HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)

Example:
switch:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
System services (yes, y, no, n): [no]
cfgload attributes (yes, y, no, n): [no] yes
Enforce secure config Upload/Download (yes, y, no, n): [no]
Enforce firmware signature validation (yes, y, no, n): [no] yes
8. Issue the following command to block access to root:
userconfig --change root -e no
Disabling the root account also blocks RADIUS and LDAP users with root roles in FIPS mode.
9. Verify that your switch is FIPS ready:
fipscfg --verify fips
10. Issue the command fipsCfg --enable fips.
11. Reboot the switch.
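An added example, not part of the HP guide: a Python check that parses a saved configure session in the prompt format shown in the example above and reports any security prompt whose answer differs from what this procedure calls for. The function names and the practice of auditing a saved session log are assumptions of this example.

```python
import re

# Answers the enable procedure calls for at the two security prompts
# ("default" = press Enter and keep whatever default the switch shows).
EXPECTED = {
    "Enforce secure config Upload/Download": "default",
    "Enforce firmware signature validation": "yes",
}
# Prompt shape on this page: "<text> (yes, y, no, n): [<default>] <typed>"
PROMPT_RE = re.compile(
    r"^(?P<prompt>.+?)\s+\(yes, y, no, n\):\s+\[(?P<default>yes|no)\]\s*(?P<typed>\S*)$"
)
NORMALIZE = {"y": "yes", "yes": "yes", "n": "no", "no": "no"}

def parse_configure(transcript):
    """Return {prompt: (default, effective answer)} for every yes/no prompt."""
    answers = {}
    for line in transcript.splitlines():
        m = PROMPT_RE.match(line.strip())
        if not m:
            continue  # banner text, shell prompt, etc.
        typed = m.group("typed").lower()
        if typed and typed not in NORMALIZE:
            raise ValueError(f"unrecognized answer {typed!r}: {line.strip()}")
        default = m.group("default")
        answers[m.group("prompt")] = (default, NORMALIZE.get(typed, default))
    return answers

def audit(transcript):
    """List deviations from EXPECTED, including prompts never reached."""
    got = parse_configure(transcript)
    findings = []
    for prompt, want in EXPECTED.items():
        if prompt not in got:
            findings.append(f"{prompt}: prompt not reached")
            continue
        default, answer = got[prompt]
        if answer != (default if want == "default" else want):
            findings.append(f"{prompt}: answered {answer}, expected {want}")
    return findings

# Session text taken from the example on this page.
SAMPLE = """switch:admin> configure
Configure...
System services (yes, y, no, n): [no]
cfgload attributes (yes, y, no, n): [no] yes
Enforce secure config Upload/Download (yes, y, no, n): [no]
Enforce firmware signature validation (yes, y, no, n): [no] yes
"""
```

Calling audit(SAMPLE) returns an empty list; a session in which the firmware signature prompt was left at its default, or in which the cfgload section was never entered, returns one finding per affected prompt.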
Disabling FIPS mode
1. Log in to the switch using an account assigned the admin or securityAdmin role.
2. Issue the command fipsCfg --disable fips.
3. Reboot the switch.
4. Enable the root account by following the bootprom:
userconfig --change root -e yes
5. Enable access to the bootprom:
fipscfg --enable bootprom
6. Optional: Issue the configure command to set the switch to use non-signed firmware.
If you keep the switch set to use signed firmware, all firmware downloaded to the switch must be
signed with a key. For more information, see "Installing and maintaining firmware" on page 175.
7. Disable selftests by issuing the command:
fipscfg --disable selftests
8. Disable IPFilter policies that were created to enable FIPS.
9. Optional: Configure RADIUS server authentication protocol.
10. Reboot the switch.
Zeroizing for FIPS
1. Log in to the switch using an account assigned the admin or securityAdmin role.
2. Issue the command fipsCfg --zeroize.
3. Reboot the switch.
Displaying FIPS configuration
1. Log in to the switch using an account assigned the admin or securityAdmin role.
2. Issue the command fipsCfg --showall.
Enforce secure config Upload/Download: Press Enter to accept default.
Enforce firmware signature validation: Yes