Fips Support; Public And Private Key Management - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

HP StorageWorks Fabric OS 6.x administrator guide (5697-0015, May 2009)

FIPS Support

Federal Information Processing Standards (FIPS) specify the security requirements that a
cryptographic module must satisfy when it is used within a security system to protect sensitive
information in computer and telecommunication systems. For more information about FIPS, refer to
"Configuring advanced security features" on page 17.
Fabric OS 6.0 firmware is digitally signed using the OpenSSL utility to provide FIPS support. To use the
digitally signed software, you must configure the switch to enable Signed Firmwaredownload. If it
is not enabled, the firmware download process ignores the firmware signature and works as before.
If Signed Firmwaredownload is enabled and the signature validates, the firmware download
process proceeds normally. If the firmware is not signed, or if the signature validation fails,
firmwaredownload fails. Consequently, before downgrading to 5.3.0 you must disable Signed
Firmwaredownload.
To enable or disable FIPS, refer to "Configuring advanced security features" on page 17.

Public and private key management

Signed firmware uses an RSA key pair with a 1024-bit key length. Fabric OS requires the private key to
sign the firmware files. During firmwareDownload, the process requires the public key to validate the
signatures of the firmware files, so the public key must be stored on the switch beforehand. The
following describes how the key pairs are managed for the current and future releases.
The switch manufacturer generates one private and public key pair. The keys are stored in the
privatekey.pem and pubkey.pem files, respectively. The private key file is used to sign the firmware files. The
public key file is packaged in an RPM package as part of the firmware and is downloaded to the
switch. Once installed, it is used to validate the next firmware to be downloaded.
The public key file on the switch contains only one public key, so it can validate only firmware signed
with the one corresponding private key. If the private key changes in a future release, you change the
public key on the switch by one of the following methods:
a. By using firmwareDownload. If the public key file on the switch has not been modified since it was
installed, firmwareDownload always replaces the public key file on the switch with the one
contained in the new firmware whenever new firmware is downloaded. This allows planned firmware
key changes.
b. By using the firmwarekey command. This command retrieves a specified public key file from a
specified server location and replaces the one on the switch.
c. Refer to the latest Fabric OS release notes for information regarding firmware versions and their
corresponding public key files.
If the public key file has been modified using the firmwarekey command, firmwareDownload does
not replace this file in subsequent downloads, because the change is treated as intentional. You
must then use the firmwarekey command for subsequent updates of this file.
A different firmware key pair is created for digitally signed firmware releases. The private key file for
the digitally signed firmware releases is used to sign released firmware, and the corresponding public key file is
packaged inside these digitally signed firmware releases.
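The signing and validation flow described above, together with the rule that firmwareDownload replaces the on-switch public key only when firmwarekey has not modified it, as an added example that is not part of this guide or of Fabric OS itself. It uses the openssl command line, since the guide states the firmware is signed with the OpenSSL utility. The file names privatekey.pem and pubkey.pem come from the guide; the firmware image and signature file names, the pubkey.manual marker file, the SHA-256 digest, and the shell function names are assumptions made for this demonstration, and the functions model the decision logic the guide describes rather than the switch's real implementation. The 1024-bit RSA length is kept only to match the document; it has been below the NIST minimum for signature generation (2048 bits) since 2013.

```shell
#!/bin/sh
# Added example, not from the Fabric OS guide: models signed firmware download
# with the openssl CLI. privatekey.pem/pubkey.pem, firmwareDownload and
# firmwarekey are from the guide; everything else named here is an assumption.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

gen_keypair() {   # $1 = private key path, $2 = public key path (RSA-1024 per the guide)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:1024 -out "$1" 2>/dev/null
  openssl pkey -in "$1" -pubout -out "$2"
}

sign_firmware() { # manufacturer side: $1 = image, $2 = private key, $3 = signature out
  openssl dgst -sha256 -sign "$2" -out "$3" "$1"       # SHA-256 is an assumption
}

verify_firmware() { # switch side: $1 = image, $2 = on-switch public key, $3 = signature
  [ -f "$3" ] || return 1                               # unsigned image: no signature file
  openssl dgst -sha256 -verify "$2" -signature "$3" "$1" >/dev/null 2>&1
}

# firmwarekey: the operator installs a public key by hand; the marker records
# that the change was intentional so later downloads do not overwrite it.
firmwarekey() {   # $1 = public key file to install on the switch
  cp "$1" pubkey.pem
  : > pubkey.manual
}

# firmwareDownload: $1 = image, $2 = signature, $3 = public key bundled with the
# new firmware, $4 = "enabled" | "disabled" for Signed Firmwaredownload.
firmware_download() {
  if [ "$4" = "enabled" ]; then
    verify_firmware "$1" pubkey.pem "$2" || return 1   # missing or bad signature: fail
  fi
  # Planned key change: replace the on-switch key unless firmwarekey modified it.
  [ -f pubkey.manual ] || cp "$3" pubkey.pem
  return 0
}

# Constructed sample: release A is signed with key A and ships key B, the key
# the following release B will be signed with.
gen_keypair privatekey.pem pubkey.pem          # key A; pubkey.pem is installed on the switch
cp pubkey.pem pubkey_a.pem                     # keep a copy of key A's public half
gen_keypair privatekey_b.pem pubkey_b.pem      # key B for the next release
printf 'fabric-os 6.0 image (constructed sample)\n'  > firmware_a.bin
printf 'fabric-os next image (constructed sample)\n' > firmware_b.bin
sign_firmware firmware_a.bin privatekey.pem   firmware_a.sig
sign_firmware firmware_b.bin privatekey_b.pem firmware_b.sig
```

Calling firmware_download on firmware_a.bin with Signed Firmwaredownload enabled succeeds and rolls pubkey.pem to key B, after which firmware_b.bin validates and firmware_a.bin no longer does; a tampered image or a missing signature fails only while validation is enabled, and once firmwarekey has installed a key, a later download leaves that key in place.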
NOTE:
If FIPS is enabled, all logins should be made through SSH or the direct serial connection, and the
file transfer protocol should be SCP.
To update the firmwarekey:
1. Log in to the switch as admin.
2. Type the firmwarekeyupdate command.
Fabric OS 6.x administrator guide 177
This manual is also suitable for:

AE370A - Brocade 4Gb SAN Switch 4/12