Updating The Firmwarekey - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

HP StorageWorks Fabric OS 6.1.1 administrator guide (5697-0235, December 2009)

The switch manufacturer generates one private and public key pair. The two keys are stored in the
privatekey.pem and pubkey.pem files, respectively. The private key file is used to sign the firmware files. The
public key file is packaged in an RPM package as part of the firmware and is downloaded to the
switch with it. Once on the switch, it is used to validate the next firmware that is downloaded.
The public key file on the switch contains only one public key, so it can validate only firmware signed
with the one corresponding private key. If the private key changes in a future release, you can change the
public key on the switch by one of the following methods:
a. By using firmwareDownload. If the public key file on the switch has not been modified since it was
installed, then when new firmware is downloaded, firmwareDownload always replaces the public
key file on the switch with the one in the new firmware. This allows you to have planned firmware
key changes.
b. By using the firmwarekey command. This command retrieves a specified public key file from a
specific server location and replaces the one on the switch. For easy access, the information
regarding firmware versions and their corresponding public key files should be documented in the
release notes or stored in a known location on the HP website.
c. If the public key file has been modified using the firmwarekey command, firmwareDownload will
not replace this file in subsequent downloads because it treats the change as intentional. The
user will need to use the firmwarekey command for subsequent updates of this file.
A different firmware key pair will be created for digitally-signed firmware releases. The private key file for
the digitally-signed firmware releases will be used to sign released firmware, and the public key file will be
packaged inside these digitally signed firmware releases.
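
The single-key behavior described above, as an added example that is not part of the HP guide: a constructed vendor key rotation run locally with openssl. The RSA keys, detached SHA-256 signatures, and all file names other than privatekey.pem and pubkey.pem are assumptions for illustration, not the actual Fabric OS signing format.

```shell
# Constructed demo. RSA keys and detached SHA-256 signatures are assumptions,
# not the real Fabric OS signing format.

# make_keypair DIR: write DIR/privatekey.pem and DIR/pubkey.pem
make_keypair() {
    mkdir -p "$1" &&
    openssl genrsa -out "$1/privatekey.pem" 2048 2>/dev/null &&
    openssl rsa -in "$1/privatekey.pem" -pubout -out "$1/pubkey.pem" 2>/dev/null
}

# sign_fw PRIVKEY FILE SIG: vendor side, sign a firmware file
sign_fw() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_fw PUBKEY FILE SIG: switch side, exit 0 only if SIG validates
verify_fw() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# check LABEL PUBKEY FILE SIG: print LABEL=ok or LABEL=rejected
check() {
    if verify_fw "$2" "$3" "$4"; then printf '%s=ok' "$1"
    else printf '%s=rejected' "$1"; fi
}

# Runs in a subshell so the temporary directory and variables stay local.
demo_key_rotation() (
    d=$(mktemp -d) || exit 1
    make_keypair "$d/old" && make_keypair "$d/new" || exit 1
    printf 'constructed firmware image A\n' > "$d/fw_a.bin"
    printf 'constructed firmware image B\n' > "$d/fw_b.bin"
    sign_fw "$d/old/privatekey.pem" "$d/fw_a.bin" "$d/fw_a.sig"
    sign_fw "$d/new/privatekey.pem" "$d/fw_b.bin" "$d/fw_b.sig"

    # The switch holds exactly one public key: initially the old one.
    sw="$d/switch_pubkey.pem"
    cp "$d/old/pubkey.pem" "$sw"
    r="$(check a "$sw" "$d/fw_a.bin" "$d/fw_a.sig")"
    r="$r $(check b "$sw" "$d/fw_b.bin" "$d/fw_b.sig")"

    # Key update: the new public key replaces the old one, so firmware
    # signed with the previous private key no longer validates.
    cp "$d/new/pubkey.pem" "$sw"
    r="$r $(check b_after_update "$sw" "$d/fw_b.bin" "$d/fw_b.sig")"
    r="$r $(check a_after_update "$sw" "$d/fw_a.bin" "$d/fw_a.sig")"
    rm -rf "$d"
    printf '%s\n' "$r"
)

demo_key_rotation
```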
NOTE:
If FIPS is enabled, all logins should be done through SSH or direct serial and the transfer protocol
should be SCP.

Updating the firmwarekey

To update the firmwarekey:
1. Log in to the switch as admin.
2. Issue the firmwareKeyUpdate command.
3. Respond to the prompts as follows:

   Server Name or IP Address
       Enter the name or IP address of the FTP server, or SSH server for SCP, where
       the firmwarekey file is stored; for example, 192.1.2.3.

   Download from USB
       Optional: -U (upper case) Specify this option if you want to download from
       the USB device attached to the active CP.

   Network protocol
       Specify the file transfer protocol used to download the firmware from the file
       server. Valid values are FTP and SCP. The values are not case-sensitive. If
       -p is not specified, firmwareKeyUpdate will determine the protocol
       automatically by checking the config.security parameter on the switch.

   User name
       Enter the user name of your account on the server; for example, JaneDoe.

   File name
       Specify the fully qualified path name of the firmware directory, for example,
       /pub/firmwarekey/pubkey.pem,12345. Absolute path names may be
       specified using forward slashes (/).

   Password
       Enter a password. This operand can be omitted if firmware is accessible
       through USB or if no password is required by the FTP server. This operand is
       required when accessing an SSH server.