LDAP in FIPS mode - HP StoreFabric SN6500B Administrator's Manual

Fabric OS Administrator's Guide, 7.1.0 (53-1002745-02, March 2013)
B    FIPS mode configuration

FIPS mode restrictions (Continued)

Table 87 lists the differences between FIPS and non-FIPS modes of operation.

TABLE 87    FIPS and non-FIPS modes of operation

Feature                       FIPS mode                                         Non-FIPS mode
IPsec                         Usage of AES-XCBC, MD5, and DH group 1 is         No restrictions
                              blocked.
LDAP CA                       CA certificate must be available.                 CA certificate is optional.
Common certificate for FCAP   Not supported                                     Supported
and HTTPS authentication
RADIUS auth protocols         PEAP-MSCHAPv2                                     CHAP, PAP, PEAP-MSCHAPv2
Root account                  Disabled                                          Enabled
Secure RPC protocols          TLS/AES128 cipher suite                           SSL and TLS: all cipher suites
Signed firmware download      Mandatory firmware signature validation           Optional firmware signature
                              (SCP only)                                        validation (FTP and SCP)
SNMP                          Read-only operations                              Read and write operations
SSH algorithms                MAC: HMAC-SHA1                                    No restrictions
                              Ciphers: 3DES-CBC, AES128-CBC, AES192-CBC,
                              AES256-CBC
SSH public keys               RSA 1024-bit and RSA 2048-bit keys                RSA 1024-bit, RSA 2048-bit, and
                                                                                DSA 1024-bit keys
TACACS+ authentication        Not supported                                     Supported
Telnet/SSH access             SSH only                                          Telnet and SSH

LDAP in FIPS mode

The switch can authenticate users against a Microsoft Active Directory server over the Lightweight Directory Access
Protocol (LDAP) while in FIPS mode. The switch provides no option to choose the TLS ciphers used for LDAP in FIPS
mode; instead, the LDAP client checks whether FIPS mode is enabled on the switch and, when it is, offers only
FIPS-compliant TLS ciphers. When FIPS mode is not enabled but the Microsoft Active Directory server is configured
for FIPS ciphers, the connection still negotiates FIPS-compliant ciphers. Table 88 compares LDAP behavior in FIPS
and non-FIPS modes.

TABLE 88

FIPS mode                                               Non-FIPS mode
The certificate of the CA that issued the Microsoft     There is no mandatory CA certificate installation
Active Directory server certificate must be             on the switch.
installed on the switch.

Configure FIPS-compliant TLS ciphers (TDES-168,         On the Microsoft Active Directory server, there is
SHA1, and RSA-1024) on the Microsoft Active             no configuration of the FIPS-compliant TLS ciphers.
Directory server. The host needs a reboot for the
changes to take effect.

The switch uses FIPS-compliant ciphers regardless of    If the Microsoft Active Directory server is
the Microsoft Active Directory server configuration.    configured for FIPS ciphers and the switch is in
If the server is not configured for FIPS ciphers,       non-FIPS mode, user authentication succeeds.
authentication still succeeds.

The Microsoft Active Directory server certificate is    The Microsoft Active Directory server certificate is
validated by the LDAP client. If the CA certificate     validated only if the CA certificate is found on the
is not present on the switch, user authentication       switch.
fails.

Two points in Table 88 matter in practice. In non-FIPS mode the server certificate is checked only when a CA
certificate happens to be installed, so a switch without one accepts any certificate and an attacker who can
redirect the LDAP connection can capture the bind credentials; install the CA certificate in both modes. The
TDES-168, SHA1 and RSA-1024 parameters are the ones this 7.1.0 guide specifies for the Active Directory side;
NIST SP 800-131A has since disallowed RSA-1024 signatures and deprecated TDES, so check the release notes of the
Fabric OS version actually deployed before configuring the server to those values.
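The SSH algorithms, SSH public keys and Telnet/SSH access rows of Table 87 mean that a FIPS-mode switch accepts only CBC ciphers, HMAC-SHA1 and RSA host keys, while current OpenSSH clients no longer offer CBC ciphers by default, so the handshake fails with "no matching cipher found". The following Python script is an added example, not Fabric OS code or anything from this guide: it parses the keyword/value output of `ssh -G <host>` (the client's effective configuration; the sample below is constructed) and emits an ssh_config Host block that adds only what is missing. The algorithm names are OpenSSH's spellings of the Table 87 entries; the RSA host-key algorithm list, the host name and the use of the `+` append prefix are assumptions of the example.

```python
"""Added example: audit an OpenSSH client against the SSH algorithms a
Fabric OS switch accepts in FIPS mode (Table 87). Not Fabric OS code."""

# Table 87, FIPS mode column, in OpenSSH algorithm spelling.
FIPS_CIPHERS = ("aes256-cbc", "aes192-cbc", "aes128-cbc", "3des-cbc")
FIPS_MACS = ("hmac-sha1",)
# Table 87 allows only RSA keys; these host-key algorithms all carry RSA
# keys. Assumption of this example: the guide does not say which signature
# scheme the switch uses; ssh-rsa (SHA-1) is off by default since OpenSSH 8.8.
RSA_HOSTKEY_ALGS = ("rsa-sha2-512", "rsa-sha2-256", "ssh-rsa")

# Constructed sample of `ssh -G switch01.example.net` output from a current
# OpenSSH client: no CBC cipher is offered, hmac-sha1 still is.
SAMPLE_SSH_G = """\
user admin
hostname switch01.example.net
port 22
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
hostkeyalgorithms ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256
"""


def parse_ssh_g(output):
    """Parse `ssh -G` output (one 'keyword value' per line) into a dict of
    lists; comma-separated values are split. If a keyword repeats, the last
    occurrence wins (ssh -G itself prints each keyword once)."""
    cfg = {}
    for line in output.splitlines():
        key, _, value = line.strip().partition(" ")
        if key and value:
            cfg[key.lower()] = [v for v in value.split(",") if v]
    return cfg


def audit(cfg):
    """Report which offered algorithms a FIPS-mode switch would accept.
    An empty list in any category means the handshake would fail."""
    return {
        "usable_ciphers": [c for c in cfg.get("ciphers", []) if c in FIPS_CIPHERS],
        "usable_macs": [m for m in cfg.get("macs", []) if m in FIPS_MACS],
        "usable_hostkey_algs": [h for h in cfg.get("hostkeyalgorithms", [])
                                if h in RSA_HOSTKEY_ALGS],
    }


def fips_host_stanza(host, cfg):
    """Return an ssh_config Host block that adds only the missing pieces.
    The '+' prefix appends to the client's default list for this host only,
    so other hosts keep the stronger defaults. Returns '' if nothing is
    needed."""
    report = audit(cfg)
    lines = [f"Host {host}"]
    if not report["usable_ciphers"]:
        lines.append("    Ciphers +" + ",".join(FIPS_CIPHERS))
    if not report["usable_macs"]:
        lines.append("    MACs +" + ",".join(FIPS_MACS))
    if not report["usable_hostkey_algs"]:
        lines.append("    HostKeyAlgorithms +" + ",".join(RSA_HOSTKEY_ALGS))
    return "\n".join(lines) if len(lines) > 1 else ""


if __name__ == "__main__":
    cfg = parse_ssh_g(SAMPLE_SSH_G)
    print(audit(cfg))
    print(fips_host_stanza(cfg["hostname"][0], cfg))
```

Run it against real output with `ssh -G <switch> | python3 audit.py`-style piping by replacing `SAMPLE_SSH_G` with `sys.stdin.read()`; the stanza it prints is scoped to the one Host entry, which is the least-privilege way to enable legacy CBC ciphers without weakening connections to every other host.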