Home » HP Manuals » Storage Devices » HP 1606 » Manual Viewer

HP 1606 Fabric OS Administrator's Guide v6.4.0 (53-1001763-01, June 2010) - Page 563

FIPS mode configuration

Add to My Manuals
Save this manual to your list of manuals

Page 563 highlights

FIPS mode configuration D The results of all self-tests, for both power-up and conditional, are recorded in the system log or are output to the local console. This includes logging both passing and failing results. Refer to the Fabric OS Troubleshooting and Diagnostics Guide for instructions on how to recover if your system cannot get out of the conditional test mode. FIPS mode configuration By default, the switch comes up in non-FIPS mode. You can run the fipsCfg --enable fips command to enable FIPS mode, but you need to configure the switch first. Self-tests mode must be enabled before FIPS mode can be enabled. A set of prerequisites as mentioned in the table below must be satisfied for the system to enter FIPS mode. To be FIPS-compliant, the switch must be rebooted. KATs are run on the reboot. If the KATs are successful, the switch enters FIPS mode. If KATs fail, then the switch reboots until the KATs succeed. If the switch cannot enter FIPS mode and continues to reboot, you must access the switch in single-user mode to break the reboot cycle. For more information on how to fix this issue, refer to the Fabric OS Troubleshooting and Diagnostics Guide Only FIPS-compliant algorithms are run at this stage. Table 103 lists the Fabric OS feature and their behavior in FIPS and non-FIPS mode. TABLE 103 FIPS mode restrictions Features FIPS mode Non-FIPS mode Configupload/ download/ supportsave/ firmwaredownload DH-CHAP/FCAP hashing algorithms HTTP/HTTPS access HTTPS protocol/algorithms IPsec Radius auth protocols Root account RPC/secure RPC access Secure RPC protocols Signed firmware SNMP SSH algorithms Telnet/SSH access SCP only FTP and SCP SHA-1 MD5 and SHA-1 HTTPS only TLS/AES128 cipher suite For FCIP IPSec the DH group 1 is FIPS-compliant and is not blocked. Usage of AES-XCBC, MD5 and DH group 0 and 1 are blocked. For IPSec (Ethernet), only MD5 is blocked in FIPS mode. PEAP-MSCHAPv2 Disabled Secure RPC only TLS - AES128 cipher suite Mandatory firmware signature validation. Read-only operations HMAC-SHA1 (mac) 3DES-CBC, AES128-CBC, AES192-CBC, AES256-CBC (cipher suites) Only SSH HTTP and HTTPS TLS/AES128 cipher suite (SSL will no longer be supported) No restrictions CHAP, PAP, PEAP-MSCHAPv2 Enabled RPC and secure RPC SSL and TLS - all cipher suites Optional firmware signature validation Read and write operations No restrictions Telnet and SSH Fabric OS Administrator's Guide 523 53-1001763-01

Section	Page
Contents	5
Figures	25
Tables	29
About This Document	33
In this chapter	33
How this document is organized	33
Supported hardware and software	34
What’s new in this document	35
Document conventions	35
Text formatting	36
Command syntax conventions	36
Notes, cautions, and warnings	36
Key terms	37
Notice to the reader	37
Additional information	37
Brocade resources	37
Other industry resources	38
Getting technical help	38
Document feedback	39
Understanding Fibre Channel Services	43
In this chapter	43
Fibre Channel services overview	43
The Management Server	44
Platform services	44
Platform services in a Virtual Fabric	45
Enabling platform services	45
Disabling platform services	45
Management server database	45
Displaying the management server ACL	46
Adding a member to the ACL	46
Deleting a member from the ACL	47
Viewing the contents of the management server database	48
Clearing the management server database	48
Topology discovery	49
Displaying topology discovery status	49
Enabling topology discovery	49
Disabling topology discovery	49
Device login	50
Principal switch	50
E_Port login	50
Fabric login	51
Port login process	51
RSCN causes	52
High availability of daemon processes	52
Performing Basic Configuration Tasks	55
In this chapter	55
Fabric OS overview	55
Fabric OS command line interface	56
Console sessions using the serial port	56
Telnet or SSH sessions	57
Getting help on a command	58
Password modification	58
Default account passwords	59
The Ethernet interface on your switch	60
Virtual Fabrics and the Ethernet interface	60
Displaying the network interface settings	61
Static Ethernet addresses	62
DHCP activation	63
IPv6 autoconfiguration	64
Date and time settings	65
Setting the date and time	65
Time zone settings	66
Network time protocol	67
Domain IDs	68
Displaying the domain IDs	69
Setting the domain ID	70
Switch names	70
Customizing the switch name	70
Chassis names	71
Customizing chassis names	71
Switch activation and deactivation	71
Disabling a switch	71
Enabling a switch	71
Switch and enterprise-class platform shutdown	71
Powering off a Brocade switch	72
Powering off a Brocade enterprise-class platform	72
Basic connections	73
Device connection	73
Switch connection	73
Performing Advanced Configuration Tasks	75
In this chapter	75
PIDs and PID binding overview	75
Core PID addressing mode	76
Fixed addressing mode	76
10-bit addressing mode	76
256-area addressing mode	77
WWN-based PID assignment	77
Ports	79
Setting port names	81
Port identification by slot and port number	81
Port identification by port area ID	81
Port identification by index	81
Swapping port area IDs	82
Port activation and deactivation	82
Setting port speeds	83
Setting the same speed for all ports on the switch	84
Blade terminology and compatibility	84
CP blades	86
Core blades	86
Port and application blade compatibility	86
FX8-24 compatibility notes	88
Enabling and disabling blades	88
Enabling blades	88
Disabling blades	90
Blade swapping	90
Swapping blades	91
Swapping blades	92
Power management	93
Powering off a port blade	93
Powering on a port blade	93
Equipment status	94
Checking switch operation	94
Verifying High Availability features (directors and enterprise-class platforms only)	94
Verifying fabric connectivity	95
Verifying device connectivity	95
Track and control switch changes	96
Enabling the track changes feature	96
Displaying the status of the track changes feature	97
Viewing the switch status policy threshold values	97
Setting the switch status policy threshold values	97
Audit log configuration	99
Auditable event classes	100
Verifying host syslog prior to configuring the audit log	100
Configuring an audit log for specific event classes	101
Routing Traffic	103
About this chapter	103
Routing overview	103
Path versus route selection	104
FSPF	104
Fibre Channel NAT	105
Inter-switch links	106
Buffer credits	107
Virtual Channels	107
Gateway links	109
Configuring a link through a gateway	110
Inter-chassis links	111
Supported topologies	112
Routing policies	113
Displaying the current routing policy	114
Exchange-based routing	114
Port-based routing	114
AP route policy	115
Routing in Virtual Fabrics	115
Route selection	116
Dynamic Load Sharing	116
Static route assignment	117
Frame order delivery	118
Forcing in-order frame delivery across topology changes	118
Restoring out-of-order frame delivery across topology changes	118
Lossless Dynamic Load Sharing on ports	119
Lossless core	120
Configuring Lossless Dynamic Load Sharing	120
Lossless Dynamic Load Sharing in Virtual Fabrics	120
Frame Redirection	121
Creating a frame redirect zone	122
Deleting a frame redirect zone	122
Viewing redirect zones	122
Managing User Accounts	123
In this chapter	123
User accounts overview	123
Role-Based Access Control (RBAC)	124
The management channel	127
Local database user accounts	128
Default accounts	128
Local account passwords	129
Local account database distribution	130
Distributing the local user database	130
Accepting distribution of user databases on the local switch	130
Rejecting distributed user databases on the local switch	130
Password policies	131
Password strength policy	131
Password history policy	132
Password expiration policy	133
Account lockout policy	133
The boot PROM password	135
Setting the boot PROM password for a switch with a recovery string	135
Setting the boot PROM password for a director with a recovery string	136
Setting the boot PROM password for a switch without a recovery string	137
Setting the boot PROM password for a director without a recovery string	138
The authentication model using RADIUS and LDAP	139
Setting the switch authentication mode	141
Fabric OS user accounts	141
Fabric OS users on the RADIUS server	142
The RADIUS server	145
LDAP configuration and Microsoft Active Directory	151
Authentication servers on the switch	154
Configuring local authentication as backup	155
Configuring Protocols	157
In this chapter	157
Security protocols	157
Secure Copy	158
Setting up SCP for configUploads and downloads	159
Secure Shell protocol	159
SSH public key authentication	160
Secure Sockets Layer protocol	162
Browser and Java support	162
SSL configuration overview	163
Certificate authorities	163
The browser	165
Root certificates for the Java Plug-in	166
Simple Network Management Protocol	167
SNMP and Virtual Fabrics	168
The security level	169
The snmpConfig command	169
Telnet protocol	169
Blocking Telnet	169
Unblocking Telnet	170
Listener applications	171
Ports and applications used by switches	171
Port configuration	172
Configuring Security Policies	173
In this chapter	173
ACL policies overview	173
How the ACL policies are stored	173
Policy members	174
ACL policy management	174
Displaying ACL policies	175
Saving changes without activating the policies	175
Activating policy changes	175
Deleting an ACL policy	175
Adding a member to an existing ACL policy	176
Removing a member from an ACL policy	176
Aborting unsaved policy changes	176
FCS policies	177
FCS policy restrictions	177
Ensuring fabric domains share policies	178
Creating an FCS policy	178
Modifying the order of FCS switches	179
FCS policy distribution	179
DCC policies	180
DCC policy restrictions	181
Creating a DCC policy	181
Deleting a DCC policy	182
SCC policies	183
Creating an SCC policy	183
Authentication policy for fabric elements	184
E_Port authentication	185
Device authentication policy	187
AUTH policy restrictions	187
Authentication protocols	188
Secret key pairs for DH-CHAP	189
FCAP configuration overview	190
Fabric-wide distribution of the Auth policy	193
IP Filter policy	193
Creating an IP Filter policy	193
Cloning an IP Filter policy	194
Displaying an IP Filter policy	194
Saving an IP Filter policy	194
Activating an IP Filter policy	194
Deleting an IP Filter policy	195
IP Filter policy rules	195
IP Filter policy enforcement	197
Adding a rule to an IP Filter policy	197
Deleting a rule to an IP Filter policy	197
Aborting an IP Filter transaction	197
IP Filter policy distribution	198
Policy database distribution	198
Database distribution settings	199
ACL policy distribution to other switches	200
Fabric-wide enforcement	200
Notes on joining a switch to the fabric	202
Management interface security	204
Configuration examples	205
IPsec protocols	206
Security associations	207
Authentication and encryption algorithms	207
IPsec policies	208
IKE policies	209
Creating the tunnel	210
Example of an End-to-End Transport Tunnel mode	212
Maintaining the Switch Configuration File	215
In this chapter	215
Configuration settings	215
Configuration file format	216
Configuration file backup	218
Uploading a configuration file in interactive mode	219
Configuration file restoration	220
Restrictions	220
Configuration download without disabling a switch	222
Configurations across a fabric	224
Downloading a configuration file from one switch to another same model switch	224
Security considerations	224
Configuration management for Virtual Fabrics	224
Uploading a configuration file from a switch with Virtual Fabrics enabled	225
Restoring logical switch configuration using configDownload	225
Restrictions	226
Brocade configuration form	227
Installing and Maintaining Firmware	229
In this chapter	229
Firmware download process overview	229
Upgrading and downgrading firmware	230
Considerations for FICON CUP environments	231
HA sync state	231
Preparing for a firmware download	232
Connected switches	233
Finding the switch firmware version	233
Obtain and decompress firmware	233
Firmware download on switches	234
Switch firmware download process overview	234
Firmware download on an enterprise-class platform	236
Enterprise-class platform firmware download process overview	236
Firmware download from a USB device	240
Enabling USB	240
Viewing the USB file system	240
Downloading from USB using the relative path	240
Downloading from USB using the absolute path	240
FIPS Support	241
Public and Private Key Management	241
The firmwareDownload Command	241
Power-on Firmware Checksum Test	242
Test and restore firmware on switches	243
Testing a different firmware version on a switch	243
Test and restore firmware on enterprise-class platforms	244
Testing different firmware versions on enterprise-class platforms	245
Validating a firmware download	247
Managing Virtual Fabrics	249
In this chapter	249
Virtual Fabrics overview	249
Logical switch overview	250
Default logical switch	250
Logical switches and fabric IDs	252
Port assignment in logical switches	252
Logical switches and connected devices	253
Logical fabric overview	254
Logical fabric and ISLs	255
Logical fabric and ISL sharing	256
Management model for logical switches	259
Account management and Virtual Fabrics	260
Supported platforms for Virtual Fabrics	260
Supported port configurations in the Brocade 5100, 5300, and VA-40FC	260
Supported port configurations in the Brocade DCX and DCX-4S	261
Virtual Fabrics interaction with other Fabric OS features	261
Limitations and restrictions of Virtual Fabrics	262
Restrictions on moving ports	263
Enabling Virtual Fabrics mode	263
Disabling Virtual Fabrics mode	264
Configuring logical switches to use basic configuration values	265
Creating a logical switch or base switch	265
Executing a command in a different logical fabric context	267
Deleting a logical switch	268
Adding and removing ports on a logical switch	269
Displaying logical switch configuration	270
Changing the fabric ID of a logical switch	270
Changing a logical switch to a base switch	271
Setting up IP addresses for a Virtual Fabric	272
Removing an IP address for a Virtual Fabric	272
Configuring a logical switch to use XISLs	272
Changing the context to a different logical fabric	273
Creating a logical fabric using XISLs	274
Administering Advanced Zoning	277
In this chapter	277
Special zones	277
Zoning overview	278
Zone types	279
Zone objects	280
Zone aliases	281
Zone configurations	282
Zoning enforcement	282
Considerations for zoning architecture	283
Best practices for zoning	284
Broadcast zones	284
Broadcast zones and Admin Domains	284
Broadcast zones and FC-FC routing	285
High availability considerations with broadcast zones	286
Loop devices and broadcast zones	286
Broadcast zones and default zoning	286
Zone aliases	286
Creating an alias	286
Adding members to an alias	287
Removing members from an alias	287
Deleting an alias	288
Viewing an alias in the defined configuration	288
Zone creation and maintenance	289
Creating a zone	289
Adding devices (members) to a zone	289
Removing devices (members) from a zone	290
Deleting a zone	290
Viewing a zone in the defined configuration	291
Validating a zone	291
Default zoning mode	292
Setting the default zoning mode	292
Viewing the current default zone access mode	293
Zoning database size	293
Zoning configurations	293
Creating a zoning configuration	294
Adding zones (members) to a zoning configuration	294
Removing zones (members) from a zone configuration	295
Enabling a zone configuration	295
Disabling a zone configuration	296
Deleting a zone configuration	296
Clearing changes to a configuration	297
Viewing all zone configuration information	297
Viewing selected zone configuration information	298
Viewing the configuration in the effective zone database	298
Clearing all zone configurations	298
Zone object maintenance	299
Copying a zone object	299
Deleting a zone object	299
Renaming a zone object	300
Zoning configuration management	301
New switch or fabric additions	301
Fabric segmentation and zoning	303
Security and zoning	303
Zone merging scenarios	304
Traffic Isolation Zoning	307
In this chapter	307
Traffic Isolation Zoning overview	307
TI zone failover	308
FSPF routing rules and traffic isolation	310
Enhanced TI zones	312
Traffic Isolation Zoning over FC routers	313
TI within an edge fabric	314
TI within a backbone fabric	315
Limitations of TI zones over FC routers	316
General rules for TI zones	316
Supported configurations for Traffic Isolation Zoning	317
Additional configuration rules for enhanced TI zones	318
Trunking with TI zones	318
Limitations and restrictions of Traffic Isolation Zoning	318
Admin Domain considerations for Traffic Isolation Zoning	319
Virtual Fabric considerations for Traffic Isolation Zoning	319
Traffic Isolation Zoning over FC routers with Virtual Fabrics	321
Creating a TI zone	322
Creating a TI zone in a base fabric	324
Modifying TI zones	324
Changing the state of a TI zone	325
Deleting a TI zone	326
Displaying TI zones	326
Setting up TI over FCR (sample procedure)	327
Administering NPIV	331
In this chapter	331
NPIV overview	331
Upgrade considerations	332
Fixed addressing mode	332
10-bit addressing mode	332
Configuring NPIV	333
Enabling and disabling NPIV	334
Viewing NPIV port configuration information	334
Viewing virtual PID login information	336
Interoperability for Merged SANs	337
In this chapter	337
Interoperability overview	337
Connectivity solutions	338
Domain ID offset modes	339
Configuring the Domain_ID offset	341
McDATA Fabric mode configuration restrictions	341
McDATA Open Fabric mode configuration restrictions	342
Interoperability support for logical switches	342
Switch configurations for interoperability	343
Enabling McDATA Open Fabric mode	343
Enabling McDATA Fabric mode	344
Enabling Brocade Native mode	345
Zone management in interoperable fabrics	346
Zoning restrictions	346
Zone name restrictions	347
Zoning modes	347
Setting the safe zone mode on a stand-alone switch	348
Setting the safe zone mode fabric-wide	348
Disabling safe zone mode	348
Effective zone configuration	349
Saving the effective zone configuration to the Defined Database	349
Frame Redirection in interoperable fabrics	350
Traffic Isolation zones in interoperable fabrics	350
Brocade SANtegrity implementation in mixed fabric SANS	351
Fabric OS Layer 2 Fabric Binding	351
E_Port authentication between Fabric OS and M-EOS switches	351
Switch authentication policy	353
Dumb switch authentication	355
Authentication of EX_Port, VE_Port, and VEX_Port connections	356
Authentication of VE_Port-to-VE_Port connections	357
Authentication of VEX_Port-to-VE_Port connections	360
Authentication of VEX_Port-to-VEX_Port connections	361
FCR SANtegrity	361
Fabric Binding behavior in a mixed fabric	362
Translate domains do not have Preferred or Insistent Domain ID behavior.	362
Configuring the preferred domain ID and the insistent domain ID	362
FICON implementation in a mixed fabric	363
Fabric OS version change restrictions in an interoperable environment	363
Coordinated Hot Code Load	364
Bypassing the Coordinated HCL check on firmware download	364
Coordinated HCL on switches firmware downloads	365
Upgrade and downgrade considerations for HCL for interoperability	365
McDATA-aware features	365
McDATA-unaware features	366
M-EOS feature limitations in mixed fabrics	368
Supported hardware in an interoperable environment	369
Supported features in an interoperable environment	371
Unsupported features in an interoperable environment	374
Managing Administrative Domains	375
In this chapter	375
Administrative Domains overview	375
Admin Domain features	377
Requirements for Admin Domains	377
Admin Domain access levels	378
User-defined Administrative Domains	378
System-defined Administrative Domains	378
Admin Domains and login	380
Admin Domain member types	381
Admin Domains and switch WWN	382
Admin Domain compatibility, availability, and merging	384

Match case Limit results 1 per page

Fabric OS Administrator’s Guide

523

53-1001763-01

FIPS mode configuration

The results of all self-tests, for both power-up and conditional, are recorded in the system log or are

output to the local console. This includes logging both passing and failing results. Refer to the

Fabric OS Troubleshooting and Diagnostics Guide

for instructions on how to recover if your system

cannot get out of the conditional test mode.

FIPS mode configuration

By default, the switch comes up in non-FIPS mode. You can run the

fipsCfg

enable fips

command

to enable FIPS mode, but you need to configure the switch first. Self-tests mode must be enabled

before FIPS mode can be enabled. A set of prerequisites as mentioned in the table below must be

satisfied for the system to enter FIPS mode. To be FIPS-compliant, the switch must be rebooted.

KATs are run on the reboot. If the KATs are successful, the switch enters FIPS mode. If KATs fail,

then the switch reboots until the KATs succeed. If the switch cannot enter FIPS mode and

continues to reboot, you must access the switch in single-user mode to break the reboot cycle. For

more information on how to fix this issue, refer to the

Fabric OS Troubleshooting and Diagnostics

Guide

Only FIPS-compliant algorithms are run at this stage.

Table 103

lists the Fabric OS feature and their

behavior in FIPS and non-FIPS mode.

TABLE 103

FIPS mode restrictions

Features

FIPS mode

Non-FIPS mode

Configupload/ download/

supportsave/

firmwaredownload

SCP only

FTP and SCP

DH-CHAP/FCAP hashing

algorithms

SHA-1

MD5 and SHA-1

HTTP/HTTPS access

HTTPS only

HTTP and HTTPS

HTTPS protocol/algorithms

TLS/AES128 cipher suite

(SSL will no longer be

supported)

IPsec

For FCIP IPSec the DH group 1 is

FIPS-compliant and is not blocked. Usage of

AES-XCBC, MD5 and DH group 0 and 1 are

blocked.

For IPSec (Ethernet), only MD5 is blocked in

FIPS mode.

No restrictions

Radius auth protocols

PEAP-MSCHAPv2

CHAP, PAP, PEAP-MSCHAPv2

Root account

Disabled

Enabled

RPC/secure RPC access

Secure RPC only

RPC and secure RPC

Secure RPC protocols

TLS - AES128 cipher suite

SSL and TLS – all cipher suites

Signed firmware

Mandatory firmware signature validation.

Optional firmware signature

validation

SNMP

Read-only operations

Read and write operations

SSH algorithms

HMAC-SHA1 (mac)

3DES-CBC, AES128-CBC, AES192-CBC,

AES256-CBC (cipher suites)

No restrictions

Telnet/SSH access

Only SSH

Telnet and SSH