FIPS Support; Zeroization Functions; Fabric Merges With Tolerant/Absent Combinations; Zeroization Behavior - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

HP StorageWorks Fabric OS 6.1.x administrator guide (5697-0234, November 2009)
Table 39  Fabric merges with tolerant/absent combinations

Fabric-wide consistency policy setting (Tolerant/Absent):
Fabric A | Fabric B
SCC;DCC  | DCC
SCC;DCC  | SCC
DCC      | SCC

Expected behavior (for each combination above): Error message logged. Run fddCfg --fabwideset "<policy_ID>" from any switch with the desired configuration to fix the conflict. The secPolicyActivate command is blocked until the conflict is resolved.

FIPS support

Federal Information Processing Standards (FIPS) specify the security standards to be satisfied by the cryptographic module that Fabric OS uses to protect sensitive information in the switch. As part of FIPS 140-2 Level 2 compliance, passwords, shared secrets, and the private keys used in SSL, TLS, and system login must be cleared out, or zeroized. Power-up self-tests are executed when the switch is powered on to check the consistency of the algorithms implemented in the switch. Known-answer tests (KATs) exercise various features of each algorithm, and their results are displayed on the console for your reference. Conditional tests are performed whenever an RSA key pair is generated. These tests verify the randomness of the deterministic and non-deterministic random number generators (DRNG and non-DRNG). They also verify the consistency of the RSA keys with regard to signing and verification and encryption and decryption.

Zeroization functions

Explicit zeroization can be performed at the discretion of the security administrator. These functions clear the passwords and the shared secrets. The following table lists the keys used in the system that are zeroized in a FIPS-compliant FOS module.

Table 40  Zeroization behavior

Keys | Zeroization CLI | Description
DH private keys | No CLI required | Keys are zeroized within code before they are released from memory.
FCSP Challenge Handshake Authentication Protocol (CHAP) secret | secauthsecret --remove | The secauthsecret --remove command removes/zeroizes the keys.
FCAP private key | pkiremove | The pkicreate command creates the keys, and pkiremove removes/zeroizes them.
SSH session key | No CLI required | Generated for each SSH session established to and from the host; automatically zeroized on session termination.
SSH RSA private key | No CLI required | Key-based SSH authentication is not used for SSH sessions.
RNG seed key | No CLI required | /dev/urandom is used as the initial source of seed for the RNG. The RNG seed key is zeroized on every random number generation.
Passwords | passwddefault; fipscfg --zeroize | passwddefault removes user-defined accounts and resets the default passwords of the root, admin, and user accounts. However, only root has permission to run this command, so the securityadmin and admin roles must use fipscfg --zeroize, which, in addition to removing user accounts and resetting passwords, also performs a complete zeroization of the system.
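The RSA conditional test from the FIPS support section and the in-code key zeroization from Table 40, as an added illustration that is not Fabric OS code: a toy textbook-RSA key generator that refuses to release a pair failing the pairwise consistency test (sign/verify and encrypt/decrypt round trips), plus an in-place zeroize routine for key material. Function names, the unpadded toy RSA and the 512-bit key size are assumptions made for this example.

```python
import secrets
E = 65537  # public exponent used for every generated key pair (assumed for the example)

def is_probable_prime(n, rounds=40):
    """Miller-Rabin probable-prime test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    """Draw odd candidates with the top bit set until one passes Miller-Rabin."""
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c

def pairwise_consistency(n, e, d):
    """Sign/verify and encrypt/decrypt round trips must both succeed (FIPS 140-2 conditional test)."""
    m = secrets.randbelow(n - 2) + 2               # random test message in [2, n-1]
    sig, ct = pow(m, d, n), pow(m, e, n)
    return pow(sig, e, n) == m and ct != m and pow(ct, d, n) == m

def gen_rsa(bits=512):
    """Generate (n, e, d); the pair is never released if the conditional test fails."""
    p = q = 0
    while p == q or (p - 1) * (q - 1) % E == 0:    # need gcd(e, phi) == 1
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)                            # Python 3.8+ modular inverse
    if not pairwise_consistency(n, E, d):
        raise RuntimeError("pairwise consistency test failed; key pair discarded")
    return n, E, d

def zeroize(buf):
    """Overwrite a bytearray of key material in place before releasing it."""
    buf[:] = bytes(len(buf))                       # CPython may still hold copies elsewhere
    return not any(buf)
```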
Fabric OS 6.1.x administrator guide 135
