Fabric OS Administrator’s Guide 523
53-1001763-02
FIPS mode configuration D
The results of all self-tests, for both power-up and conditional, are recorded in the system log or are
output to the local console. This includes logging both passing and failing results. Refer to the
Fabric OS Troubleshooting and Diagnostics Guide for instructions on how to recover if your system
cannot get out of the conditional test mode.

FIPS mode configuration

By default, the switch comes up in non-FIPS mode. You can run the fipsCfg --enable fips command
to enable FIPS mode, but you need to configure the switch first. Self-tests mode must be enabled
before FIPS mode can be enabled. A set of prerequisites as mentioned in the table below must be
satisfied for the system to enter FIPS mode. To be FIPS-compliant, the switch must be rebooted.
KATs are run on the reboot. If the KATs are successful, the switch enters FIPS mode. If KATs fail,
then the switch reboots until the KATs succeed. If the switch cannot enter FIPS mode and
continues to reboot, you must access the switch in single-user mode to break the reboot cycle. For
more information on how to fix this issue, refer to the Fabric OS Troubleshooting and Diagnostics
Guide
Only FIPS-compliant algorithms are run at this stage. Table 103 lists the Fabric OS feature and their
behavior in FIPS and non-FIPS mode.
TABLE 103 FIPS mode restrictions
Features FIPS mode Non-FIPS mode
Configupload/ download/
supportsave/
firmwaredownload
SCP only FTP and SCP
DH-CHAP/FCAP hashing
algorithms
SHA-1 MD5 and SHA-1
HTTP/HTTPS access HTTPS only HTTP and HTTPS
HTTPS protocol/algorithms TLS/AES128 cipher suite TLS/AES128 cipher suite
(SSL will no longer be
supported)
IPsec For FCIP IPSec the DH group 1 is
FIPS-compliant and is not blocked. Usage of
AES-XCBC, MD5 and DH group 0 and 1 are
blocked.
For IPSec (Ethernet), only MD5 is blocked in
FIPS mode.
No restrictions
Radius auth protocols PEAP-MSCHAPv2 CHAP, PAP, PEAP-MSCHAPv2
Root account Disabled Enabled
RPC/secure RPC access Secure RPC only RPC and secure RPC
Secure RPC protocols TLS - AES128 cipher suite SSL and TLS – all cipher suites
Signed firmware Mandatory firmware signature validation. Optional firmware signature
validation
SNMP Read-only operations Read and write operations
SSH algorithms HMAC-SHA1 (mac)
3DES-CBC, AES128-CBC, AES192-CBC,
AES256-CBC (cipher suites)
No restrictions
Telnet/SSH access Only SSH Telnet and SSH