Brocade Communications Systems 53-1001763-02 FIPS Support

Fabric OS Administrator’s Guide 201

53-1001763-02

FIPS Support 9

FIPS Support

Federal information processing standards (FIPS) specify the security standards needed to satisfy a

cryptographic module utilized within a security system for protecting sensitive information in the

computer and telecommunication systems. For more information about FIPS, refer to Chapter 7,

“Configuring Security Policies”.

The v6.4.0 firmware is digitally signed using the OpenSSL utility to provide FIPS support.To use the

digitally signed software, you must configure the switch to enable Signed Firmwaredownload. If it is

not enabled then the firmware download process ignores the firmware signature and work as

before.

If Signed Firmwaredownload is enabled, and if the validation succeeds, the firmware download

process proceeds normally. If the firmware is not signed or if the signature validation fails,

firmwareDownload fails.

To enable or disable FIPS, refer to Chapter 7, “Configuring Security Policies”.

For signed firmware, Brocade uses RSA with 1024-bit length key pairs, a private key and a public

key. The private key is used to sign the firmware files when the firmware is generated. The public

key is packaged in an RPM-package as part of the firmware, and is downloaded to the switch. After

it is downloaded, it can be used to validate the firmware to be downloaded next time when you run

the firmwareDownload command.

The public key file on the switch contains only one public key. It is only able to validate firmware

signed using one corresponding private key. If the private key changes in future releases, you need

to change the public key on the switch by one of the following methods:

•By using the firmwareDownload command. When a new firmware is downloaded,

firmwareDownload always replaces the public key file on the switch with what is in the new

firmware. This allows you to have planned firmware key changes.

•By using the firmwareKeyUpdate command. This command retrieves a specified public key file

from a specific server location and replaces the one on the switch. So for easy access, the

information regarding firmware versions and their corresponding public key files should be

documented in the release notes or stored in a known location in the Brocade website. This

command allows the customer to handle unplanned firmware key changes.

NOTE

If FIPS is enabled, all logins should be done through SSH or direct serial and the transfer protocol

should be SCP.

1. Log in to the switch as admin.

2. Type the firmwareKeyUpdate command and respond to the prompts.

As mentioned previously, the public key file will need to be packaged, installed, and run on your

switch before downloading a signed firmware.