HP StorageWorks Fabric OS 6.x administrator guide (5697-7344, March 2008)

Preparing the switch for FIPS
The following functions are blocked in FIPS mode, so prepare the switch by disabling them before you enable FIPS:
• The root account is blocked in FIPS mode, so no root-only function is available once FIPS is enabled.
• The HTTP, Telnet, RPC, and SNMP protocols must be disabled. Once they are blocked, you cannot use them to read data from or write data to the switch.
• Configdownload and firmwaredownload from an FTP server are blocked; only SCP is permitted.
See Table 41 on page 130 for a complete list of restrictions between FIPS and non-FIPS mode.
IMPORTANT: Only accounts assigned the admin or securityAdmin role can enable FIPS mode.
Overview of steps
1. Optional: Configure RADIUS server
2. Optional: Configure authentication protocols
3. Block Telnet, HTTP, and RPC
4. Disable BootProm access
5. Configure the switch for signed firmware
6. Disable root access
7. Enable FIPS
To enable FIPS mode:
1. Log in to the switch using an account assigned the admin or securityAdmin role.
2. Optional: If the switch is configured for RADIUS, change each RADIUS server entry so that peap-mschapv2 is its only authentication protocol using the aaaconfig --change command, or remove the server entry with aaaconfig --remove. CHAP and PAP are not permitted in FIPS mode.
3. Optional: Set the authentication protocols.
a. Set the hash used by the DH-CHAP and FCAP authentication protocols to SHA-1; MD5 is not permitted in FIPS mode:
authutil --set -h sha1
b. Set the DH group to 1, 2, 3, or 4 using authutil --set -g <n>, where <n> is the DH group number.
4. Block Telnet, HTTP, and RPC using the ipfilter policy command. You need an IP Filter rule for each protocol.
a. Create an IP Filter rule for each protocol; see "To create an IP Filter policy:" on page 116.
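The preparation steps above, written out as one Fabric OS CLI session. This is an added illustration, not a transcript from the guide: the RADIUS server address, the policy name fips_ipv4, the rule numbers, and the 600-1023 port range assumed for RPC are assumptions, as is the assumption that a rule added at an existing rule number is inserted ahead of the default permit rules cloned from default_ipv4; confirm the ordering with ipfilter --show, and check every option against the Fabric OS command reference for the installed release. Signed-firmware validation (step 5 of the overview) is assumed to be set through the interactive configure command and is not shown. Run the session over SSH, not Telnet or the web interface, because those are the paths being blocked, and make sure the admin account works before root is disabled. Lines beginning with # are annotations, not commands.

```console
# Step 2 (optional): restrict each RADIUS server entry to PEAP-MSCHAPv2.
switch:admin> aaaconfig --show
switch:admin> aaaconfig --change 10.0.0.5 -conf radius -a peap-mschapv2

# Step 3 (optional): SHA-1 for DH-CHAP/FCAP (MD5 is blocked in FIPS mode), DH group 2.
switch:admin> authutil --set -h sha1
switch:admin> authutil --set -g 2
switch:admin> authutil --show

# Step 4: clone the default IPv4 policy and add deny rules for Telnet (tcp/23),
# HTTP (tcp/80) and RPC (tcp and udp 600-1023, assumed) ahead of the permits.
switch:admin> ipfilter --clone fips_ipv4 -from default_ipv4
switch:admin> ipfilter --addrule fips_ipv4 -rule 1 -sip any -dp 23 -proto tcp -act deny
switch:admin> ipfilter --addrule fips_ipv4 -rule 2 -sip any -dp 80 -proto tcp -act deny
switch:admin> ipfilter --addrule fips_ipv4 -rule 3 -sip any -dp 600-1023 -proto tcp -act deny
switch:admin> ipfilter --addrule fips_ipv4 -rule 4 -sip any -dp 600-1023 -proto udp -act deny
switch:admin> ipfilter --save fips_ipv4
switch:admin> ipfilter --activate fips_ipv4
# Verify the deny rules precede the permit rules and that fips_ipv4 is the active policy.
switch:admin> ipfilter --show

# Step 4 (cont.): disable BootProm access.
switch:admin> fipscfg --disable bootprom

# Step 6: disable the root account.
switch:admin> userconfig --change root -e no

# Step 7: review the FIPS configuration, then enable FIPS.
switch:admin> fipscfg --show
switch:admin> fipscfg --enable fips
```

After the ipfilter policy is activated, the SSH session you are using stays up because tcp/22 is still permitted by the cloned default rules; the Telnet and HTTP permits remain in the policy but are never reached once the deny rules sit ahead of them, which is why the rule order shown by ipfilter --show is the thing to check before enabling FIPS.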
Table 41 FIPS mode restrictions

Features                              FIPS mode                                    Non-FIPS mode
DH-CHAP/FCAP hashing algorithms       SHA-1                                        MD5 and SHA-1
Signed firmware                       Mandatory firmware signature validation      Optional firmware signature validation
Configupload/download/supportsave/
firmwaredownload                      SCP only                                     FTP and SCP
IPsec                                 Use of AES-XCBC, MD5, and DH group 1 is      No restrictions
                                      blocked
Radius auth protocols                 PEAP-MSCHAPv2                                CHAP, PAP, PEAP-MSCHAPv2