FIPS Support
In this appendix
FIPS overview
Federal information processing standards (FIPS) specify the security standards to be satisfied by a
cryptographic module utilized in Fabric OS v6.0.0 and later to protect sensitive information in the
switch. As part of FIPS 140-2 level 2, compliance passwords, shared secrets, and the private keys
used in SSL, TLS, and system login need to be cleared out or zeroized. Before enabling FIPS
compliance mode, a power-on self test (POST) is executed when the switch is powered on to check
for the consistency of the algorithms implemented in the switch. Known-answer tests (KATs) are
used to exercise various features of the algorithm and their results are displayed on the console for
your reference. Conditional tests are performed whenever an RSA key pair is generated. These
tests verify the randomness of the deterministic random number generator (DRNG) and
non-deterministic random number generator (non-DRNG). They also verify the consistency of RSA
keys with regard to signing and verification and encryption and decryption.
ATTENTION
FIPS mode, when enabled, is a chassis-wide setting that affects all logical switches. Once enabled,
FIPS mode cannot be disabled.
Zeroization functions
Explicit zeroization can be done at the discretion of the security administrator. These functions
clear the passwords and the shared secrets.
will be zeroized in a FIPS-compliant Fabric OS module.
TABLE 85
Keys
DH private keys
FCAP private key
Fabric OS Administrator's Guide
53-1002446-01
•
FIPS overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
•
Zeroization functions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
•
FIPS mode configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
•
Preparing the switch for FIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Zeroization behavior
Zeroization CLI
No command required
secCertUtil delete --fcapall
-nowarn
Table 85
lists the various keys used in the system that
Description
Keys will be zeroized within code before they are
released from memory.
The secCertUtil delete --fcapall command removes
all FCAP certificates and FCAP private keys.
Appendix
C
521