Fips support, Public and private key management – Dell POWEREDGE M1000E User Manual
Page 266
266
Fabric OS Administrator’s Guide
53-1002745-02
FIPS support
9
Downloading from the USB device using the relative path
1. Log in to the switch using an account assigned to the admin role.
2. Enter the firmwareDownload -U command.
ecp:admin>firmwaredownload –U v7.1.0
Downloading from the USB device using the absolute path
1. Log in to the switch using an account assigned to the admin role.
2. Enter the firmwareDownload command with the -U operand.
ecp:admin>firmwaredownload –U /usb/usbstorage/brocade/firmware/v7.1.0
FIPS support
Federal Information Processing Standards (FIPS) specify the security standards needed to satisfy a
cryptographic module utilized within a security system for protecting sensitive information in the
computer and telecommunication systems. For more information about FIPS, refer to
“Configuring Security Policies”
.
Fabric OS v7.1.0 firmware is digitally signed using the OpenSSL utility to provide FIPS support. To
use the digitally signed software, you must configure the switch to enable signed firmware
download. If it is not enabled, the firmware download process ignores the firmware signature and
performs as before.
If signed firmware download is enabled, and if the validation succeeds, the firmware download
process proceeds normally. If the firmware is not signed or if the signature validation fails,
firmwareDownload fails.
To enable or disable FIPS mode, refer to
Chapter 7, “Configuring Security Policies”
.
Public and private key management
For signed firmware, Brocade uses RSA with 1024-bit length key pairs, a private key and a public
key. The private key is used to sign the firmware files when the firmware is generated. The public
key is packaged in an RPM package as part of the firmware, and is downloaded to the switch. After
it is downloaded, it can be used to validate the firmware to be downloaded next time when you run
the firmwareDownload command.
The public key file on the switch contains only one public key. It is only able to validate firmware
signed using one corresponding private key. If the private key changes in future releases, you need
to change the public key on the switch by one of the following methods:
•
By using the firmwareDownload command. When a new firmware is downloaded, firmware
download always replaces the public key file on the switch with what is in the new firmware.
This allows you to have planned firmware key changes.
•
By using the firmwareKeyUpdate command. This command retrieves a specified public key file
from a specific server location and replaces the one on the switch. The information about
firmware versions and their corresponding public key files is documented in the release notes
or stored in a known location on the Brocade website. This command allows the customer to
handle unplanned firmware key changes.