HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.1.x administrator guide (5697 - Page 136

Power-up self tests, Conditional tests, FIPS mode

Get HP StorageWorks 8/80 - SAN Switch PDF manuals and user guides View all HP StorageWorks 8/80 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 136 highlights

Table 40 Zeroization behavior Keys Zeroization CLI TLS private keys seccertutil delkey TLS pre-master secret TLS session key TLS authentication key RADIUS secret No CLI required No CLI required No CLI required aaaconfig --remove Description The command seccertutil delkey is used to zeroize these keys. Automatically zeroized on session termination Automatically zeroized on session termination Automatically zeroized on session termination The aaaconfig --remove zeroizes the secret and deletes a configured server Power-up self tests The self tests are invoked by powering on the switch in FIPS mode and do not require any operator intervention. These power-up self tests perform power-on self-tests. If any KATs fail, the switch goes into a FIPS Error state which reboots the system to start the tests again. If the switch continues to fail the FIPS POST tests, you will need to boot into single-user mode and perform a recovery procedure to reset the switch. For more information on this procedure, refer to the Fabric OS Troubleshooting and Diagnostics Guide. Conditional tests These tests are for the random number generators and are executed to verify the randomness of the random number generator. The conditional tests are executed each time prior to using the random number provided by the random number generator. The results of all self-tests, for both power-up and conditional, are recorded in the system log or are output to the local console. This includes logging both passing and failing results. Refer to the Fabric OS Troubleshooting and Diagnostics Guide for instructions on how to recover if your system cannot get out of the conditional test mode. FIPS mode By default, the switch comes up in non-FIPS mode. You can run the fipsCfg --enable fips command to enable FIPS mode, but you need to confgure the switch first. Self-tests mode must be enabled, before FIPS mode can be enabled. A set of prerequisites as mentioned in the table below must be satisfied for the system to enter FIPS mode. To be FIPS-compliant, the switch must be rebooted. KATs are run on the reboot. If the KATs are successful, the switch enters FIPS mode. If KATs fail, then the switch reboots until the KATs succeed. If the switch cannot enter FIPS mode and continues to reboot, you must access the switch in single-user mode to break the reboot cycle. For more information on how to fix this issue, refer to the Fabric OS Troubleshooting and Diagnostics Guide. Only FIPS compliant algorithms will be run at this stage. Table 41 FIPS mode restrictions Features FIPS mode Non-FIPS mode Root account Telnet/SSH access SSH algorithms HTTP/HTTPS access HTTPS protocol/algorithms Disabled Only SSH HMAC-SHA1 (mac) 3DES-CBC, AES128-CBC, AES192-CBC, AES256-CBC (cipher suites) HTTPS only TLS/AES128 cipher suite Enabled Telnet and SSH No restrictions HTTP and HTTPS TLS/AES128 cipher suite (SSL will no longer be supported) 136 Configuring advanced security features

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
  • 236
  • 237
  • 238
  • 239
  • 240
  • 241
  • 242
  • 243
  • 244
  • 245
  • 246
  • 247
  • 248
  • 249
  • 250
  • 251
  • 252
  • 253
  • 254
  • 255
  • 256
  • 257
  • 258
  • 259
  • 260
  • 261
  • 262
  • 263
  • 264
  • 265
  • 266
  • 267
  • 268
  • 269
  • 270
  • 271
  • 272
  • 273
  • 274
  • 275
  • 276
  • 277
  • 278
  • 279
  • 280
  • 281
  • 282
  • 283
  • 284
  • 285
  • 286
  • 287
  • 288
  • 289
  • 290
  • 291
  • 292
  • 293
  • 294
  • 295
  • 296
  • 297
  • 298
  • 299
  • 300
  • 301
  • 302
  • 303
  • 304
  • 305
  • 306
  • 307
  • 308
  • 309
  • 310
  • 311
  • 312
  • 313
  • 314
  • 315
  • 316
  • 317
  • 318
  • 319
  • 320
  • 321
  • 322
  • 323
  • 324
  • 325
  • 326
  • 327
  • 328
  • 329
  • 330
  • 331
  • 332
  • 333
  • 334
  • 335
  • 336
  • 337
  • 338
  • 339
  • 340
  • 341
  • 342
  • 343
  • 344
  • 345
  • 346
  • 347
  • 348
  • 349
  • 350
  • 351
  • 352
  • 353
  • 354
  • 355
  • 356
  • 357
  • 358
  • 359
  • 360
  • 361
  • 362
  • 363
  • 364
  • 365
  • 366
  • 367
  • 368
  • 369
  • 370
  • 371
  • 372
  • 373
  • 374
  • 375
  • 376
  • 377
  • 378
  • 379
  • 380
  • 381
  • 382
  • 383
  • 384
  • 385
  • 386
  • 387
  • 388
  • 389
  • 390
  • 391
  • 392
  • 393
  • 394
  • 395
  • 396
  • 397
  • 398
  • 399
  • 400
  • 401
  • 402
  • 403
  • 404
  • 405
  • 406
  • 407
  • 408
  • 409
  • 410
  • 411
  • 412
  • 413
  • 414
  • 415
  • 416
  • 417
  • 418
  • 419
  • 420
  • 421
  • 422
  • 423
  • 424
  • 425
  • 426
  • 427
  • 428
  • 429
  • 430
  • 431
  • 432
  • 433
  • 434
  • 435
  • 436
  • 437
  • 438
  • 439
  • 440
  • 441
  • 442
  • 443
  • 444
  • 445
  • 446
  • 447
  • 448
  • 449
  • 450
  • 451
  • 452
  • 453
  • 454
  • 455
  • 456
  • 457
  • 458
  • 459
  • 460
  • 461
  • 462
  • 463
  • 464
  • 465
  • 466
  • 467
  • 468
  • 469
  • 470
  • 471
  • 472
  • 473
  • 474
  • 475
  • 476
  • 477
  • 478
  • 479
  • 480
  • 481
  • 482
  • 483
  • 484
  • 485
  • 486
  • 487
  • 488
  • 489
  • 490
  • 491
  • 492
136
Configuring advanced security features
Power-up self tests
The self tests are invoked by powering on the switch in FIPS mode and do not require any operator
intervention. These power-up self tests perform power-on self-tests. If any KATs fail, the switch goes into a
FIPS Error state which reboots the system to start the tests again. If the switch continues to fail the FIPS POST
tests, you will need to boot into single-user mode and perform a recovery procedure to reset the switch. For
more information on this procedure, refer to the
Fabric OS Troubleshooting and Diagnostics Guide
.
Conditional tests
These tests are for the random number generators and are executed to verify the randomness of the
random number generator. The conditional tests are executed each time prior to using the random number
provided by the random number generator.
The results of all self-tests, for both power-up and conditional, are recorded in the system log or are output
to the local console. This includes logging both passing and failing results.
Refer to the
Fabric OS Troubleshooting and Diagnostics Guide
for instructions on how to recover if your
system cannot get out of the conditional test mode.
FIPS mode
By default, the switch comes up in non-FIPS mode. You can run the fipsCfg
--
enable fips command to
enable FIPS mode, but you need to confgure the switch first. Self-tests mode must be enabled, before FIPS
mode can be enabled. A set of prerequisites as mentioned in the table below must be satisfied for the
system to enter FIPS mode.
To be FIPS-compliant, the switch must be rebooted. KATs are run on the reboot. If the KATs are successful,
the switch enters FIPS mode. If KATs fail, then the switch reboots until the KATs succeed. If the switch cannot
enter FIPS mode and continues to reboot, you must access the switch in single-user mode to break the
reboot cycle. For more information on how to fix this issue, refer to the
Fabric OS Troubleshooting and
Diagnostics Guide
.
Only FIPS compliant algorithms will be run at this stage.
TLS private keys
seccertutil delkey
The command
seccertutil delkey
is used to
zeroize these keys.
TLS pre-master secret
No CLI required
Automatically zeroized on session termination
TLS session key
No CLI required
Automatically zeroized on session termination
TLS authentication key
No CLI required
Automatically zeroized on session termination
RADIUS secret
aaaconfig –-remove
The
aaaconfig --remove
zeroizes the secret
and deletes a configured server
Table 40
Zeroization behavior
Keys
Zeroization CLI
Description
Table 41
FIPS mode restrictions
Features
FIPS mode
Non-FIPS mode
Root account
Disabled
Enabled
Telnet/SSH access
Only SSH
Telnet and SSH
SSH algorithms
HMAC-SHA1 (mac)
3DES-CBC, AES128-CBC, AES192-CBC,
AES256-CBC (cipher suites)
No restrictions
HTTP/HTTPS access
HTTPS only
HTTP and HTTPS
HTTPS
protocol/algorithms
TLS/AES128 cipher suite
TLS/AES128 cipher suite
(SSL will no longer be supported)