HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.1.x administrator guide (5697 - Page 135

Table 39 Fabric merges with tolerant/absent combinations Fabric-wide consistency policy setting Fabric A Fabric B Expected behavior Tolerant/Absent SCC;DCC DCC SCC;DCC SCC DCC SCC Error message logged. Run fddCfg --fabwideset "" from any switch with the desired configuration to fix the conflict. The secPolicyActivate command is blocked until conflict is resolved. FIPS support Federal information processing standards (FIPS) specifies the security standards to be satisfied by a cryptographic module utilized in the Fabric OS to protect sensitive information in the switch. As part of FIPS 140-2 level 2 compliance passwords, shared secrets and the private keys used in SSL, TLS, and system login need to be cleared out or zeroized. Power-up self tests are executed when the switch is powered on to check for the consistency of the algorithms implemented in the switch. KATs are used to exercise various features of the algorithm and their results are displayed on the console for your reference. Conditional tests are performed whenever RSA key pair is generated. These tests verify the randomness of the deterministic and non-deterministic random number generator (DRNG and non-DRNG). They also verify the consistency of RSA keys with regard to signing and verification and encryption and decryption. Zeroization functions Explicit zeroization can be done at the discretion of the security administrator. These functions clear the passwords and the shared secrets. The following table lists the various keys used in the system that will be zeroized in a FIPS compliant FOS module. Table 40 Zeroization behavior Keys Zeroization CLI Description DH Private keys No CLI required FCSP Challenge Handshake Authentication Protocol (CHAP) Secret secauthsecret --remove FCAP Private Key pkiremove SSH Session Key No CLI required SSH RSA private Key No CLI required RNG Seed Key No CLI required Passwords passwddefault fipscfg --zeroize Keys will be zeroized within code before they are released from memory. The secauthsecret -remove is used to remove/zeroize the keys. The pkicreate command creates the keys, and 'pkiremove' removes/zeroizes the keys. This is generated for each SSH session that is established to and from the host. It automatically zeroizes on session termination. Key based SSH authentication is not used for SSH sessions. /dev/urandom is used as the initial source of seed for RNG. RNG seed key is zeroized on every random number generation. This will remove user defined accounts in addition to default passwords for the root, admin, and user default accounts. However only root has permissions for this command. So securityadmin and admin roles need to use fipscfg --zeroize which in addition to removing user accounts and resetting passwords, also does the complete zerioization of the system. Fabric OS 6.1.x administrator guide 135