Manualshelf

HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)

ManualsBrandsHP ManualsStorageHP StorageWorks 4/32B SAN Switch
131132133134135136137138139140
136 Configuring advanced security features
FIPS support
Federal information processing standards (FIPS) specifies the security standards to be satisfied by a
cryptographic module utilized in the Fabric OS to protect sensitive information in the switch. As part of FIPS
140-2 level 2 compliance passwords, shared secrets and the private keys used in SSL, TLS, and system
login need to be cleared out or zeroized. Power-up self tests are executed when the switch is powered on to
check for the consistency of the algorithms implemented in the switch. Known Answer Tests (KATs) are used
to exercise various features of the algorithm and their results are displayed on the console for your
reference. Conditional tests are performed whenever RSA key pair is generated. These tests verify the
randomness of the deterministic and non-deterministic random number generator (DRNG and non-DRNG).
They also verify the consistency of RSA keys with regard to signing and verification and encryption and
decryption.
Zeroization functions
Explicit zeroization can be done at the discretion of the security administrator. These functions clear the
passwords and the shared secrets. Table 40 lists the various keys used in the system that will be zeroized in
a FIPS compliant FOS module.
Table 39 Fabric merges with tolerant/absent combinations
Fabric-wide consistency policy setting Expected behavior
Fabric A Fabric B
Tolerant/Absent SCC;DCC Error message logged.
Run fddCfg --fabwideset
“<policy_ID>” from any switch
with the desired configuration to fix
the conflict. The
secPolicyActivate command
is blocked until conflict is resolved.
DCC
SCC;DCC SCC
DCC SCC
Table 40 Zeroization behavior
Keys Zeroization CLI Description
DH Private keys No CLI required Keys will be zeroized within code before they are
released from memory.
FCSP Challenge
Handshake
Authentication Protocol
(CHAP) Secret
secauthsecret –-remove The secauthsecret -remove is used to
remove/zeroize the keys.
FCAP Private Key
pkiremove
The pkicreate command creates the keys, and
'pkiremove' removes/zeroizes the keys.
SSH Session Key No CLI required This is generated for each SSH session that is
established to and from the host. It automatically
zeroizes on session termination.
SSH RSA private Key No CLI required Key based SSH authentication is not used for SSH
sessions.
RNG Seed Key No CLI required /dev/urandom is used as the initial source of seed
for RNG. RNG seed key is zeroized on every
random number generation.