HP StorageWorks Fabric OS 6.x administrator guide (5697-7344, March 2008)

ManualsBrandsHP ManualsStorageHP DC04 SAN Director Switch

121

122

123

124

125

126

127

128

129

130

130 Configuring advanced security features

loading kernel

kjournald starting. Commit interval 5 seconds

EXT3-fs: mounted filesystem with ordered data mode.

VFS: Mounted root (ext3 filesystem) readonly.

Trying to move old root to /initrd ... okay

Freeing unused kernel memory: 108k init

INIT: version 2.78 booting

sh-2.04#

5. On all platforms, from the shell prompt, enter the following commands:

mount -o remount,rw,noatime /

mount /dev/hda2 /mnt

6. Verify the FIPS configuration by typing the following at the command prompt:

/fabos/abin/fipscfg --showall

7. If FIPS mode is 'Enabled', reset it by typing the following at the command prompt:

/fabos/abin/fipscfg --disable fips

8. If Selftests mode is Enabled/None or Enabled/Pass or Enabled/Failed, reset it by typing the following

at the command prompt:

fipscfg --disable selftests

9. Reboot the active system by typing the reboot command.

10. Login to the switch or Active CP as admin or securityAdmin, and verify that the FIPS and SELFTESTS

modes have been reset by typing the fipscfg --showall command.

11. On dual CP systems, reboot the standby CP and ensure that the system comes up.

FIPS mode

By default, the switch will come up non-FIPS mode. You can run the command fipscfg --enable, to

enable FIPS mode. Self-tests mode needs to be enabled, before FIPS mode can be enabled. A set of

pre-requisites as mentioned in the table below needs to be satisfied for the system to enter FIPS mode. See

the Fabric OS Command Reference Manual for additional FIPS related commands.

To be FIPS-compliant, the switch needs to be rebooted. KATs will be run on the reboot. If the KATs are

successful, the switch will enter FIPS mode. If KATs fail, then the switch will reboot until the KATs succeed.

You will need to access the switch in single-user mode to break the reboot cycle.

Only FIPS compliant algorithms will be run at this stage.

Table 41 FIPS mode restrictions

Features FIPS mode Non-FIPS mode

Root account Disabled Enabled

Telnet/SSH access Only SSH Telnet and SSH

SSH algorithms HMAC-SHA1 (mac)

3DES-CBC, AES128-CBC, AES192-CBC,

AES256-CBC (cipher suites)

No restrictions

HTTP/HTTPS access HTTPS only HTTP and HTTPS

HTTPS

protocol/algorithms

TLS/AES128 cipher suite TLS/AES128 cipher suite

(SSL will no longer be supported)

RPC/secure RPC

access

Secure RPC only RPC and secure RPC

Secure RPC protocols TLS - AES128 cipher suite SSL and TLS – all cipher suites

SNMP Read-only operations Read and write operations