
HP StoreFabric SN6500B User Manual

666 pages
622 Fabric OS Administrator’s Guide
53-1002745-02
Preparing a switch for FIPS
B
Overview of steps
1. Remove legacy OpenSSH DSA keys.
2. Optional: Configure the RADIUS server or the LDAP server.
3. Optional: Configure any authentication protocols.
4. For LDAP only: Install an SSL certificate on the Microsoft Active Directory server and a CA certificate on the switch for using LDAP authentication.
5. Create separate IP filter policies for IPv4 and IPv6 and block access to Telnet (TCP port 23), HTTP (TCP port 80), or RPC (TCP and UDP ports 897 and 898).
6. Set the SNMP security level to off.
7. Disable the boot PROM access.
8. Configure the switch for signed firmware.
9. Disable in-flight encryption.
10. Disable IPsec for Ethernet and IPsec for FCIP.
11. Disable in-band management.
12. Disable authspec modes if TACACS+ authentication or non-PEAP RADIUS are configured.
13. Disable root access.
14. Enable the KATs and the conditional tests.
15. Enable FIPS.
16. Perform zeroization as described in the section “Zeroizing for FIPS” on page 624.
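
One way to confirm from a management host that the step 5 IP filter policies are in effect, as an added example that is not part of the manual. The function names and the script name `fips_portcheck.py` are hypothetical, and the check assumes it runs from a host the filter policies apply to.

```python
import socket

# TCP services that step 5 says the IP filter policies must block.
# RPC also uses UDP 897/898; UDP is not probed here because a silently
# dropped packet and an open UDP port look the same to a simple probe.
BLOCKED_TCP = {"telnet": 23, "http": 80, "rpc-897": 897, "rpc-898": 898}


def tcp_reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False


def audit(host, ports=BLOCKED_TCP, timeout=2.0):
    """Return {service: port} for services that still accept connections."""
    return {name: port for name, port in ports.items()
            if tcp_reachable(host, port, timeout)}


def audit_all(hosts, ports=BLOCKED_TCP, timeout=2.0):
    """Audit each address; pass the IPv4 and IPv6 addresses separately,
    because step 5 creates a separate policy for each family."""
    return {h: audit(h, ports, timeout) for h in hosts}


if __name__ == "__main__":
    import sys
    # Usage (hypothetical): python fips_portcheck.py <switch-ipv4> [<switch-ipv6>]
    findings = audit_all(sys.argv[1:])
    for host, open_ports in findings.items():
        status = "FAIL " + str(open_ports) if open_ports else "ok"
        print(f"{host}: {status}")
    sys.exit(1 if any(findings.values()) else 0)
```

An empty result for both the IPv4 and the IPv6 address means none of the listed TCP services accepted a connection; the UDP side of the RPC block still has to be confirmed on the switch itself.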
Enabling FIPS mode
1. Log in to the switch using an account with securityadmin permissions.
2. Enter the sshutil delpubkeys and sshutil delprivkey commands to remove legacy OpenSSH DSA keys.
   These keys, which previously were the default keys, migrate to Fabric OS v7.0.0 but are no longer supported in FIPS mode. You must remove these keys to remain FIPS compliant.
   NOTE: Support for RSA keys is retained. You can implement RSA keys using the sshutil command.
3. Optional: Select the appropriate authentication method based on your needs:
   • If the switch is set for RADIUS, enter the aaaConfig --change or aaaConfig --remove command to modify each server to use only PEAP-MSCHAPv2 as the authentication protocol.
     The RADIUS server must also be configured to use only PEAP-MSCHAPv2. Note that among the Windows RADIUS servers supported, only Windows 2000-, Windows 2003-, and Windows 2008-based RADIUS servers may be used in a FIPS-compliant configuration.
   • If the switch is set for LDAP, refer to the instructions in “Setting up LDAP for FIPS mode” on page 619.
