Fabric OS Administrator’s Guide 521
53-1001763-02
Appendix D

FIPS Support

In this appendix
FIPS overview
Zeroization functions
FIPS mode configuration
Preparing the switch for FIPS

FIPS overview

Federal Information Processing Standards (FIPS) specify the security standards to be satisfied by a
cryptographic module utilized in Fabric OS v6.0.0 and later to protect sensitive information in the
switch. As part of FIPS 140-2 level 2 compliance, passwords, shared secrets, and the private keys
used in SSL, TLS, and system login need to be cleared out or zeroized. Power-up self-tests are
executed when the switch is powered on to check the consistency of the algorithms
implemented in the switch. Known-answer tests (KATs) are used to exercise various features of the
algorithms, and their results are displayed on the console for your reference. Conditional tests are
performed whenever an RSA key pair is generated. These tests verify the randomness of the
deterministic and non-deterministic random number generators (DRNG and non-DRNG). They also
verify the consistency of RSA keys with regard to signing and verification and encryption and
decryption.

ATTENTION
FIPS mode is a chassis-wide setting. When it is enabled, it affects all logical switches.
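
The power-up known-answer tests and the conditional RSA pairwise consistency test described in the overview can be sketched as follows. This is an added illustration in Python, not Fabric OS code; the function names and the toy RSA key (n=3233) are constructed for the example, and textbook RSA without padding stands in for the module's real signing and encryption.

```python
import hashlib
import hmac

# Published vectors: the SHA-256 digest of "abc" from the SHA standard
# examples, and HMAC-SHA-256 test case 1 from RFC 4231.
KATS = [
    ("SHA-256", lambda: hashlib.sha256(b"abc").hexdigest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-256",
     lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).hexdigest(),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


def run_power_up_kats(kats=KATS):
    """Run each algorithm on a fixed input and compare with the stored answer."""
    return {name: hmac.compare_digest(compute(), expected)
            for name, compute, expected in kats}


def rsa_pairwise_consistent(n, e, d, probe=42):
    """Conditional test after key generation (textbook RSA, no padding)."""
    if not 1 < probe < n:
        return False
    # Sign with the private exponent, verify with the public one.
    sign_ok = pow(pow(probe, d, n), e, n) == probe
    # Encrypt with the public exponent, decrypt with the private one.
    ciphertext = pow(probe, e, n)
    enc_ok = ciphertext != probe and pow(ciphertext, d, n) == probe
    return sign_ok and enc_ok


def module_may_operate(kat_results, key_ok):
    """Assumed policy for this sketch: any failed self-test blocks crypto use."""
    return all(kat_results.values()) and key_ok


if __name__ == "__main__":
    # Constructed toy key (p=61, q=53): far too small for real use.
    results = run_power_up_kats()
    for name, passed in results.items():
        print(f"{name} KAT: {'PASS' if passed else 'FAIL'}")
    key_ok = rsa_pairwise_consistent(n=3233, e=17, d=2753)
    print("RSA pairwise consistency:", "PASS" if key_ok else "FAIL")
    print("Module operational:", module_may_operate(results, key_ok))
```

A key pair whose private exponent does not match the public one (for example d=2751 with the same n and e) fails the pairwise check, and the sketch then reports the module as not operational.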

Zeroization functions

Explicit zeroization can be done at the discretion of the security administrator. These functions
clear the passwords and the shared secrets. Table 102 lists the various keys used in the system
that will be zeroized in a FIPS-compliant Fabric OS module.

TABLE 102   Zeroization behavior

Keys               Zeroization CLI    Description
DH private keys    No CLI required    Keys will be zeroized within code before they are released from memory.
FCAP private key   pkiRemove          The pkiCreate command creates the keys, and pkiRemove removes/zeroizes the keys.