Users Guide

Fabric OS Administrator’s Guide 645
53-1002920-02
Appendix B: FIPS Support
In this appendix
FIPS overview (page 645)
Zeroization functions (page 645)
FIPS mode configuration (page 647)
Preparing a switch for FIPS (page 651)
FIPS overview
Federal Information Processing Standards (FIPS) specify the security standards to be satisfied by the
cryptographic module used in Fabric OS v6.0.0 and later to protect sensitive information in the
switch.
As part of FIPS 140-2 Level 2 compliance, passwords, shared secrets, and the private keys used in
SSL, TLS, and system login must be cleared out (zeroized). Before FIPS compliance mode is
enabled, a power-on self-test (POST) runs when the switch is powered on to check the consistency
of the algorithms implemented in the switch. Known-answer tests (KATs) exercise various features
of each algorithm, and their results are displayed on the console for your reference. Conditional
tests are performed whenever an RSA key pair is generated. These tests verify the randomness of
the deterministic random number generator (DRNG) and the non-deterministic random number
generator (non-DRNG). They also verify the consistency of RSA keys with regard to signing and
verification, and encryption and decryption.
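The conditional tests described above, as an added example that is not Fabric OS code: a continuous RNG test (each output block compared with the previous one, the FIPS 140-2 form of the randomness check) and an RSA pairwise consistency test run on a newly generated pair. The RSA key pair is a constructed toy with small primes, used only to show the check.

```python
# Added example: FIPS 140-2 style conditional self-tests, modelled on the tests the
# appendix describes. Not the switch's own implementation.
import secrets
from math import gcd


class SelfTestFailure(Exception):
    """Raised when a conditional test fails; the key pair or RNG output must be discarded."""


class ContinuousRngTest:
    """Continuous RNG test: every new block is compared with the previous block.
    Two identical consecutive blocks indicate a stuck generator and fail the test."""

    def __init__(self, source, block_size=16):
        self._source = source                    # callable returning block_size random bytes
        self._block_size = block_size
        self._last = self._source(block_size)    # first block is consumed, never emitted

    def next_block(self):
        block = self._source(self._block_size)
        if block == self._last:
            raise SelfTestFailure("continuous RNG test failed: repeated output block")
        self._last = block
        return block


def toy_rsa_keypair(p, q, e=65537):
    """Textbook RSA key generation from two primes (constructed, far too small for real use)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent not invertible modulo phi(n)")
    d = pow(e, -1, phi)                          # private exponent (Python 3.8+)
    return (n, e), (n, d)


def pairwise_consistency_test(public, private):
    """Pairwise consistency test run after key generation: a known value is signed with
    the private key and verified with the public key, then encrypted with the public key
    and decrypted with the private key. Any mismatch rejects the new key pair."""
    n, e = public
    _, d = private
    msg = 0x1234 % n                             # fixed test value
    # Sign/verify: (msg^d)^e must recover msg.
    if pow(pow(msg, d, n), e, n) != msg:
        raise SelfTestFailure("pairwise consistency test failed: sign/verify")
    # Encrypt/decrypt: ciphertext must differ from the plaintext and decrypt back to it.
    ct = pow(msg, e, n)
    if ct == msg or pow(ct, d, n) != msg:
        raise SelfTestFailure("pairwise consistency test failed: encrypt/decrypt")
    return True
```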
ATTENTION
FIPS mode, when enabled, is a chassis-wide setting that affects all logical switches. Once enabled,
FIPS mode cannot be disabled.
Zeroization functions
Zeroization functions can be performed at the discretion of the security administrator. These
functions clear the passwords and the shared secrets. Core files and FFDC data are also removed
upon FIPS zeroization. Table 95 lists the keys used in the system that are zeroized in a
FIPS-compliant Fabric OS module.
TABLE 95 Zeroization behavior

Keys              | Zeroization CLI                       | Description
DH private keys   | No command required                   | Keys will be zeroized within code before they are released from memory.
FCAP private key  | secCertUtil delete --fcapall -nowarn  | The secCertUtil delete --fcapall -nowarn command removes all FCAP certificates and FCAP private keys.