Brocade Communications Systems 53-1002745-02 Marine Radio User Manual


  Open as PDF
of 666
 
620 Fabric OS Administrator’s Guide
53-1002745-02
FIPS mode configuration
B
4. Set up LDAP according to the instructions in “LDAP configuration and Microsoft Active
Directory” on page 162, and then perform the following additional Microsoft Active Directory
settings
a. To support FIPS-compliant TLS cipher suites on the Microsoft Active Directory server, allow
the SCHANNEL settings listed in Table 89.
b. Enable the FIPS algorithm policy on the Microsoft Active Directory.
LDAP certificates for FIPS mode
To utilize the LDAP services for FIPS between the switch and the host, you must generate a
certificate signing request (CSR) on the Active Directory server and import and export the CA
certificates. To support server certificate validation, it is essential to have the CA certificate
installed on the switch and Microsoft Active Directory server. Use the secCertUtil command to
import the CA certificate to the switch. This command will prompt for the remote IP and login
credentials to retrieve the CA certificate. The CA certificate should be in any of the standard
certificate formats, “.cer”, ”.crt,” or “.pem”.
LDAP CA certificate file names should not contain spaces when using the secCertUtil command to
import and export the certificate.
Importing an LDAP switch certificate
This procedure imports the LDAP CA certificate from the remote host to the switch.
1. Connect to the switch and log in using an account with admin permissions, or an account with
OM permissions for the PKI RBAC class of commands.
2. Enter the secCertUtil import -ldapcacert command.
Example of importing an LDAP certificate
switch:admin> seccertutil import -ldapcacert
Select protocol [ftp or scp]: scp
Enter IP address: 192.168.38.206
Enter remote directory: /users/aUser/certs
Enter certificate name (must have ".crt" or ".cer" ".pem" suffix):
LDAPTestCa.cer
Enter Login Name: aUser
Password: <hidden>
Success: imported certificate [LDAPTestCa.cer].
TABLE 89 Active Directory keys to modify
Key Sub-key
Ciphers 3DES
Hashes SHA1
Key exchange algorithm PKCS
Protocols TLSv1.0
 previous next