HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)

Power-up self tests
The self tests are invoked by powering on the switch in FIPS mode and do not require any operator
intervention. These power-on self-tests (POST) consist of known-answer tests (KATs). If any KAT fails, the
switch goes into a FIPS Error state, which reboots the system so that the tests run again. If the switch
continues to fail the FIPS POST tests, you must boot into single-user mode and perform a recovery procedure
to reset the switch. For more information on this procedure, see the Fabric OS Troubleshooting and
Diagnostics Guide.
Conditional tests
These tests apply to the random number generators and verify the randomness of their output. A
conditional test is executed each time before a random number provided by the random number generator
is used.
The results of all self-tests, for both power-up and conditional, are recorded in the system log or are output
to the local console. This includes logging both passing and failing results.
See the Fabric OS Troubleshooting and Diagnostics Guide for instructions on how to recover if your system
cannot get out of the conditional test mode.
FIPS mode
By default, the switch comes up in non-FIPS mode. You can run the fipsCfg --enable fips command to
enable FIPS mode, but you need to configure the switch first. Self-tests mode must be enabled before FIPS
mode can be enabled. The prerequisites listed in Table 41 must be satisfied for the system to enter FIPS
mode.
To be FIPS-compliant, the switch must be rebooted. KATs are run on the reboot. If the KATs are successful,
the switch enters FIPS mode. If KATs fail, the switch reboots until the KATs succeed. If the switch cannot
enter FIPS mode and continues to reboot, you must access the switch in single-user mode to break the
reboot cycle. For more information on how to fix this issue, see the Fabric OS Troubleshooting and
Diagnostics Guide.
Only FIPS compliant algorithms are run at this stage.
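The boot-time KAT cycle and the conditional RNG check described above, as an added example that is not Fabric OS code: a small Python model that runs SHA-1 and SHA-256 known-answer tests at power-up, re-runs them across reboots until they pass or a reboot limit is reached (the point at which the guide sends you to single-user recovery), records every pass and fail in a log, and wraps an RNG in a continuous test that rejects a repeated output block before the value is handed out. The state names, the reboot limit, the log format and the continuous-test design (comparing each block with the previous one, as in FIPS 140-2) are this example's assumptions; the guide does not say how Fabric OS implements its conditional test.

```python
"""Model of FIPS-style power-up KATs and a conditional RNG test.

Added illustration, not Fabric OS code. State names, the reboot limit and
the continuous-test design are assumptions made for this example.
"""
import hashlib
import os

# Known-answer vectors: SHA-1 and SHA-256 of the message "abc" (FIPS 180 test data).
KATS = {
    "sha1": (b"abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
    "sha256": (b"abc",
               "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
}


def run_power_up_kats(kats=KATS):
    """Run every known-answer test.

    Returns (all_passed, per_test_results) so that both passing and failing
    results can be recorded, as the guide says the switch does.
    """
    results = {}
    for name, (message, expected_hex) in kats.items():
        digest = hashlib.new(name, message).hexdigest()
        results[name] = (digest == expected_hex)
    return all(results.values()), results


class ContinuousRngTest:
    """Conditional test applied before every use of RNG output.

    Each block is compared with the previous block and rejected if identical
    (the FIPS 140-2 continuous RNG test; assumed here as the conditional test
    the guide refers to). The first block after power-up is saved for
    comparison only and is never handed out.
    """

    def __init__(self, source, block_size=16):
        self.source = source          # callable: number of bytes -> bytes
        self.block_size = block_size
        self.previous = self.source(block_size)  # kept for comparison, not used

    def next_block(self):
        block = self.source(self.block_size)
        if block == self.previous:
            # A stuck generator is detected here, before the value is consumed.
            raise RuntimeError("conditional RNG test failed: repeated output block")
        self.previous = block
        return block


class FipsSwitch:
    """Boot state machine mirroring the behaviour the guide describes.

    KATs run on every boot; a failure puts the switch in FIPS_ERROR and
    reboots it; repeated failures leave it stuck until an operator breaks
    the cycle from single-user mode (modelled as SINGLE_USER_RECOVERY).
    """

    def __init__(self, kats=KATS):
        self.kats = kats
        self.state = "NON_FIPS"
        self.reboots = 0
        self.log = []   # stands in for the system log / console output

    def boot(self, max_reboots=3):
        while True:
            passed, results = run_power_up_kats(self.kats)
            for name, ok in results.items():
                self.log.append(f"KAT {name}: {'PASS' if ok else 'FAIL'}")
            if passed:
                self.state = "FIPS"
                return self.state
            self.state = "FIPS_ERROR"
            self.reboots += 1
            self.log.append(f"FIPS error state, reboot #{self.reboots}")
            if self.reboots >= max_reboots:
                # Constructed limit: at this point the guide's recovery
                # procedure (single-user mode) is required.
                self.state = "SINGLE_USER_RECOVERY"
                return self.state


if __name__ == "__main__":
    switch = FipsSwitch()
    print("boot result:", switch.boot())
    for line in switch.log:
        print(line)
    rng = ContinuousRngTest(os.urandom)
    print("first usable block:", rng.next_block().hex())
```

Running the module boots a healthy model switch into FIPS and prints one RNG block that has passed the conditional test; swapping a wrong expected digest into KATS, or a source that returns the same bytes every call, exercises the error paths.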
Table 40 Zeroization behavior (continued)

Keys                    Zeroization CLI      Description
Passwords               passwddefault        This will remove user-defined accounts in addition to the
                        fipscfg --zeroize    default passwords for the root, admin, and user default
                                             accounts. However, only root has permissions for this
                                             command, so the securityadmin and admin roles need to
                                             use fipscfg --zeroize, which, in addition to removing
                                             user accounts and resetting passwords, also performs the
                                             complete zeroization of the system.
TLS private keys        seccertutil delkey   The seccertutil delkey command is used to zeroize these
                                             keys.
TLS pre-master secret   No CLI required      Automatically zeroized on session termination.
TLS session key         No CLI required      Automatically zeroized on session termination.
TLS authentication key  No CLI required      Automatically zeroized on session termination.
RADIUS secret           aaaconfig --remove   The aaaconfig --remove command zeroizes the secret and
                                             deletes a configured server.
Table 41 FIPS mode restrictions

Features            FIPS mode    Non-FIPS mode
Root account        Disabled     Enabled
Telnet/SSH access   Only SSH     Telnet and SSH