HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)

ManualsBrandsHP ManualsStorageHP StorageWorks 4/32B SAN Switch

131

132

133

134

135

136

137

138

139

140

138 Configuring advanced security features

LDAP in FIPS mode

You can configure your Microsoft Active Directory server to use LDAP while in FIPS mode. Although, there

is no option provided on the switch to configure TLS ciphers for LDAP in FIPS mode. However, the LDAP

client checks if FIPS mode is set on the switch and uses the FIPS compliant TLS ciphers for LDAP. If the FIPS

mode is not set and the Microsoft Active Directory server is configured for FIPS ciphers, it uses FIPS

compliant ciphers.

Table 42 lists the differences between FIPS and non-FIPS mode of operation.

SSH algorithms HMAC-SHA1 (mac)

3DES-CBC, AES128-CBC, AES192-CBC,

AES256-CBC (cipher suites)

No restrictions

HTTP/HTTPS access HTTPS only HTTP and HTTPS

HTTPS

protocol/algorithms

TLS/AES128 cipher suite TLS/AES128 cipher suite

(SSL will no longer be supported)

RPC/secure RPC

access

Secure RPC only RPC and secure RPC

Secure RPC protocols TLS - AES128 cipher suite SSL and TLS – all cipher suites

SNMP Read-only operations Read and write operations

DH-CHAP/FCAP

hashing algorithms

SHA-1 MD5 and SHA-1

Signed firmware Mandatory firmware signature validation Optional firmware signature

validation

Configupload/

download/

supportsave/

firmwaredownload

SCP only FTP and SCP

IPsec Usage of AES-XCBC, MD5 and DH group 1

are blocked

No restrictions

Radius auth protocols PEAP-MSCHAPv2 CHAP, PAP, PEAP-MSCHAPv2

Table 41 FIPS mode restrictions (continued)

Features FIPS mode Non-FIPS mode

Table 42 FIPS mode of operation

FIPS mode non-FIPS mode

The CA that issued the Microsoft Active Directory

server certificate must be installed on the switch.

There is no mandatory CA certificate installation

on the switch.

Configure FIPS compliant TLS ciphers [TDES-168, SHA1

and RSA-1024] on Microsoft Active Directory server.

The host needs a reboot for the changes to take effect.

On the Microsoft Active Directory server, there is

no configuration of the FIPS compliant TLS

ciphers.

The switch uses FIPS-compliant ciphers regardless of

Microsoft Active Directory server configuration. If the

Microsoft Active Directory server is not configured for

FIPS ciphers, authentication will still succeed.

The Microsoft Active Directory server certificate

is validated if the CA certificate is found on the

switch

The Microsoft Active Directory server certificate is

validated by the LDAP client. If the CA certificate is not

present on the switch, user authentication fails.

If Microsoft Active Directory server is configured

for FIPS ciphers and the switch is in non-FIPS

mode, user authentication succeeds.