Brocade Communications Systems 53-1001763-02 사용자 설명서
Fabric OS Administrator’s Guide
523
53-1001763-02
FIPS mode configuration
D
The results of all self-tests, for both power-up and conditional, are recorded in the system log or are
output to the local console. This includes logging both passing and failing results. Refer to the
Fabric OS Troubleshooting and Diagnostics Guide for instructions on how to recover if your system
cannot get out of the conditional test mode.
output to the local console. This includes logging both passing and failing results. Refer to the
Fabric OS Troubleshooting and Diagnostics Guide for instructions on how to recover if your system
cannot get out of the conditional test mode.
FIPS mode configuration
By default, the switch comes up in non-FIPS mode. You can run the fipsCfg
--
enable fips command
to enable FIPS mode, but you need to configure the switch first. Self-tests mode must be enabled
before FIPS mode can be enabled. A set of prerequisites as mentioned in the table below must be
satisfied for the system to enter FIPS mode. To be FIPS-compliant, the switch must be rebooted.
KATs are run on the reboot. If the KATs are successful, the switch enters FIPS mode. If KATs fail,
then the switch reboots until the KATs succeed. If the switch cannot enter FIPS mode and
continues to reboot, you must access the switch in single-user mode to break the reboot cycle. For
more information on how to fix this issue, refer to the Fabric OS Troubleshooting and Diagnostics
Guide
before FIPS mode can be enabled. A set of prerequisites as mentioned in the table below must be
satisfied for the system to enter FIPS mode. To be FIPS-compliant, the switch must be rebooted.
KATs are run on the reboot. If the KATs are successful, the switch enters FIPS mode. If KATs fail,
then the switch reboots until the KATs succeed. If the switch cannot enter FIPS mode and
continues to reboot, you must access the switch in single-user mode to break the reboot cycle. For
more information on how to fix this issue, refer to the Fabric OS Troubleshooting and Diagnostics
Guide
Only FIPS-compliant algorithms are run at this stage.
lists the Fabric OS feature and their
behavior in FIPS and non-FIPS mode.
TABLE 103
TABLE 103
FIPS mode restrictions
Features
FIPS mode
Non-FIPS mode
Configupload/ download/
supportsave/
firmwaredownload
supportsave/
firmwaredownload
SCP only
FTP and SCP
DH-CHAP/FCAP hashing
algorithms
algorithms
SHA-1
MD5 and SHA-1
HTTP/HTTPS access
HTTPS only
HTTP and HTTPS
HTTPS protocol/algorithms
TLS/AES128 cipher suite
TLS/AES128 cipher suite
(SSL will no longer be
supported)
(SSL will no longer be
supported)
IPsec
For FCIP IPSec the DH group 1 is
FIPS-compliant and is not blocked. Usage of
AES-XCBC, MD5 and DH group 0 and 1 are
blocked.
For IPSec (Ethernet), only MD5 is blocked in
FIPS mode.
FIPS-compliant and is not blocked. Usage of
AES-XCBC, MD5 and DH group 0 and 1 are
blocked.
For IPSec (Ethernet), only MD5 is blocked in
FIPS mode.
No restrictions
Radius auth protocols
PEAP-MSCHAPv2
CHAP, PAP, PEAP-MSCHAPv2
Root account
Disabled
Enabled
RPC/secure RPC access
Secure RPC only
RPC and secure RPC
Secure RPC protocols
TLS - AES128 cipher suite
SSL and TLS – all cipher suites
Signed firmware
Mandatory firmware signature validation.
Optional firmware signature
validation
validation
SNMP
Read-only operations
Read and write operations
SSH algorithms
HMAC-SHA1 (mac)
3DES-CBC, AES128-CBC, AES192-CBC,
AES256-CBC (cipher suites)
3DES-CBC, AES128-CBC, AES192-CBC,
AES256-CBC (cipher suites)
No restrictions
Telnet/SSH access
Only SSH
Telnet and SSH