HP StorageWorks Fabric OS 6.2 administrator guide (5697-0016, May 2009)

156 Configuring advanced security features
Only FIPS-compliant algorithms are run at this stage.
LDAP in FIPS mode
You can configure your Microsoft Active Directory server to use LDAP while in FIPS mode. There is no
option provided on the switch to configure TLS ciphers for LDAP in FIPS mode. However, the LDAP client
checks whether FIPS mode is set on the switch and uses the FIPS-compliant TLS ciphers for LDAP. If FIPS
mode is not set and the Microsoft Active Directory server is configured for FIPS ciphers, the LDAP client
still uses FIPS-compliant ciphers.
Table 44 lists the differences between FIPS and non-FIPS modes of operation.
Table 43 FIPS mode restrictions

| Features | FIPS mode | Non-FIPS mode |
|---|---|---|
| Root account | Disabled | Enabled |
| Telnet/SSH access | Only SSH | Telnet and SSH |
| SSH algorithms | HMAC-SHA1 (mac); 3DES-CBC, AES128-CBC, AES192-CBC, AES256-CBC (cipher suites) | No restrictions |
| HTTP/HTTPS access | HTTPS only | HTTP and HTTPS |
| HTTPS protocol/algorithms | TLS/AES128 cipher suite (SSL will no longer be supported) | TLS/AES128 cipher suite |
| RPC/secure RPC access | Secure RPC only | RPC and secure RPC |
| Secure RPC protocols | TLS (AES128 cipher suite) | SSL and TLS (all cipher suites) |
| SNMP | Read-only operations | Read and write operations |
| DH-CHAP/FCAP hashing algorithms | SHA-1 | MD5 and SHA-1 |
| Signed firmware | Mandatory firmware signature validation | Optional firmware signature validation |
| Configupload/download/supportsave/firmwaredownload | SCP only | FTP and SCP |
| IPsec | Usage of AES-XCBC, MD5, and DH group 0 and 1 is blocked | No restrictions |
| Radius auth protocols | PEAP-MSCHAPv2 | CHAP, PAP, PEAP-MSCHAPv2 |
Table 44 FIPS and non-FIPS modes of operation

| FIPS mode | non-FIPS mode |
|---|---|
| The CA who issued the Microsoft Active Directory server certificate must be installed on the switch. | There is no mandatory CA certificate installation on the switch. |
| Configure FIPS compliant TLS ciphers [TDES-168, SHA1 and RSA-1024] on Microsoft Active Directory server. The host needs a reboot for the changes to take effect. | On the Microsoft Active Directory server, there is no configuration of the FIPS compliant TLS ciphers. |
| The switch uses FIPS-compliant ciphers regardless of Microsoft Active Directory server configuration. If the Microsoft Active Directory server is not configured for FIPS ciphers, authentication will still succeed. | If Microsoft Active Directory server is configured for FIPS ciphers and the switch is in non-FIPS mode, user authentication will succeed. |
| The Microsoft Active Directory server certificate is validated by the LDAP client. If the CA certificate is not present on the switch, user authentication will fail. | The Microsoft Active Directory server certificate is validated if the CA certificate is found on the switch. |
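The following Python script is an added example, not part of this guide and not Fabric OS code. It audits a set of observed switch settings against the FIPS-mode column of Table 43 and the LDAP certificate requirement of Table 44, reporting every row the switch still violates. The dictionary keys (root_account_enabled, ssh_ciphers, ldap_ca_cert_installed, and so on) are hypothetical and do not correspond to any Fabric OS command output; a real audit would first parse the switch's own output into this shape. Both sample configurations are constructed.

```python
# Added example: audit constructed switch settings against the FIPS-mode
# restrictions of Table 43 and the LDAP CA requirement of Table 44.
# All dict keys are hypothetical, not Fabric OS CLI output.

FIPS_SSH_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
FIPS_SSH_MACS = {"hmac-sha1"}
FIPS_DHCHAP_HASHES = {"sha-1"}
BLOCKED_IPSEC_ALGORITHMS = {"aes-xcbc", "md5"}
BLOCKED_IPSEC_DH_GROUPS = {0, 1}
FIPS_RADIUS_PROTOCOLS = {"peap-mschapv2"}


def _lower_set(values):
    """Normalise algorithm names so comparisons are case-insensitive."""
    return {str(v).lower() for v in values}


def audit_fips_settings(cfg):
    """Return a list of findings; an empty list means every checked setting
    matches the FIPS-mode column. Each finding names the violated row."""
    findings = []
    if cfg.get("root_account_enabled"):
        findings.append("Root account: must be disabled")
    if cfg.get("telnet_enabled"):
        findings.append("Telnet/SSH access: Telnet must be disabled (SSH only)")
    bad_ciphers = _lower_set(cfg.get("ssh_ciphers", [])) - FIPS_SSH_CIPHERS
    if bad_ciphers:
        findings.append("SSH algorithms: non-FIPS ciphers " + ", ".join(sorted(bad_ciphers)))
    bad_macs = _lower_set(cfg.get("ssh_macs", [])) - FIPS_SSH_MACS
    if bad_macs:
        findings.append("SSH algorithms: non-FIPS MACs " + ", ".join(sorted(bad_macs)))
    if cfg.get("http_enabled"):
        findings.append("HTTP/HTTPS access: HTTP must be disabled (HTTPS only)")
    if "ssl" in _lower_set(cfg.get("https_protocols", [])):
        findings.append("HTTPS protocol: SSL is not supported in FIPS mode (TLS only)")
    if cfg.get("plain_rpc_enabled"):
        findings.append("RPC access: only secure RPC over TLS is permitted")
    if cfg.get("snmp_write_enabled"):
        findings.append("SNMP: only read-only operations are permitted")
    bad_hashes = _lower_set(cfg.get("dhchap_hashes", [])) - FIPS_DHCHAP_HASHES
    if bad_hashes:
        findings.append("DH-CHAP/FCAP hashing: " + ", ".join(sorted(bad_hashes)) + " not permitted (SHA-1 only)")
    if not cfg.get("firmware_signature_validation"):
        findings.append("Signed firmware: signature validation must be mandatory")
    if str(cfg.get("file_transfer_protocol", "")).lower() != "scp":
        findings.append("Configupload/download/supportsave/firmwaredownload: SCP only (FTP blocked)")
    bad_ipsec = _lower_set(cfg.get("ipsec_algorithms", [])) & BLOCKED_IPSEC_ALGORITHMS
    if bad_ipsec:
        findings.append("IPsec: blocked algorithms " + ", ".join(sorted(bad_ipsec)))
    bad_groups = set(cfg.get("ipsec_dh_groups", [])) & BLOCKED_IPSEC_DH_GROUPS
    if bad_groups:
        findings.append("IPsec: blocked DH groups " + ", ".join(str(g) for g in sorted(bad_groups)))
    bad_radius = _lower_set(cfg.get("radius_protocols", [])) - FIPS_RADIUS_PROTOCOLS
    if bad_radius:
        findings.append("Radius auth protocols: " + ", ".join(sorted(bad_radius)) + " not permitted (PEAP-MSCHAPv2 only)")
    # Table 44: with LDAP in FIPS mode the CA that issued the AD server
    # certificate must be on the switch, or the LDAP client cannot validate
    # the server certificate and user authentication fails.
    if cfg.get("ldap_enabled") and not cfg.get("ldap_ca_cert_installed"):
        findings.append("LDAP: CA certificate that issued the AD server certificate must be installed")
    return findings


# Constructed sample: a switch still carrying non-FIPS settings.
NON_COMPLIANT_SAMPLE = {
    "root_account_enabled": True, "telnet_enabled": True,
    "ssh_ciphers": ["aes128-cbc", "arcfour"], "ssh_macs": ["hmac-sha1", "hmac-md5"],
    "http_enabled": True, "https_protocols": ["SSL", "TLS"],
    "plain_rpc_enabled": False, "snmp_write_enabled": True,
    "dhchap_hashes": ["md5", "sha-1"], "firmware_signature_validation": False,
    "file_transfer_protocol": "ftp",
    "ipsec_algorithms": ["aes-xcbc", "aes-cbc"], "ipsec_dh_groups": [1, 14],
    "radius_protocols": ["CHAP", "PEAP-MSCHAPv2"],
    "ldap_enabled": True, "ldap_ca_cert_installed": False,
}

# Constructed sample: the same switch after aligning with the FIPS column.
COMPLIANT_SAMPLE = {
    "root_account_enabled": False, "telnet_enabled": False,
    "ssh_ciphers": ["aes128-cbc", "aes256-cbc"], "ssh_macs": ["hmac-sha1"],
    "http_enabled": False, "https_protocols": ["TLS"],
    "plain_rpc_enabled": False, "snmp_write_enabled": False,
    "dhchap_hashes": ["sha-1"], "firmware_signature_validation": True,
    "file_transfer_protocol": "scp",
    "ipsec_algorithms": ["aes-cbc"], "ipsec_dh_groups": [14],
    "radius_protocols": ["PEAP-MSCHAPv2"],
    "ldap_enabled": True, "ldap_ca_cert_installed": True,
}

if __name__ == "__main__":
    for name, sample in (("non-compliant", NON_COMPLIANT_SAMPLE), ("compliant", COMPLIANT_SAMPLE)):
        print(name, "->", audit_fips_settings(sample) or ["no findings"])
```

Each finding is phrased with the Table 43 row it violates so an operator can map the output straight back to the restriction table; an empty result from audit_fips_settings means the checked settings match the FIPS column, not that the switch is FIPS-certified.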