HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.2 administrator guide (5697-0 - Page 158

LDAP in FIPS mode

Get HP StorageWorks 8/80 - SAN Switch PDF manuals and user guides View all HP StorageWorks 8/80 manuals
Add to My Manuals
Save this manual to your list of manuals

Page 158 highlights

Only FIPS-compliant algorithms are run at this stage. Table 43 FIPS mode restrictions Features FIPS mode Non-FIPS mode Root account Telnet/SSH access SSH algorithms Disabled Only SSH • HMAC-SHA1 (mac) • 3DES-CBC, AES128-CBC, AES192-CBC, AES256-CBC (cipher suites) Enabled Telnet and SSH No restrictions HTTP/HTTPS access HTTPS protocol/algorithms HTTPS only TLS/AES128 cipher suite HTTP and HTTPS TLS/AES128 cipher suite (SSL will no longer be supported) RPC/secure RPC access Secure RPC protocols Secure RPC only TLS (AES128 cipher suite) RPC and secure RPC SSL and TLS (all cipher suites) SNMP DH-CHAP/FCAP hashing algorithms Read-only operations SHA-1 Read and write operations MD5 and SHA-1 Signed firmware Mandatory firmware signature validation. Configupload/ download/supports ave/ firmwaredownload SCP only Optional firmware signature validation FTP and SCP IPsec Radius auth protocols Usage of AES-XCBC, MD5, and DH group 0 and 1 is blocked. PEAP-MSCHAPv2 No restrictions CHAP, PAP, PEAP-MSCHAPv2 LDAP in FIPS mode You can configure your Microsoft Active Directory server to use LDAP while in FIPS mode. There is no option provided on the switch to configure TLS ciphers for LDAP in FIPS mode. However, the LDAP client checks whether FIPS mode is set on the switch and uses the FIPS-compliant TLS ciphers for LDAP. If the FIPS mode is not set and the Microsoft Active Directory server is configured for FIPS ciphers, it uses FIPS-compliant ciphers. Table 44 lists the differences between FIPS and non-FIPS modes of operation. Table 44 FIPS and non-FIPS modes of operation FIPS mode non-FIPS mode The CA who issued the Microsoft Active Directory server certificate must be installed on the switch. Configure FIPS compliant TLS ciphers [TDES-168, SHA1 and RSA-1024] on Microsoft Active Directory server. The host needs a reboot for the changes to take effect. There is no mandatory CA certificate installation on the switch. On the Microsoft Active Directory server, there is no configuration of the FIPS compliant TLS ciphers. The switch uses FIPS-compliant ciphers regardless of Microsoft Active Directory server configuration. If the Microsoft Active Directory server is not configured for FIPS ciphers, authentication will still succeed. The Microsoft Active Directory server certificate is validated by the LDAP client. If the CA certificate is not present on the switch, user authentication will fail. The Microsoft Active Directory server certificate is validated if the CA certificate is found on the switch If Microsoft Active Directory server is configured for FIPS ciphers and the switch is in non-FIPS mode, user authentication will succeed. 156 Configuring advanced security features

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158
  • 159
  • 160
  • 161
  • 162
  • 163
  • 164
  • 165
  • 166
  • 167
  • 168
  • 169
  • 170
  • 171
  • 172
  • 173
  • 174
  • 175
  • 176
  • 177
  • 178
  • 179
  • 180
  • 181
  • 182
  • 183
  • 184
  • 185
  • 186
  • 187
  • 188
  • 189
  • 190
  • 191
  • 192
  • 193
  • 194
  • 195
  • 196
  • 197
  • 198
  • 199
  • 200
  • 201
  • 202
  • 203
  • 204
  • 205
  • 206
  • 207
  • 208
  • 209
  • 210
  • 211
  • 212
  • 213
  • 214
  • 215
  • 216
  • 217
  • 218
  • 219
  • 220
  • 221
  • 222
  • 223
  • 224
  • 225
  • 226
  • 227
  • 228
  • 229
  • 230
  • 231
  • 232
  • 233
  • 234
  • 235
  • 236
  • 237
  • 238
  • 239
  • 240
  • 241
  • 242
  • 243
  • 244
  • 245
  • 246
  • 247
  • 248
  • 249
  • 250
  • 251
  • 252
  • 253
  • 254
  • 255
  • 256
  • 257
  • 258
  • 259
  • 260
  • 261
  • 262
  • 263
  • 264
  • 265
  • 266
  • 267
  • 268
  • 269
  • 270
  • 271
  • 272
  • 273
  • 274
  • 275
  • 276
  • 277
  • 278
  • 279
  • 280
  • 281
  • 282
  • 283
  • 284
  • 285
  • 286
  • 287
  • 288
  • 289
  • 290
  • 291
  • 292
  • 293
  • 294
  • 295
  • 296
  • 297
  • 298
  • 299
  • 300
  • 301
  • 302
  • 303
  • 304
  • 305
  • 306
  • 307
  • 308
  • 309
  • 310
  • 311
  • 312
  • 313
  • 314
  • 315
  • 316
  • 317
  • 318
  • 319
  • 320
  • 321
  • 322
  • 323
  • 324
  • 325
  • 326
  • 327
  • 328
  • 329
  • 330
  • 331
  • 332
  • 333
  • 334
  • 335
  • 336
  • 337
  • 338
  • 339
  • 340
  • 341
  • 342
  • 343
  • 344
  • 345
  • 346
  • 347
  • 348
  • 349
  • 350
  • 351
  • 352
  • 353
  • 354
  • 355
  • 356
  • 357
  • 358
  • 359
  • 360
  • 361
  • 362
  • 363
  • 364
  • 365
  • 366
  • 367
  • 368
  • 369
  • 370
  • 371
  • 372
  • 373
  • 374
  • 375
  • 376
  • 377
  • 378
  • 379
  • 380
  • 381
  • 382
  • 383
  • 384
  • 385
  • 386
  • 387
  • 388
  • 389
  • 390
  • 391
  • 392
  • 393
  • 394
  • 395
  • 396
  • 397
  • 398
  • 399
  • 400
  • 401
  • 402
  • 403
  • 404
  • 405
  • 406
  • 407
  • 408
  • 409
  • 410
  • 411
  • 412
  • 413
  • 414
  • 415
  • 416
  • 417
  • 418
  • 419
  • 420
  • 421
  • 422
  • 423
  • 424
  • 425
  • 426
  • 427
  • 428
  • 429
  • 430
  • 431
  • 432
  • 433
  • 434
  • 435
  • 436
  • 437
  • 438
  • 439
  • 440
  • 441
  • 442
  • 443
  • 444
  • 445
  • 446
  • 447
  • 448
  • 449
  • 450
  • 451
  • 452
  • 453
  • 454
  • 455
  • 456
  • 457
  • 458
  • 459
  • 460
  • 461
  • 462
  • 463
  • 464
  • 465
  • 466
  • 467
  • 468
  • 469
  • 470
  • 471
  • 472
  • 473
  • 474
  • 475
  • 476
  • 477
  • 478
  • 479
  • 480
  • 481
  • 482
  • 483
  • 484
  • 485
  • 486
  • 487
  • 488
  • 489
  • 490
  • 491
  • 492
  • 493
  • 494
  • 495
  • 496
  • 497
  • 498
  • 499
  • 500
  • 501
  • 502
  • 503
  • 504
  • 505
  • 506
  • 507
  • 508
  • 509
  • 510
  • 511
  • 512
  • 513
  • 514
  • 515
  • 516
  • 517
  • 518
  • 519
  • 520
  • 521
  • 522
  • 523
  • 524
  • 525
  • 526
  • 527
  • 528
  • 529
  • 530
  • 531
  • 532
  • 533
  • 534
  • 535
  • 536
  • 537
  • 538
  • 539
  • 540
  • 541
  • 542
  • 543
  • 544
  • 545
  • 546
  • 547
  • 548
  • 549
  • 550
  • 551
  • 552
  • 553
  • 554
  • 555
  • 556
  • 557
  • 558
  • 559
  • 560
  • 561
  • 562
  • 563
  • 564
  • 565
  • 566
  • 567
  • 568
  • 569
  • 570
  • 571
  • 572
  • 573
  • 574
  • 575
  • 576
156
Configuring advanced security features
Only FIPS-compliant algorithms are run at this stage.
LDAP in FIPS mode
You can configure your Microsoft Active Directory server to use LDAP while in FIPS mode. There is no
option provided on the switch to configure TLS ciphers for LDAP in FIPS mode. However, the LDAP client
checks whether FIPS mode is set on the switch and uses the FIPS-compliant TLS ciphers for LDAP. If the FIPS
mode is not set and the Microsoft Active Directory server is configured for FIPS ciphers, it uses
FIPS-compliant ciphers.
Table 44
lists the differences between FIPS and non-FIPS modes of operation.
Table 43
FIPS mode restrictions
Features
FIPS mode
Non-FIPS mode
Root account
Disabled
Enabled
Telnet/SSH access
Only SSH
Telnet and SSH
SSH algorithms
HMAC-SHA1 (mac)
3DES-CBC, AES128-CBC,
AES192-CBC, AES256-CBC (cipher
suites)
No restrictions
HTTP/HTTPS access
HTTPS only
HTTP and HTTPS
HTTPS
protocol/algorithms
TLS/AES128 cipher suite
TLS/AES128 cipher suite
(SSL will no longer be supported)
RPC/secure RPC
access
Secure RPC only
RPC and secure RPC
Secure RPC protocols
TLS (AES128 cipher suite)
SSL and TLS (all cipher suites)
SNMP
Read-only operations
Read and write operations
DH-CHAP/FCAP
hashing algorithms
SHA-1
MD5 and SHA-1
Signed firmware
Mandatory firmware signature validation.
Optional firmware signature
validation
Configupload/
download/supports
ave/
firmwaredownload
SCP only
FTP and SCP
IPsec
Usage of AES-XCBC, MD5, and DH group
0 and 1 is blocked.
No restrictions
Radius auth protocols
PEAP-MSCHAPv2
CHAP, PAP, PEAP-MSCHAPv2
Table 44
FIPS and non-FIPS modes of operation
FIPS mode
non-FIPS mode
The CA who issued the Microsoft Active Directory
server certificate must be installed on the switch.
There is no mandatory CA certificate installation
on the switch.
Configure FIPS compliant TLS ciphers [TDES-168, SHA1
and RSA-1024] on Microsoft Active Directory server.
The host needs a reboot for the changes to take effect.
On the Microsoft Active Directory server, there is
no configuration of the FIPS compliant TLS
ciphers.
The switch uses FIPS-compliant ciphers regardless of
Microsoft Active Directory server configuration. If the
Microsoft Active Directory server is not configured for
FIPS ciphers, authentication will still succeed.
The Microsoft Active Directory server certificate
is validated if the CA certificate is found on the
switch
The Microsoft Active Directory server certificate is
validated by the LDAP client. If the CA certificate is not
present on the switch, user authentication will fail.
If Microsoft Active Directory server is configured
for FIPS ciphers and the switch is in non-FIPS
mode, user authentication will succeed.