HP A7533A HP StorageWorks Fabric OS 6.1.x administrator guide (5697-0234, Nove - Page 186
The firmwareDownload command

As mentioned previously, the public key file must be packaged, installed, and run on your switch before you download signed firmware. When firmwareDownload installs a firmware file, it needs to validate the signature of the file. Different scenarios are handled as follows:

a. If a firmware file does not have a signature, how it is handled depends on the "signed_firmware" parameter on the switch. If it is enabled, firmwareDownload will fail. Otherwise, firmwareDownload will display a warning message and proceed normally. So when downgrading to a non-FIPS compliant firmware, the "signed_firmware" flag needs to be disabled.
b. If the firmware file has a signature but the validation fails, firmwareDownload will fail. This means the firmware is not from HP or its content has been modified.
c. If the firmware file has a signature and the validation succeeds, firmwareDownload will proceed normally.

DMM, and Third Party Application images will not be signed.

Configuring the switch for signed firmware

To configure the switch for signed firmware:

1. Log in to the switch as admin.
2. Type the configure command.
3. Respond to the prompts as follows:

   System Service: Default is no; press Enter to select default setting.
   ssl attributes: Default is no; press Enter to select default setting.
   snmp attributes: Default is no; press Enter to select default setting.
   rpcd attributes: Default is no; press Enter to select default setting.
   cfgload attributes: Select Yes. The following questions are displayed:
      Enforce secure config Upload/Download: Select yes
      Enforce signed firmware download: Select yes
   Webtools attributes: Default is no; press Enter to select default setting.
   System: Default is no; press Enter to select default setting.

Power-on firmware checksum test

FIPS requires the checksums of the executables and libraries on the filesystem to be validated before Fabric OS modules are launched. This is to make sure these files have not been changed after they are installed.

When firmware RPM packages are installed during firmwareDownload, the MD5 checksums of the firmware files are stored in the RPM database on the filesystem. The test goes through all of the files in the RPM database, comparing each file's current checksum with the checksum that is stored in the RPM database. If they are different, the command will tell you.

Because the validation may take up to a few minutes, it will not be performed during hot code load. It is only performed after a cold reboot of the switch.

For more information on FIPS, see "Configuring advanced security features" on page 17.
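
The comparison that the power-on test performs, sketched as an added Python example; it is not code from the HP guide or from Fabric OS. A dictionary stands in for the RPM database, and the file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def md5_of(path):
    """Stream a file through MD5, the digest the page says the RPM database stores."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()

def record_manifest(root):
    """Install time: record every file's checksum (stand-in for the RPM database)."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = md5_of(path)
    return manifest

def verify_manifest(root, manifest):
    """Cold boot: walk the recorded entries and compare stored vs. current checksum.
    Files that were never recorded are not examined; only database entries are."""
    findings = []
    for rel, expected in sorted(manifest.items()):
        path = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(path):
            findings.append((rel, "missing"))
        elif md5_of(path) != expected:
            findings.append((rel, "checksum mismatch"))
    return findings

def demo():
    """Constructed tree with hypothetical file names; returns (before, after) findings."""
    sample = {"bin/daemon": b"\x7fELF v1", "lib/libexample.so": b"lib v1",
              "etc/example.conf": b"mode=fips\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        manifest = record_manifest(root)
        before = verify_manifest(root, manifest)
        with open(os.path.join(root, "bin", "daemon"), "ab") as fh:
            fh.write(b"patched")                               # changed after install
        os.remove(os.path.join(root, "etc", "example.conf"))  # removed after install
        return before, verify_manifest(root, manifest)
```

Because the stored checksums live on the same filesystem as the files they describe, a check of this kind shows that files still match what was recorded at install time; it says nothing about whether the recorded values themselves were trustworthy, which is what the signature validation in firmwareDownload covers.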