Ldap In Fips Mode; Fips Mode Restrictions; Fips And Non-Fips Modes Of Operation - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

HP StorageWorks Fabric OS 6.2 administrator guide (5697-0016, May 2009)

Only FIPS-compliant algorithms are run at this stage.

Table 43 FIPS mode restrictions

Features | FIPS mode | Non-FIPS mode
Root account | Disabled | Enabled
Telnet/SSH access | Only SSH | Telnet and SSH
SSH algorithms | HMAC-SHA1 (mac); 3DES-CBC, AES128-CBC, AES192-CBC, AES256-CBC (cipher suites) | No restrictions
HTTP/HTTPS access | HTTPS only | HTTP and HTTPS
HTTPS protocol/algorithms | TLS/AES128 cipher suite | TLS/AES128 cipher suite (SSL will no longer be supported)
RPC/secure RPC access | Secure RPC only | RPC and secure RPC
Secure RPC protocols | TLS (AES128 cipher suite) | SSL and TLS (all cipher suites)
SNMP | Read-only operations | Read and write operations
DH-CHAP/FCAP hashing algorithms | SHA-1 | MD5 and SHA-1
Signed firmware | Mandatory firmware signature validation | Optional firmware signature validation
Configupload/download/supportsave/firmwaredownload | SCP only | FTP and SCP
IPsec | Usage of AES-XCBC, MD5, and DH group 0 and 1 is blocked | No restrictions
Radius auth protocols | PEAP-MSCHAPv2 | CHAP, PAP, PEAP-MSCHAPv2

LDAP in FIPS mode

You can configure your Microsoft Active Directory server to use LDAP while in FIPS mode. There is no option provided on the switch to configure TLS ciphers for LDAP in FIPS mode. However, the LDAP client checks whether FIPS mode is set on the switch and uses the FIPS-compliant TLS ciphers for LDAP. If FIPS mode is not set and the Microsoft Active Directory server is configured for FIPS ciphers, the LDAP client uses FIPS-compliant ciphers.

Table 44 lists the differences between FIPS and non-FIPS modes of operation.

Table 44 FIPS and non-FIPS modes of operation

FIPS mode: The CA who issued the Microsoft Active Directory server certificate must be installed on the switch.
Non-FIPS mode: There is no mandatory CA certificate installation on the switch.

FIPS mode: Configure FIPS-compliant TLS ciphers [TDES-168, SHA1 and RSA-1024] on the Microsoft Active Directory server. The host needs a reboot for the changes to take effect.
Non-FIPS mode: On the Microsoft Active Directory server, there is no configuration of the FIPS-compliant TLS ciphers.

FIPS mode: The Microsoft Active Directory server certificate is validated by the LDAP client. If the CA certificate is not present on the switch, user authentication will fail.
Non-FIPS mode: The Microsoft Active Directory server certificate is validated if the CA certificate is found on the switch.

FIPS mode: The switch uses FIPS-compliant ciphers regardless of the Microsoft Active Directory server configuration. If the Microsoft Active Directory server is not configured for FIPS ciphers, authentication will still succeed.
Non-FIPS mode: If the Microsoft Active Directory server is configured for FIPS ciphers and the switch is in non-FIPS mode, user authentication will succeed.
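A pre-flight check for the two switch-side requirements in the FIPS column of Table 44 (a server certificate that chains to the CA installed on the switch, and the FIPS-compliant TDES-168/SHA1/RSA cipher), as an added example that is not part of the guide. It assumes you have already captured the text output of `openssl s_client -connect <dc>:636 -CAfile ca.pem` against the Active Directory server; the two transcripts below are constructed, and `DES-CBC3-SHA` is OpenSSL's name for TLS_RSA_WITH_3DES_EDE_CBC_SHA.

```python
"""Pre-flight check for Table 44 (added example, not from the guide): before
enabling FIPS mode, confirm the AD LDAPS endpoint chains to the CA you will
install on the switch and negotiates the RSA/TDES-168/SHA1 suite. Input is a
transcript of `openssl s_client -connect <dc>:636 -CAfile ca.pem` run
beforehand; the transcripts below are constructed, not real captures."""
import re

# OpenSSL name of TLS_RSA_WITH_3DES_EDE_CBC_SHA: the RSA / TDES-168 / SHA1
# suite the guide says to configure on the Active Directory server.
FIPS_LDAP_CIPHERS = {"DES-CBC3-SHA"}

READY = """CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA
    Verify return code: 0 (ok)
"""
NOT_READY = """CONNECTED(00000003)
verify error:num=20:unable to get local issuer certificate
New, TLSv1/SSLv3, Cipher is AES256-SHA
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 20 (unable to get local issuer certificate)
"""

def parse_s_client(transcript):
    """Extract protocol, cipher and chain-verification result."""
    def grab(pattern, default):
        m = re.search(pattern, transcript, re.MULTILINE)
        return m.group(1).strip() if m else default
    return {
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)", ""),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)", ""),
        "verify_code": int(grab(r"Verify return code:\s*(\d+)", "-1")),
        "verify_text": grab(r"Verify return code:\s*\d+\s*\((.*)\)", "unknown"),
    }

def fips_ldap_problems(transcript):
    """Problems that would make switch LDAP authentication fail in FIPS mode;
    an empty list means the server satisfies the Table 44 FIPS column."""
    r = parse_s_client(transcript)
    problems = []
    if r["verify_code"] != 0:  # CA not trusted -> authentication will fail
        problems.append("chain: " + r["verify_text"] + "; install the issuing CA on the switch")
    if r["cipher"] not in FIPS_LDAP_CIPHERS:
        problems.append("cipher: " + r["cipher"] + " is not the FIPS-compliant TDES-168/SHA1/RSA suite")
    return problems
```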
