Fabric OS Administrator's Guide, 53-1002745-02, page 624
Preparing a switch for FIPS (Appendix B)
System services: No
cfgload attributes: Yes
Enforce secure config Upload/Download: Press Enter to accept the default.
Enforce firmware signature validation: Yes
Example
switch:admin> configure
Not all options will be available on an enabled switch.
To disable the switch, use the "switchDisable" command.
Configure...
System services (yes, y, no, n): [no]
cfgload attributes (yes, y, no, n): [no] yes
Enforce secure config Upload/Download (yes, y, no, n): [no]
Enforce firmware signature validation (yes, y, no, n): [no] yes
10. Enter the userConfig --change root -e no command to block access to the root account. By disabling the root account, RADIUS and LDAP users with root permissions are also blocked in FIPS mode.
11. Enter the portCfgEncrypt --disable command to disable in-flight encryption. You must first disable the port.
Example
myswitch:root> portdisable 0
myswitch:root> portcfgencrypt --disable 0
myswitch:root> portenable 0
12. Enter the ipSecConfig --disable command to disable Ethernet IPsec.
13. Disable IPsec for FCIP connections. The procedure depends on the type of extension blade used. For FX8-24 extension blades, enter the portCfg fciptunnel [slot/]port modify -ipsec 0 command.
14. Enter the portCfg --mgmtif delete command to disable in-band management.
15. If TACACS+ authentication, PAP, or CHAP is configured, enter the following command to reset the authentication mode (authspec) to local:
sw0:FID128:root> aaaconfig --authspec local
16. Enter the fipsCfg --enable selftests command to enable KAT and conditional tests on the switch.
17. Enter the fipsCfg --verify fips command to verify the switch is FIPS-ready.
18. Enter the fipsCfg --enable fips command.
19. Reboot the switch. For a director, reboot both CPs.
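The following script is an added example, not part of the guide or of Brocade's own tooling. It automates steps 10 through 18 above over SSH so that the same sequence is applied identically to every switch and every port, and it only issues fipsCfg --enable fips after fipsCfg --verify fips has succeeded. It assumes the switch is reachable over SSH as the admin user and that ssh returns the remote command's exit status (so a failed verify stops the run); the hostname myswitch, the FOS_RUN override used for dry runs, and the function names are constructed for this example. Step 13 (FCIP tunnel IPsec) is blade-specific and is left to the operator, and step 19 (the reboot) is deliberately not automated.

```shell
#!/bin/sh
# Added example: drive steps 10-18 of "Preparing a switch for FIPS" over SSH.
# Assumptions (not from the guide): SSH access as admin, ssh propagating the
# remote exit status, and an optional FOS_RUN command for dry runs.

SWITCH="${SWITCH:-myswitch}"      # constructed hostname; override per switch
FOS_USER="${FOS_USER:-admin}"

# fos_cmd: send one Fabric OS CLI line to the switch. If FOS_RUN is set,
# that command receives the CLI line instead (used for dry runs and tests).
fos_cmd() {
    if [ -n "$FOS_RUN" ]; then
        "$FOS_RUN" "$@"
    else
        ssh "$FOS_USER@$SWITCH" "$*"
    fi
}

# disable_inflight_encryption PORT...: step 11 for each port, in the order the
# guide requires: disable the port, disable encryption, re-enable the port.
disable_inflight_encryption() {
    for p in "$@"; do
        fos_cmd portdisable "$p" &&
        fos_cmd portcfgencrypt --disable "$p" &&
        fos_cmd portenable "$p" || return 1
    done
}

# fips_prepare PORT...: steps 10 through 18. Stops at the first failing
# command, so fipscfg --enable fips is never sent after a failed verify.
# Step 13 (portcfg fciptunnel ... modify -ipsec 0 on FX8-24 blades) depends on
# the installed blade and is not issued here.
fips_prepare() {
    fos_cmd userconfig --change root -e no || return 1   # step 10: block root
    disable_inflight_encryption "$@" || return 1         # step 11, per port
    fos_cmd ipsecconfig --disable || return 1            # step 12: Ethernet IPsec off
    fos_cmd portcfg --mgmtif delete || return 1          # step 14: in-band mgmt off
    fos_cmd aaaconfig --authspec local || return 1       # step 15: local auth only
    fos_cmd fipscfg --enable selftests || return 1       # step 16: KAT/conditional tests
    fos_cmd fipscfg --verify fips || return 1            # step 17: readiness gate
    fos_cmd fipscfg --enable fips || return 1            # step 18
    echo "FIPS enabled on $SWITCH; reboot the switch (both CPs on a director)" >&2
}

# Usage: SWITCH=switch1 ./fips_prepare.sh 0 1 2   (ports whose encryption to clear)
# Dry run: FOS_RUN=echo ./fips_prepare.sh 0 1 2
```

Run it once per switch with the list of ports that have in-flight encryption configured; a dry run with FOS_RUN=echo prints the exact CLI sequence without touching the switch, which is a useful record to attach to the change ticket.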
Zeroizing for FIPS
1. Log in to the switch using an account with admin or securityadmin permissions, or a user account with OM permissions for the FIPSCfg RBAC class of commands.
2. Enter the fipsCfg --zeroize command.