HP StorageWorks 8/80 HP StorageWorks Fabric OS 6.2 administrator guide (5697-0 - Page 228

A different firmware key pair is created for digitally signed firmware releases. The private key file for the digitally signed firmware releases is used to sign released firmware, and the public key file is packaged inside these digitally signed firmware releases. NOTE: If FIPS is enabled, all logins should be done through SSH or direct serial and the transfer protocol should be SCP. Updating the firmwarekey 1. Log in to the switch as admin. 2. Enter the firmwareKeyUpdate command. 3. Respond to the prompts as follows: Server Name Enter the name or IP address of the FTP server, or SSH server for SCP, where the or IP Address firmwarekey file is stored; for example, 192.1.2.3. Download from USB Optional: -U (upper case) Specify this option if you want to download from the USB device attached to the active CP. Network protocol Specify the file transfer protocol used to download the firmware from the file server. Valid values are FTP and SCP. The Values are not case-sensitive. If "-p" is not specified, firmwareKeyUpdate will determine the protocol automatically by checking the config.security parameter on the switch. User name Enter the user name of your account on the server; for example, "JaneDoe". File name Specify the fully qualified path name of the firmware directory, for example, /pub/firmwarekey/pubkey.pem,12345. Absolute path names may be specified using forward slashes (/). Password Enter a password. This operand can be omitted if firmware is accessible through USB or if no password is required by the FTP server. This operand is required when accessing an SSH server. The firmwareDownload Command As mentioned previously, the public key file will need to be packaged, installed, and run on your switch before downloading a signed firmware. When firmwareDownload installs a firmware file, it needs to validate the signature of the file. Different scenarios are handled as follows: • If a firmware file does not have a signature, how it is handled depends on the "signed_firmware" parameter on the switch. If it is enabled, firmwareDownload will fail. Otherwise, firmwareDownload will display a warning message and proceed normally. So when downgrading to a non-FIPS compliant firmware, the "signed_firmware" flag needs to be disabled. • If the firmware file has a signature but the validation fails, firmwareDownload will fail. This means the firmware is not from HP for B-Series products or its content has been modified. • If the firmware file has a signature and the validation succeeds, firmwareDownload will proceed normally. Configuring the switch for signed firmware 1. Log in to the switch as admin. 2. Enter the configure command. 3. Respond to the prompts as follows: System Service ssl attributes Default is no; press Enter to select default setting. Default is no; press Enter to select default setting. snmp attributes Default is no; press Enter to select default setting. rpcd attributes Default is no; press Enter to select default setting. 226 Installing and maintaining firmware