Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)

Preparing the switch for FIPS
d. Save each IP Filter policy. Refer to “Saving an IP Filter policy” on page 156.
Example
ipfilter --create http_block_v4 -type ipv4
ipfilter --addrule http_block_v4 -rule 1 -sip any -dp 80 -proto tcp -act deny
ipfilter --activate http_block_v4
7. Enter the snmpConfig --set seclevel command to turn on SNMP security. In the example below the GET security level is left at its default; when prompted to Select SNMP SET Security Level, enter 3 (No Access) so that SNMP cannot be used to change the switch configuration.
Example
switch:FID128:admin> snmpconfig --set seclevel
Select SNMP GET Security Level
(0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (0..3) [0]
Select SNMP SET Security Level
(0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (0..3) [0] 3
8. Enter the fipsCfg --disable bootprom command to block access to the boot PROM.
NOTE
This command can be entered only from the root account, so it must be entered before the root account is disabled in step 10.
9. Enter the configure command and respond to the following prompts to enable signed firmware:
System services: No
cfgload attributes: Yes
Enforce secure config Upload/Download: Press Enter to accept the default
Enforce firmware signature validation: Yes
Example
switch:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
System services (yes, y, no, n): [no]
cfgload attributes (yes, y, no, n): [no] yes
Enforce secure config Upload/Download (yes, y, no, n): [no]
Enforce firmware signature validation (yes, y, no, n): [no] yes
10. Enter the userConfig --change root -e no command to block access to the root account. Disabling the root account also blocks RADIUS and LDAP users that have root permissions while the switch is in FIPS mode.
11. Enter the portCfgEncrypt --disable command to disable in-flight encryption. The port must be disabled before the command is accepted; re-enable it afterwards.
Example
myswitch:root> portdisable 0
myswitch:root> portcfgencrypt --disable 0
myswitch:root> portenable 0
12. Enter the ipSecConfig --disable command to disable Ethernet IPsec.
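The steps above have ordering constraints that are easy to get wrong when the commands are pasted into a session: the boot PROM must be locked while root is still enabled, and a port must be disabled before its encryption setting is changed. The following script is an added example and is not from the Fabric OS guide or from Brocade: it emits the command sequence for steps d and 7 through 12, lints the ordering before anything is sent, and can deliver the plan over ssh. Assumptions not taken from the guide: port 0 and the policy name http_block_v4 are placeholders copied from the guide's examples; the switch CLI is assumed to read the answers to the snmpConfig and configure prompts from standard input; ipfilter --save is assumed to take the policy name as its argument (check ipfilter --help on your release); SWITCH_HOST and SWITCH_USER are hypothetical environment variables. The plan disables root as the last step rather than at step 10 so that every earlier command can still be run from the root prompt that the guide's own step 11 example shows.

```shell
#!/bin/sh
# Added example, not from the Fabric OS guide: build, lint and optionally
# apply the FIPS preparation command sequence.
# Assumptions (not from the guide): PORT, POLICY, SWITCH_HOST and
# SWITCH_USER are placeholders; prompt answers are read from stdin.

PORT="${PORT:-0}"
POLICY="${POLICY:-http_block_v4}"

# The plan, one CLI line per row. Blank lines answer a prompt with its
# default (Enter). fipscfg --disable bootprom is root-only and comes first;
# the root account is disabled last.
fips_prep_plan() {
    cat <<EOF
ipfilter --create $POLICY -type ipv4
ipfilter --addrule $POLICY -rule 1 -sip any -dp 80 -proto tcp -act deny
ipfilter --save $POLICY
ipfilter --activate $POLICY
snmpconfig --set seclevel

3
fipscfg --disable bootprom
configure

yes

yes
portdisable $PORT
portcfgencrypt --disable $PORT
portenable $PORT
ipsecconfig --disable
userconfig --change root -e no
EOF
}

# Reads a plan on stdin; exits 0 if the ordering constraints from the
# guide hold, 1 otherwise, printing each violated constraint.
check_plan() {
    awk '
    /^fipscfg --disable bootprom/     { bootprom = NR }
    /^userconfig --change root -e no/ { rootoff = NR }
    /^portdisable /                   { pdis[$2] = NR }
    /^portcfgencrypt --disable /      { penc[$3] = NR }
    /^portenable /                    { pen[$2] = NR }
    /^ipfilter --addrule /            { if (!($3 in rule)) rule[$3] = NR }
    /^ipfilter --activate /           { act[$3] = NR }
    function fail(msg) { print "plan check: " msg; return 1 }
    END {
        bad = 0
        if (rootoff && !bootprom)
            bad += fail("root is disabled but boot PROM access is never disabled")
        if (rootoff && bootprom > rootoff)
            bad += fail("fipscfg --disable bootprom must come before disabling root")
        for (p in penc) {
            if (!(p in pdis) || pdis[p] > penc[p])
                bad += fail("port " p ": portdisable must precede portcfgencrypt --disable")
            if ((p in pen) && pen[p] < penc[p])
                bad += fail("port " p ": portenable must follow portcfgencrypt --disable")
        }
        for (n in act)
            if (!(n in rule) || rule[n] > act[n])
                bad += fail("policy " n ": activated before any rule was added")
        exit (bad ? 1 : 0)
    }'
}

# Usage: sh fips_prep.sh          lint the plan and print it
#        sh fips_prep.sh --apply  lint, then feed the plan to the switch
if fips_prep_plan | check_plan; then
    if [ "${1:-}" = "--apply" ]; then
        fips_prep_plan | ssh "${SWITCH_USER:-root}@${SWITCH_HOST:?set SWITCH_HOST}"
    else
        fips_prep_plan
    fi
else
    exit 1
fi
```

Run it without arguments to review the lint result and the exact lines that would be sent; only then run it with --apply. The check is deliberately strict about the root/boot PROM order because, once root is disabled, fipsCfg --disable bootprom can no longer be entered at all.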