Fabric OS Administrator’s Guide, 53-1002920-02
Preparing a switch for FIPS
NOTE
This command can be entered only from the root account. It must be entered before disabling the root account.
9. Enter the configure command and respond to the following prompts to enable signed firmware:
System services: No
cfgload attributes: Yes
Enforce secure config Upload/Download: Press Enter to accept the default.
Enforce firmware signature validation: Yes
Example
switch:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
System services (yes, y, no, n): [no]
cfgload attributes (yes, y, no, n): [no] yes
Enforce secure config Upload/Download (yes, y, no, n): [no]
Enforce firmware signature validation (yes, y, no, n): [no] yes
10. Enter the portCfgEncrypt --disable command to disable in-flight encryption. You must first disable the port.
Example
myswitch:root> portdisable 0
myswitch:root> portcfgencrypt --disable 0
myswitch:root> portenable 0
11. Enter the ipSecConfig --disable command to disable Ethernet IPsec.
12. Disable IPsec for FCIP connections. The procedure depends on the type of extension blade used.
For FX8-24 extension blades, enter the portCfg fciptunnel [slot/]port modify -ipsec 0 command.
13. Enter the portCfg --mgmtif delete command to disable in-band management.
14. Enter the aaaconfig --authspec local command to disable the authspec mode if TACACS+ authentication, PAP, or CHAP is configured.
15. Enter the fipsCfg --enable selftests command to enable KAT and conditional tests on the switch.
16. Enter the fipsCfg --verify fips command to verify the switch is FIPS-ready.
17. Enter the userConfig --change root -e no command to block access to the root account.
By disabling the root account, RADIUS and LDAP users with root permissions are also blocked in FIPS mode.
18. Enter the fipsCfg --enable fips command.
19. Reboot the switch. For a director, reboot both CPs.
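The ordering of steps 10 through 18 matters: the root-only commands must run before root is blocked in step 17, and step 18 should follow a successful step 16. The following is an added example (not from the Fabric OS guide) that drives those steps through a hypothetical `run(cmd)` callable standing in for a CLI session, and aborts before step 17 if the verify step fails; the `fake_session` helper and its output strings are constructed for demonstration.

```python
from typing import Callable, Iterable, List, Tuple

# A run function returns (exit status, output). In practice it would wrap an
# SSH session to the switch; this is a hypothetical interface, not a Fabric OS API.
RunFn = Callable[[str], Tuple[int, str]]

def build_plan(ports: Iterable[int], fx8_24_tunnels: Iterable[str] = (),
               remote_auth: bool = False) -> List[str]:
    """Command sequence for steps 10 to 18. Step 9 (interactive configure) and
    step 19 (reboot) are left to the operator. `ports` lists ports with in-flight
    encryption enabled; `fx8_24_tunnels` lists [slot/]port of FCIP tunnels on
    FX8-24 blades; `remote_auth` is True when TACACS+, PAP, or CHAP is configured."""
    plan: List[str] = []
    for p in ports:                                   # step 10
        plan += [f"portdisable {p}", f"portcfgencrypt --disable {p}", f"portenable {p}"]
    plan.append("ipsecconfig --disable")              # step 11
    for t in fx8_24_tunnels:                          # step 12
        plan.append(f"portcfg fciptunnel {t} modify -ipsec 0")
    plan.append("portcfg --mgmtif delete")            # step 13
    if remote_auth:                                   # step 14
        plan.append("aaaconfig --authspec local")
    plan += ["fipscfg --enable selftests",            # step 15
             "fipscfg --verify fips",                 # step 16
             "userconfig --change root -e no",        # step 17 (blocks root)
             "fipscfg --enable fips"]                 # step 18
    return plan

def execute(plan: List[str], run: RunFn) -> Tuple[bool, List[str], str]:
    """Run commands in order and stop at the first non-zero status. Because
    step 17 blocks the root account, a failed verify aborts before reaching it."""
    done: List[str] = []
    for cmd in plan:
        rc, out = run(cmd)
        done.append(cmd)
        if rc != 0:
            return False, done, f"{cmd!r} failed: {out.strip()}"
    return True, done, "ok"

def fake_session(verify_ok: bool = True) -> RunFn:
    """Constructed stand-in for a switch session: every command succeeds except
    `fipscfg --verify fips` when verify_ok is False (the output text is made up)."""
    def run(cmd: str) -> Tuple[int, str]:
        if cmd == "fipscfg --verify fips" and not verify_ok:
            return 1, "constructed: switch not FIPS-ready"
        return 0, ""
    return run

if __name__ == "__main__":
    ok, done, msg = execute(build_plan([0], ["8/12"], remote_auth=True), fake_session(False))
    print(ok, msg, "root still enabled:", "userconfig --change root -e no" not in done)
```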