HP StorageWorks Fabric OS 6.2 administrator guide (5697-0016, May 2009)
Fabric OS 6.2 administrator guide 159
Example of exporting an LDAP CA certificate
switch:admin> seccertutil export -ldapcacert
Select protocol [ftp or scp]: scp
Enter IP address: 192.168.38.206
Enter remote directory: /users/aUser/certs
Enter Login Name: aUser
Enter LDAP certificate name (must have ".pem" \ suffix):LDAPTestCa.cer
Password: <hidden>
Success: exported LDAP certificate
Deleting an LDAP switch certificate
This option deletes the LDAP CA certificate from the switch.
1. Connect to the switch and log in as admin.
2. Enter the secCertUtil delete -ldapcacert <file_name> command. Where the
<file_name> is the name of the LDAP certificate on the switch
Example of deleting an LDAP CA certificate
switch:admin> seccertutil delete -ldapcacert LDAPTestCa.pem
WARNING!!!
About to delete certificate: LDAPTestCa.cer
ARE YOU SURE (yes, y, no, n): [no] y
Deleted LDAP certificate successfully
Preparing the switch for FIPS
The following functions are blocked in FIPS mode. Therefore, it is important to prepare the switch by
disabling these functions prior to enabling FIPS:
• The root account and all root-only functions are not available.
• HTTP, Telnet, RPC, SNMP protocols need to be disabled. Once these are blocked, you cannot use these
protocols to read or write data from and to the switch.
• The configDownload and firmwareDownload commands using an FTP server are blocked.
See Table 43 on page 156 for a complete list of restrictions between FIPS and non-FIPS modes.
IMPORTANT: Only roles with SecurityAdmin and Admin can enable FIPS mode.
Overview of steps
1. Optional: Configure RADIUS server or LDAP server.
2. Optional: Configure authentication protocols.
3. For LDAP only: Install SSL certificate on Microsoft Active Directory server and CA certificate on the
switch for using LDAP authentication.
4. Block Telnet, HTTP, and RPC.
5. Disable BootProm access.
6. Configure the switch for signed firmware.
7. Disable root access.
8. Enable FIPS.