4.2 Services

The module provides various services depending on role. These are described below.

4.2.1 Crypto Officer Services

The CO role in each of the FIPS modes defined in section 3.3 has the same services.

| Service | Description | CSPs Accessed (see section 6 below for complete description of CSPs) |
|---|---|---|
| FIPS mode enable/disable | The CO selects/de-selects FIPS mode as a configuration option. | None. |
| Key Management | The CO can configure/modify the IKE shared secret (The RSA private key is protected by non-volatile memory and cannot be modified) and the WPA2 PSK (used in advanced Remote AP configuration). Also, the CO/User implicitly uses the KEK to read/write configuration to non-volatile memory. | IKE shared secret; WPA2 PSK; KEK |
| Remotely reboot module | The CO can remotely trigger a reboot | KEK is accessed when configuration is read during reboot. The firmware verification key and firmware verification CA key are accessed to validate firmware prior to boot. |
| Self-test triggered by CO/User reboot | The CO can trigger a programmatic reset leading to self-test and initialization | KEK is accessed when configuration is read during reboot. The firmware verification key and firmware verification CA key are accessed to validate firmware prior to boot. |
| Update module firmware | The CO can trigger a module firmware update | The firmware verification key and firmware verification CA key are accessed to validate firmware prior to writing to flash. |
| Configure non-security related module parameters | CO can configure various operational parameters that do not relate to security | None. |
