HP StorageWorks Fabric OS 6.x administrator guide (5697-7344, March 2008)

ManualsBrandsHP ManualsStorageHP StorageWorks 4/32B SAN Switch

121

122

123

124

125

126

127

128

129

130

128 Configuring advanced security features

Zeroization functions

Explicit zeroization can be done at the discretion of the security administrator. These functions clear the

passwords and the shared secrets. The following table lists the various keys used in the system that will be

zeroized in a FIPS compliant FOS module.

Power-up self tests

The self tests are invoked by powering on the switch in FIPS mode and do not require any operator

intervention. These tests can also be invoked by the user through a CLI interface.

NOTE: Perform power-on self-tests. If any of KAT tests fail, the switch goes into a FIPS Error state which is

to reboot the system to single-user mode. You will need to perform a recovery procedure by booting into

single-user mode to recover the system.

Table 40 Zeroization behavior

Keys Zeroization CLI Description

DH Private keys No CLI required Keys will be zeroized within code before they are

released from memory.

FCSP Challenge

Handshake

Authentication Protocol

(CHAP) Secret

secauthsecret –-remove The secauthsecret -remove is used to

remove/zeroize the keys.

FCAP Private Key

pkiremove

The pkicreate command creates the keys, and

'pkiremove' removes/zeroizes the keys.

SSH Session Key No CLI required This is generated for each SSH session that is

established to and from the host. It automatically

zeroizes on session termination.

SSH RSA private Key No CLI required Key based SSH authentication is not used for SSH

sessions.

RNG Seed Key No CLI required /dev/urandom is used as the initial source of seed

for RNG. RNG seed key is zeroized on every

random number generation.

Passwords passwddefault

fipscfg –-zeroize

This will remove user defined accounts in addition

to default passwords for the root, admin, and user

default accounts. However only root has

permissions for this command. So securityadmin

and admin roles need to use fipscfg

–-zeroize which in addition to removing user

accounts and resetting passwords, also does the

complete zerioization of the system.

TLS private keys seccertutil delkey The command seccertutil delkey is used to

zeroize these keys.

TLS pre-master secret No CLI required Automatically zeroized on session termination

TLS session key No CLI required Automatically zeroized on session termination

TLS authentication key No CLI required Automatically zeroized on session termination

RADIUS secret aaaconfig –-remove The aaaconfig --remove zeroizes the secret

and deletes a configured server