Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)

ManualsBrandsHP ManualsStorageHP 8/24 Base (16) Full Fabric Ports Enabled SAN Switch

561

562

563

564

565

566

567

568

569

570

Fabric OS Administrator’s Guide 521

53-1002148-02

Preparing the switch for FIPS

1. Connect to the switch and log in using an account with admin permissions, or an account with

OM permissions for the PKI RBAC class of commands.

2. Enter the secCertUtil show -ldapcacert command to determine the name of the LDAP

certificate file.

3. Enter the secCertUtil delete -ldapcacert <file_name> command, where the <file_name> is the

name of the LDAP certificate on the switch.

Example of deleting an LDAP CA certificate

switch:admin> seccertutil delete -ldapcacert swLdapca.pem

WARNING!!!

About to delete certificate: swLdapca.pem

ARE YOU SURE (yes, y, no, n): [no] y

Deleted LDAP certificate successfully

Preparing the switch for FIPS

It is important to prepare the switch for the following restrictions that exist in FIPS mode:

• The root account and all root-only functions are not available.

• HTTP, Telnet, RPC, and SNMP need to be disabled. Once these ports are blocked, you cannot

use them to read or write data from and to the switch.

• The configDownload and firmwareDownload commands using an FTP server are blocked.

See Table 87 on page 518 for a complete list of restrictions between FIPS and non-FIPS modes.

ATTENTION

You need the securityadmin and admin permissions to enable FIPS mode.

Overview of steps

• Remove legacy OpenSSH DSA keys.

• Optional: Configure the RADIUS server or the LDAP server.

• Optional: Configure any authentication protocols.

• For LDAP only: Install an SSL certificate on the Microsoft Active Directory server and a CA

certificate on the switch for using LDAP authentication.

• Ensure no filter policy rule permits access from Telnet, HTTP, or RPC.

• Create separate IP filter policies for IPv4 and IPv6 and block access to Telnet (TCP port 23),

HTTP (TCP port 80), or RPC (TCP and UDP ports 897 and 898).

• Undefined ports are blocked implicitly in FIPS mode.

• Set the SNMP security level to off.

• Disable the Boot PROM access.

• Configure the switch for signed firmware.

• Disable in-flight encryption.

• Disable IPsec for Ethernet and IPsec for FCIP.

• Disable in-band management.