HP AE370A HP StorageWorks Fabric OS 6.x administrator guide (5697-0015, May 20 - Page 177
FIPS Support
Federal Information Processing Standards (FIPS) specify the security standards that a cryptographic module must satisfy when it is used within a security system to protect sensitive information in computer and telecommunication systems. For more information about FIPS, refer to "Configuring advanced security features" on page 17.

The 6.0 firmware is digitally signed using the OpenSSL utility to provide FIPS support. To use the digitally signed software, you need to configure the switch to enable Signed Firmwaredownload. If it is not enabled, the firmware download process ignores the firmware signature and works as before. If Signed Firmwaredownload is enabled and the validation succeeds, the firmware download process proceeds normally. If the firmware is not signed, or if the signature validation fails, firmwaredownload fails. Therefore, when you are downgrading to 5.3.0, you need to disable Signed Firmwaredownload. To enable or disable FIPS, refer to "Configuring advanced security features" on page 17.

Public and private key management

For signed firmware, we use RSA with a 1024-bit key pair. The Fabric OS requires a private key to sign the firmware files. During firmwareDownload, the process requires the public key to validate the signatures of the firmware files, so the public key needs to be stored on the switch beforehand. The following describes how the key pairs are managed for the current and future releases.

The switch manufacturer generates one private and public key pair. These keys are stored in the privatekey.pem and pubkey.pem files, respectively. The private key file is used to sign the firmware files. The public key file is packaged in an RPM package as part of the firmware and is downloaded to the switch. After it is downloaded, it can be used to validate the firmware to be downloaded next time. The public key file on the switch contains only one public key.
It is only able to validate firmware signed using the one corresponding private key. If the private key changes in a future release, you change the public key on the switch by one of the following methods:

a. By using firmwareDownload. If the public key file on the switch has not been modified after it is installed, then when a new firmware is downloaded, firmwareDownload always replaces the public key file on the switch with the one in the new firmware. This allows you to have planned firmware key changes.

b. By using the firmwarekey command. This command retrieves a specified public key file from a specific server location and replaces the one on the switch.

c. Refer to the latest Fabric OS release notes for information regarding firmware versions and their corresponding public key files.

If the public key file has been modified using the firmwarekey command, firmwareDownload will not replace this file in subsequent downloads, because it treats the change as intentional. The user then needs to use the firmwarekey command for subsequent updates of this file.

A different firmware key pair will be created for digitally signed firmware releases. The private key file for the digitally signed firmware releases will be used to sign released firmware, and the public key file will be packaged inside these digitally signed firmware releases.

NOTE: If FIPS is enabled, all logins should be done through SSH or direct serial, and the transfer protocol should be SCP.

To update the firmwarekey:

1. Log in to the switch as admin.

2. Type the firmwarekeyupdate command.

Fabric OS 6.x administrator guide 177
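The signing and public-key replacement rules described above, as an added Python model that is not part of the HP guide or of Fabric OS: the tiny textbook RSA keys, the `Switch` class, the `build` firmware bundles and the version strings are constructed assumptions for illustration, standing in for the OpenSSL-signed 1024-bit keys the guide describes. The walk-through covers a planned key rotation carried by a firmware image, a tampered image, an operator-installed key that later downloads must not overwrite, and the unsigned 5.3.0 downgrade that only succeeds once Signed Firmwaredownload is disabled.

```python
import hashlib
from math import gcd

def keygen(p, q, e=65537):
    """Toy RSA key pair from two known primes -> (e, n, d). CONSTRUCTED for the demo only."""
    assert gcd(e, (p - 1) * (q - 1)) == 1
    return e, p * q, pow(e, -1, (p - 1) * (q - 1))

def digest(image, n):
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % n

def sign(image, key):                     # vendor side, the privatekey.pem role
    return pow(digest(image, key[1]), key[2], key[1])

def verify(image, sig, pub):              # switch side, the pubkey.pem role
    return pow(sig, pub[0], pub[1]) == digest(image, pub[1])

class Switch:                             # assumed model of switch state, not Fabric OS code
    def __init__(self, pub, signed_download):
        self.pub, self.key_modified, self.signed_download, self.version = pub, False, signed_download, "6.0"

    def firmwarekey(self, pub):           # operator-installed key: the change is intentional
        self.pub, self.key_modified = pub, True

    def firmwaredownload(self, fw):
        if self.signed_download and (fw["sig"] is None or not verify(fw["image"], fw["sig"], self.pub)):
            return "failed"               # unsigned image or signature validation failed
        self.version = fw["version"]
        if fw["pub"] and not self.key_modified:
            self.pub = fw["pub"]          # planned key change rides along with the firmware
        return "ok"

def build(version, key=None):             # constructed bundle; key=None means an unsigned pre-6.0 image
    image = f"FOS {version} image".encode()
    return {"version": version, "image": image,
            "sig": sign(image, key) if key else None, "pub": key[:2] if key else None}

def scenario():
    k1, k2, k3 = keygen(2**31 - 1, 2**61 - 1), keygen(2**89 - 1, 2**61 - 1), keygen(2**89 - 1, 2**31 - 1)
    sw = Switch(pub=k1[:2], signed_download=True)
    r = [sw.firmwaredownload(dict(build("6.0.1", k1), pub=k2[:2]))]  # signed with k1, ships k2: planned rotation
    r.append(sw.firmwaredownload(build("6.1.0", k2)))                 # now validates under the replaced key
    fw = build("6.1.1", k2); fw["image"] = b"altered after signing"   # tampered image
    r.append(sw.firmwaredownload(fw))                                 # signature no longer matches
    sw.firmwarekey(k3[:2])                                            # operator takes over the key
    r.append(sw.firmwaredownload(dict(build("6.2.0", k3), pub=k2[:2])))  # ok, but the bundled key is ignored
    r.append(sw.firmwaredownload(build("5.3.0")))                     # unsigned downgrade is rejected...
    sw.signed_download = False
    r.append(sw.firmwaredownload(build("5.3.0")))                     # ...until Signed Firmwaredownload is off
    return r, sw.pub == k3[:2], sw.version
```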