Roles And Services; Crypto Officer Role - Dell PowerConnect W-Series FIPS Supplement Manual

Controllers with ArubaOS FIPS Firmware: Non-Proprietary Security Policy, FIPS 140-2 Level 2 Release Supplement

A power supply is used to connect the electric power cable. Operating power is also provided to a
compatible Power Over Ethernet (POE) device when connected. The power is provided through the
connected Ethernet cable.
The switch distinguishes between different forms of data, control, and status traffic over the network ports
by analyzing packet header information and contents.

Roles and Services

The Aruba Mobility Controller supports role-based authentication. There are two roles in the switch (as
required by FIPS 140-2 Level 2) that operators may assume: a Crypto Officer role and a User role. The
Administrator maps to the Crypto-Officer role and the client Users map to the User role.

Crypto Officer Role

The Crypto Officer role has the ability to configure, manage, and monitor the switch. Three management
interfaces can be used for this purpose:
CLI
The Crypto Officer can use the CLI to perform non-security-sensitive and security-sensitive monitoring
and configuration. The CLI can be accessed remotely by using the SSHv2 secured management session
over the Ethernet ports or locally over the serial port. In FIPS mode, the serial port is disabled.
Web Interface
The Crypto Officer can use the Web Interface as an alternative to the CLI. The Web Interface provides a
highly intuitive, graphical interface for a comprehensive set of switch management tools. The Web
Interface can be accessed from a TLS-enabled Web browser using HTTPS (HTTP with Secure Socket
Layer) on logical port 4343.
Bootrom Monitor Mode
In Bootrom monitor mode, the Crypto Officer can reboot, update the Bootrom, issue file system-related
commands, modify network parameters, and issue various show commands. The Crypto Officer can
only enter this mode by pressing any key during the first four seconds of initialization. Bootrom Monitor
Mode is disabled in FIPS mode.

The Crypto Officer can also use SNMPv1/2c/3 to remotely perform non-security-sensitive monitoring and
use get and getnext commands. See the table below for descriptions of the services available to the Crypto
Officer role.
Table 3 Crypto-Officer Services

| Service | Description | Input | Output | CSP Access |
|---|---|---|---|---|
| SSH | Provide authenticated and encrypted remote management sessions while using the CLI | SSH key agreement parameters, SSH inputs, and data | SSH outputs and data | Diffie-Hellman key pair (read/write access), session key for SSH (read/write access), RNG keys (read access); Crypto Officer's password (read access) |
| IKEv1/IKEv2-IPSec | Provide authenticated and encrypted remote management sessions to access the CLI functionality | IKEv1/IKEv2 inputs and data; IPSec inputs, commands, and data | IKEv1/IKEv2 outputs, status, and data; IPSec outputs, status, and data | RSA or ECDSA key pair for IKEv1/IKEv2 (read access), Diffie-Hellman or Elliptic curve Diffie-Hellman key pair for IKEv1/IKEv2 (read/write access), pre-shared keys for IKEv1/IKEv2 (read access); Session keys for IPSec (read/write access) |

Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement
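
One way to check the CLI and Web Interface statements above (SSHv2 for the remote CLI, HTTPS on logical port 4343) against the first bytes captured from a controller's management ports. This is an added example, not code from the manual or from the vendor; port 22 for SSH, the function names and the sample captures are assumptions constructed for illustration.

```python
# Added example: classify first bytes captured from management ports.
# SSHv2 and port 4343 come from the page; port 22 and all captures are constructed.
WEBUI_PORT = 4343

def ssh_protoversion(first_bytes):
    """Return the protoversion of an SSH identification string, else None.
    RFC 4253 s4.2 format: 'SSH-protoversion-softwareversion SP comments CR LF';
    a server may send other lines first, none of which start with 'SSH-'."""
    for line in first_bytes.split(b"\n"):
        line = line.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            parts = line.split(b"-", 2)
            if len(parts) == 3 and parts[1]:
                return parts[1].decode("ascii", "replace")
            return None
    return None

def is_tls_server_hello(first_bytes):
    """True if the bytes begin a TLS handshake record carrying a ServerHello."""
    return (len(first_bytes) >= 6
            and first_bytes[0] == 0x16   # record content type: handshake
            and first_bytes[1] == 0x03   # record version major (SSL 3.0 / TLS 1.x)
            and first_bytes[5] == 0x02)  # handshake message type: ServerHello

def audit(captures):
    """captures: (port, service, first_bytes) tuples. Returns (port, finding) pairs."""
    findings = []
    for port, service, data in captures:
        if service == "ssh":
            ver = ssh_protoversion(data)
            if ver != "2.0":  # '1.99' means the server also accepts SSH-1 clients
                findings.append((port, f"SSH protoversion {ver!r}, expected '2.0'"))
        elif service == "webui":
            if port != WEBUI_PORT:
                findings.append((port, f"Web Interface on {port}, page gives {WEBUI_PORT}"))
            if not is_tls_server_hello(data):
                findings.append((port, "reply to ClientHello is not a TLS ServerHello"))
    return findings

# Constructed sample captures (not taken from a real device).
SAMPLE = [
    (22, "ssh", b"SSH-2.0-ExampleServer\r\n"),
    (22, "ssh", b"banner text\r\nSSH-1.99-ExampleServer\r\n"),
    (4343, "webui", b"\x16\x03\x03\x00\x31\x02\x00\x00\x2d\x03\x03"),
    (4343, "webui", b"HTTP/1.1 400 Bad Request\r\n"),
]

if __name__ == "__main__":
    for port, msg in audit(SAMPLE):
        print(port, msg)
```

The record check accepts any 0x03 major version, so it confirms that the listener speaks SSL/TLS but not which protocol version or cipher suite was negotiated.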
FIPS 140-2 Level 2 Features |
17


This manual is also suitable for:

Aruba 620, Aruba 650, Dell W-620, Dell W-650