HP StorageWorks 8/24 HP StorageWorks Fabric OS 6.1.x administrator guide (5697 - Page 137
LDAP in FIPS mode
View all HP StorageWorks 8/24 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 137 highlights
Table 41 FIPS mode restrictions Features FIPS mode Non-FIPS mode RPC/secure RPC access Secure RPC protocols SNMP DH-CHAP/FCAP hashing algorithms Signed firmware Configupload/ download/ supportsave/ firmwaredownload IPsec Radius auth protocols Secure RPC only RPC and secure RPC TLS - AES128 cipher suite Read-only operations SHA-1 SSL and TLS - all cipher suites Read and write operations MD5 and SHA-1 Mandatory firmware signature validation SCP only Optional firmware signature validation FTP and SCP Usage of AES-XCBC, MD5 and DH group 1 No restrictions are blocked PEAP-MSCHAPv2 CHAP, PAP, PEAP-MSCHAPv2 LDAP in FIPS mode You can configure your Microsoft Active Directory server to use LDAP while in FIPS mode. Although, there is no option provided on the switch to configure TLS ciphers for LDAP in FIPS mode. However, the LDAP client checks if FIPS mode is set on the switch and uses the FIPS compliant TLS ciphers for LDAP. If the FIPS mode is not set and the Microsoft Active Directory server is configured for FIPS ciphers, it uses FIPS compliant ciphers. Table 42 lists the differences between FIPS and non-FIPS mode of operation. Table 42 FIPS mode of operation FIPS mode non-FIPS mode The CA who issued the Microsoft Active Directory server certificate must be installed on the switch. There is no mandatory CA certificate installation on the switch. Configure FIPS compliant TLS ciphers [TDES-168, SHA1 and RSA-1024] on Microsoft Active Directory server. The host needs a reboot for the changes to take effect. On the Microsoft Active Directory server, there is no configuration of the FIPS compliant TLS ciphers. The switch uses FIPS-compliant ciphers regardless of Microsoft Active Directory server configuration. If the Microsoft Active Directory server is not configured for FIPS ciphers, authentication will still succeed. The Microsoft Active Directory server certificate is validated if the CA certificate is found on the switch The Microsoft Active Directory server certificate is validated by the LDAP client. If the CA certificate is not present on the switch then user authentication will fail. If Microsoft Active Directory server is configured for FIPS ciphers and the switch is in non-FIPS mode then user authentication will succeed. To set up LDAP for FIPS mode: 1. Set the switch authentication mode and add your LDAP server by using the commands in the example below. Provide the Fully Qualified Domain Name (FQDN) of the Active Directory server for the hostname parameter while configuring LDAP. Fabric OS 6.1.x administrator guide 137