HP A7533A HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, Dece - Page 137

Table 40 Zeroization behavior (continued) Keys Zeroization CLI Passwords passwddefault fipscfg --zeroize TLS private keys seccertutil delkey TLS pre-master secret TLS session key TLS authentication key RADIUS secret No CLI required No CLI required No CLI required aaaconfig --remove Description This will remove user defined accounts in addition to default passwords for the root, admin, and user default accounts. However only root has permissions for this command. So securityadmin and admin roles need to use fipscfg --zeroize, which, in addition to removing user accounts and resetting passwords, also does the complete zerioization of the system. The command seccertutil delkey is used to zeroize these keys. Automatically zeroized on session termination Automatically zeroized on session termination Automatically zeroized on session termination The aaaconfig --remove command zeroizes the secret and deletes a configured server Power-up self tests The self tests are invoked by powering on the switch in FIPS mode and do not require any operator intervention. These power-up self tests perform power-on self-tests. If any KATs fail, the switch goes into a FIPS Error state which reboots the system to start the tests again. If the switch continues to fail the FIPS POST tests, you will need to boot into single-user mode and perform a recovery procedure to reset the switch. For more information on this procedure, see the Fabric OS Troubleshooting and Diagnostics Guide. Conditional tests These tests are for the random number generators and are executed to verify the randomness of the random number generator. The conditional tests are executed each time prior to using the random number provided by the random number generator. The results of all self-tests, for both power-up and conditional, are recorded in the system log or are output to the local console. This includes logging both passing and failing results. See the Fabric OS Troubleshooting and Diagnostics Guide for instructions on how to recover if your system cannot get out of the conditional test mode. FIPS mode By default, the switch comes up in non-FIPS mode. You can run the fipsCfg --enable fips command to enable FIPS mode, but you need to configure the switch first. Self-tests mode must be enabled, before FIPS mode can be enabled. A set of prerequisites as mentioned in Table 41 must be satisfied for the system to enter FIPS mode. To be FIPS-compliant, the switch must be rebooted. KATs are run on the reboot. If the KATs are successful, the switch enters FIPS mode. If KATs fail, the switch reboots until the KATs succeed. If the switch cannot enter FIPS mode and continues to reboot, you must access the switch in single-user mode to break the reboot cycle. For more information on how to fix this issue, see the Fabric OS Troubleshooting and Diagnostics Guide. Only FIPS compliant algorithms are run at this stage. Table 41 FIPS mode restrictions Features FIPS mode Non-FIPS mode Root account Disabled Enabled Telnet/SSH access Only SSH Telnet and SSH Fabric OS 6.1.1 administrator guide 137