Fips mode configuration, Table 103 – Dell POWEREDGE M1000E User Manual


Fabric OS Administrator's Guide, 53-1001763-02, page 523


The results of all self-tests, for both power-up and conditional, are recorded in the system log or are
output to the local console. This includes logging both passing and failing results. Refer to the
Fabric OS Troubleshooting and Diagnostics Guide for instructions on how to recover if your system
cannot get out of the conditional test mode.

FIPS mode configuration

By default, the switch comes up in non-FIPS mode. You can run the fipsCfg --enable fips command
to enable FIPS mode, but you need to configure the switch first. Self-tests mode must be enabled
before FIPS mode can be enabled. The set of prerequisites listed in the table below must be
satisfied for the system to enter FIPS mode. To be FIPS-compliant, the switch must be rebooted.
KATs are run on the reboot. If the KATs are successful, the switch enters FIPS mode. If the KATs
fail, the switch reboots until the KATs succeed. If the switch cannot enter FIPS mode and
continues to reboot, you must access the switch in single-user mode to break the reboot cycle. For
more information on how to fix this issue, refer to the Fabric OS Troubleshooting and Diagnostics
Guide.

Only FIPS-compliant algorithms are run at this stage. Table 103 lists the Fabric OS features and
their behavior in FIPS and non-FIPS mode.

TABLE 103    FIPS mode restrictions

Features                                            | FIPS mode                                                   | Non-FIPS mode
----------------------------------------------------|-------------------------------------------------------------|--------------------------------------
Configupload/download/supportsave/firmwaredownload  | SCP only                                                    | FTP and SCP
DH-CHAP/FCAP hashing algorithms                     | SHA-1                                                       | MD5 and SHA-1
HTTP/HTTPS access                                   | HTTPS only                                                  | HTTP and HTTPS
HTTPS protocol/algorithms                           | TLS/AES128 cipher suite                                     | TLS/AES128 cipher suite
                                                    |                                                             | (SSL will no longer be supported)
IPsec                                               | For FCIP IPsec, DH group 1 is FIPS-compliant and is not     | No restrictions
                                                    | blocked. Usage of AES-XCBC, MD5, and DH group 0 and 1 is    |
                                                    | blocked. For IPsec (Ethernet), only MD5 is blocked in       |
                                                    | FIPS mode.                                                  |
RADIUS auth protocols                               | PEAP-MSCHAPv2                                               | CHAP, PAP, PEAP-MSCHAPv2
Root account                                        | Disabled                                                    | Enabled
RPC/secure RPC access                               | Secure RPC only                                             | RPC and secure RPC
Secure RPC protocols                                | TLS - AES128 cipher suite                                   | SSL and TLS, all cipher suites
Signed firmware                                     | Mandatory firmware signature validation                     | Optional firmware signature validation
SNMP                                                | Read-only operations                                        | Read and write operations
SSH algorithms                                      | HMAC-SHA1 (MAC); 3DES-CBC, AES128-CBC, AES192-CBC,          | No restrictions
                                                    | AES256-CBC (cipher suites)                                  |
Telnet/SSH access                                   | Only SSH                                                    | Telnet and SSH
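A pre-flight check of a switch configuration against the FIPS-mode column of Table 103, added here as an example rather than Fabric OS code: it flags every prerequisite that would keep fipsCfg --enable fips from succeeding, so the check can be run before the reboot instead of diagnosing a KAT reboot cycle afterwards. It assumes the configuration has already been exported into the dictionary shape shown (the key names and value types are assumptions of this example, not a Fabric OS format), and it leaves out the IPsec row.

```python
# Added pre-check for Table 103; the dict layout below is an assumption, not a Fabric OS format.

FIPS_SSH_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}
FIPS_SSH_MACS = {"hmac-sha1"}
FIPS_RADIUS_PROTOCOLS = {"peap-mschapv2"}
FIPS_CHAP_HASHES = {"sha-1"}

# Boolean settings that must be off / on before FIPS mode can be entered.
MUST_BE_OFF = {
    "telnet_enabled": "Telnet/SSH access: only SSH is allowed",
    "http_enabled": "HTTP/HTTPS access: HTTPS only",
    "ftp_enabled": "configupload/download, supportsave, firmwaredownload: SCP only",
    "root_account_enabled": "root account must be disabled",
    "snmp_write_enabled": "SNMP: read-only operations only",
    "plain_rpc_enabled": "RPC/secure RPC access: secure RPC only",
}
MUST_BE_ON = {
    "self_tests_enabled": "self-tests mode must be enabled before FIPS mode",
    "firmware_signature_validation": "firmware signature validation is mandatory",
}
# Settings holding a list of algorithms/protocols, with their FIPS allow-list.
ALLOW_LISTS = {
    "ssh_ciphers": (FIPS_SSH_CIPHERS, "SSH cipher(s) not allowed"),
    "ssh_macs": (FIPS_SSH_MACS, "SSH MAC(s) not allowed"),
    "radius_protocols": (FIPS_RADIUS_PROTOCOLS, "RADIUS protocol(s) not allowed"),
    "dh_chap_hashes": (FIPS_CHAP_HASHES, "DH-CHAP/FCAP hash(es) not allowed"),
}

def fips_precheck(cfg):
    """Return the Table 103 prerequisites the configuration violates; an empty
    list means no prerequisite in this check will block entering FIPS mode."""
    findings = [msg for key, msg in MUST_BE_OFF.items() if cfg.get(key)]
    findings += [msg for key, msg in MUST_BE_ON.items() if not cfg.get(key)]
    for key, (allowed, msg) in ALLOW_LISTS.items():
        # Compare case-insensitively; anything outside the allow-list is a blocker.
        bad = sorted({v.lower() for v in cfg.get(key, [])} - allowed)
        if bad:
            findings.append(f"{msg}: {', '.join(bad)}")
    return findings

# Constructed sample: a switch still carrying several non-FIPS defaults.
SAMPLE_CFG = {
    "self_tests_enabled": True, "firmware_signature_validation": False,
    "telnet_enabled": True, "http_enabled": False, "ftp_enabled": False,
    "root_account_enabled": True, "snmp_write_enabled": False, "plain_rpc_enabled": False,
    "ssh_ciphers": ["aes128-cbc", "arcfour", "aes256-ctr"],
    "ssh_macs": ["hmac-sha1"],
    "radius_protocols": ["PEAP-MSCHAPv2", "PAP"],
    "dh_chap_hashes": ["SHA-1"],
}
```

Running fips_precheck(SAMPLE_CFG) reports the Telnet, root account, firmware signature, SSH cipher and RADIUS findings; clearing those and rerunning until the list is empty is the point at which the reboot into FIPS mode is worth attempting.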
