HP StorageWorks Fabric OS 6.2 administrator guide (5697-0016, May 2009)

ManualsBrandsHP ManualsStorageHP 8/80 Base (48) Full Fabric Ports Enabled SAN Switch

151

152

153

154

155

156

157

158

159

160

154 Configuring advanced security features

10. Generate IP traffic and verify that it is protected using defined policies.

a. Initiate Telnet or SSH or ping session from BRCD300 to BRCD7500.

b. Verify that the IP traffic is encapsulated.

c. Monitor IPsec SAs created using IKE for the above traffic flow.

•Use the ipsecConfig -–show manual-sa –a command with the operands specified to

display the outbound and inbound SAs in the kernel SADB.

•Use the ipsecConfig –-show policy ips sa -a command with the specified operands

to display all IPsec SA policies.

•Use the ipsecConfig –-show policy ips sa-proposal –a command with the

specified operands to display IPsec proposals.

•Use the ipsecConfig –-show policy ips transform –a command with the specified

operands to display IPsec transforms.

•Use the ipsecConfig –-show policy ips selector –a command with the specified

operands to display IPsec traffic selectors.

•Use the ipsecConfig –-show policy ike –a command with the specified operands to

display IKE policies.

•Use the ipsecConfig –-flush manual-sa command with the specified operands to flush

the created SAs in the kernel SADB.

CAUTION: Flushing SAs requires IPsec to be disabled and re-enabled. This operation is disruptive

to traffic on the tunnel.

FIPS support

Federal information processing standards (FIPS) specify the security standards to be satisfied by a

cryptographic module utilized in Fabric OS 6.0.0 and later to protect sensitive information in the switch. As

part of FIPS 140-2 level 2 compliance passwords, shared secrets and the private keys used in SSL, TLS, and

system login need to be cleared out or zeroized. Power-up self tests (POSTs) are executed when the switch

is powered on to check for the consistency of the algorithms implemented in the switch. Known-answer-tests

(KATs) are used to exercise various features of the algorithm and their results are displayed on the console

for your reference. Conditional tests are performed whenever an RSA key pair is generated. These tests

verify that the randomness of the deterministic (DRNG) and non-deterministic random number generator

(non-DRNG). They also verify that the consistency of RSA keys with regard to signing and verification and

encryption and decryption.

IMPORTANT: When FIPS mode is enabled, this is a chassis-wide setting and affects all Logical Switches.

Zeroization functions

Explicit zeroization can be done at the discretion of the security administrator. These functions clear the

passwords and the shared secrets. The Table 42 lists the various keys used in the system that will be

zeroized in a FIPS-compliant Fabric OS module.

Table 42 Zeroization Behavior

Keys Zeroization CLI Description

DH Private keys No CLI required Keys will be zeroized within the code before they

are released from memory.

FCSP Challenge

Handshake

Authentication Protocol

(CHAP) Secret

secauthsecret

–-remove value

The secAuthSecret --remove value is used

to remove/zeroize the keys.

FCAP Private Key pkiremove The pkiCreate command creates the keys, and

pkiremove removes/zeroizes the keys.