install the LDAP CA certificate on the switch and Microsoft Active Directory server. Refer to

“LDAP certificates for FIPS mode” on page 520.

6. Enter the ipFilter --show command and verify that no active IP filter policy permits access to

telnet, HTTP, or RPC ports, even if a higher priority policy explicitly denies such access. If an

active IP policy does permit any of these ports, you must modify or deactivate the policy. Create

separate policies for ipv4 and ipv6, and block access on Telnet, HTTP, and RPC ports.

a. Enter the ipFilter command to create IP Filter policies for IPv4 and IPv6. Refer to “Creating

an IP Filter policy” on page 155.

b. Add rules to each IP Filter policy, see “Adding a rule to an IP Filter policy” on page 161. You

can use the following modifications to the rule to block access to telnet, HTTP, and RPC

ports:

ipfilter --addrule <policyname> -rule <rule_number> -sip <source_IP> -dp

<dest_port> -proto <protocol> -act <deny>

• The -sip option can be given as any.

• The -dp option for the port numbers for Telnet, HTTP, and RPC are 23, 80, and 898,

respectively.

• The -proto option should be set to tcp.

c. Activate each IP Filter policy. Refer to “Activating an IP Filter policy” on page 156.