HP SN3000B User Manual

Fabric OS Administrator’s Guide 523
53-1002446-01
The results of the POST and conditional tests are recorded in the system log or are output to the
local console. This action includes logging both passing and failing results. Refer to the Fabric OS
Troubleshooting and Diagnostics Guide for instructions on how to recover if your system cannot get
out of the conditional test mode.
FIPS mode configuration
By default, the switch comes up in non-FIPS mode. You can run the fipsCfg --enable fips
command to enable FIPS mode, but you must configure the switch first. Self-test mode must be
enabled before FIPS mode can be enabled. A set of prerequisites (as shown in Table 86) must be
satisfied for the system to enter FIPS mode. To be FIPS-compliant, the switch must be rebooted. For
Backbones, either reboot both CPs, or power the chassis down and then up again. KATs are run on
the reboot. If the KATs are successful, the switch enters FIPS mode. If the KATs fail, then the switch
reboots until the KATs succeed. If the switch cannot enter FIPS mode and continues to reboot, you
must return the switch to your switch service provider. For information about how to prepare a
service provider case, refer to the Fabric OS Troubleshooting and Diagnostics Guide.
When the switch successfully reboots in FIPS mode, only FIPS-compliant algorithms are run.
Table 86 lists Fabric OS features and their behaviors in FIPS and non-FIPS mode.
TABLE 86 FIPS mode restrictions

| Features | FIPS mode | Non-FIPS mode |
|---|---|---|
| Configupload/download/supportsave/firmwaredownload | SCP/SFTP only | FTP and SCP/SFTP |
| DH-CHAP/FCAP hashing algorithms | SHA-1 | MD5 and SHA-1 |
| HTTP/HTTPS access | HTTPS only | HTTP and HTTPS |
| HTTPS algorithms | TLS/AES128 cipher suite | TLS AES 128 cipher suite |
| IPsec | Disabled | No restrictions |
| LDAP CA | CA certificate must be available. | CA certificate is optional. |
| Radius auth protocols | PEAP-MSCHAPv2 | CHAP, PAP, PEAP-MSCHAPv2 |
| Root account | Disabled | Enabled |
| Signed firmware | Mandatory firmware signature validation | Optional firmware signature validation |
| SNMP | Read-only operations | Read and write operations |
| SSH algorithms | HMAC-SHA1 (MAC); 3DES-CBC, AES128-CBC, AES192-CBC, AES256-CBC (cipher suites) | No restrictions |
| SSH public keys | RSA 1024 bit keys and RSA 2048 bit keys | RSA 1024 bit keys, RSA 2048 bit keys, and DSA 1024 bit keys |
| Telnet/SSH access | Only SSH | Telnet and SSH |
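The following is an added example, not part of the original guide: a small auditor that compares a snapshot of a switch's settings against the FIPS mode column of Table 86 and reports anything left over from non-FIPS operation. The setting names and both snapshots are constructed for illustration and are not Fabric OS command output; a setting missing from the snapshot is reported rather than assumed compliant.

```python
# Added example: audits a settings snapshot against Table 86 (FIPS mode column).
# Setting names and snapshots are constructed; they are not Fabric OS output.

# Multi-valued features: everything enabled must fall inside the FIPS-mode set.
FIPS_ALLOWED = {
    "file_transfer": {"scp", "sftp"},
    "dhchap_fcap_hash": {"sha-1"},
    "web_access": {"https"},
    "radius_auth": {"peap-mschapv2"},
    "remote_shell": {"ssh"},
    "ssh_macs": {"hmac-sha1"},
    "ssh_ciphers": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"},
    "ssh_pubkeys": {"rsa-1024", "rsa-2048"},
}
# On/off features and the state Table 86 gives for FIPS mode.
FIPS_REQUIRED = {
    "ipsec_enabled": False,
    "root_account_enabled": False,
    "ldap_ca_cert_present": True,
    "firmware_signature_required": True,
    "snmp_write_enabled": False,
}

def audit(snapshot):
    """Return (setting, problem) pairs; an empty list means no Table 86 violation."""
    findings = []
    for name, allowed in FIPS_ALLOWED.items():
        if name not in snapshot:  # fail closed when a feature was not reported
            findings.append((name, "not reported"))
            continue
        for value in sorted({v.lower() for v in snapshot[name]} - allowed):
            findings.append((name, value))
    for name, required in FIPS_REQUIRED.items():
        if snapshot.get(name) is not required:
            findings.append((name, f"expected {required}, got {snapshot.get(name)}"))
    return findings

# Constructed snapshots: one matching the FIPS column, one with non-FIPS leftovers.
COMPLIANT = {**{k: sorted(v) for k, v in FIPS_ALLOWED.items()}, **FIPS_REQUIRED}
LEFTOVERS = dict(COMPLIANT, file_transfer=["ftp", "scp"], remote_shell=["telnet", "ssh"],
                 ssh_pubkeys=["RSA-2048", "DSA-1024"], root_account_enabled=True)
del LEFTOVERS["ssh_macs"]

if __name__ == "__main__":
    for setting, problem in audit(LEFTOVERS):
        print(f"{setting}: {problem}")
```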
