HP A7533A HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, Dece - Page 142

Overview of steps 1. Optional: Configure RADIUS server 2. Optional: Configure authentication protocols 3. For LDAP only: Install SSL certificate on Microsoft Active Directory server and CA certificate on the switch for using LDAP authentication. 4. Block Telnet, HTTP, and RPC 5. Disable BootProm access 6. Configure the switch for signed firmware 7. Disable root access 8. Enable FIPS To enable FIPS mode: 1. Log in to the switch using an account assigned the admin or securityAdmin role. 2. Optional: Select the appropriate method based on your needs: • If the switch is set for RADIUS, modify each server to use only peap-mschapv2 as the authentication protocol, issuing the aaaConfig --change or aaaConfig --remove command. • If the switch is set for LDAP, see the instructions in "To set up LDAP for FIPS mode:" on page 139. 3. Optional: Set the authentication protocols. a. Issue the following command to set the hash type for MD5 which is used in authentication protocols DHCHAP and FCAP: authutil --set -h sha1 b. Set the DH group to 1 or 2 or 3 or 4, by issuing the command authUtil --set -g , where the DH group is represented by . 4. Install the LDAP CA certificate on the switch and Microsoft Active Directory server. See the instructions "LDAP certificates for FIPS mode" on page 140. 5. Block Telnet, HTTP, and RPC by issuing the ipfilter policy command. You will need to create an IPFilter policy for each protocol. a. Create an IP filter rule for each protocol, see "Creating an IP Filter policy" on page 124. b. Add a rule to the IP filter policy. You can use the following modifications to the rule: ipfilter --addrule -rule -sip -dp -proto -act where: • -sip option can be given as any • -dp option for the port numbers for Telnet, HTTP, and RPC are 23, 80, and 898 respectively • -proto option should be set to tcp c. Activate the IP filter policy, see "Activating an IP Filter policy" on page 125. d. Save the IP filter policy, see "Saving an IP Filter policy" on page 125. Example: ipfilter --createrule http_block_v4 --type ipv4 ipfilter --addrule http_block_v4 -rule 2 -sip any -dp 80 -proto tcp -act deny ipfilter --activate http_block_v4 ipfilter --save http_block_v4 6. Issue the following command to block access to the boot PROM: fipscfg --disable bootprom Block boot PROM access before disabling root account. 7. Enable signed firmware by issuing the configure command and responding to the prompts as follows: System services No cfgload attributes Yes 142 Configuring advanced security features