528 Fabric OS Administrator’s Guide
53-1001763-02
Preparing the switch for FIPS
D

Enabling FIPS mode

1. Log in to the switch using an account assigned the admin or securityAdmin role.
2. Optional: Select the appropriate method based on your needs:
If the switch is set for RADIUS, modify each server to use only peap-mschapv2 as the
authentication protocol using the aaaConfig --change or aaaConfig --remove command.
If the switch is set for LDAP, refer to the instructions in “Setting up LDAP for FIPS mode on
page 524.
3. Optional: Set the authentication protocols.
a. Type the following command to set the hash type for MD5 which is used in authentication
protocols DHCHAP and FCAP:
authutil --set -h sha1
b. Set the DH group to 1 or 2 or 3 or 4 using authUtil --set -g <n>, where the DH group is
represented by <n>.
4. Install the LDAP CA certificate on the switch and Microsoft Active Directory server. Refer to the
instructions “LDAP certificates for FIPS mode” on page 526.
5. Block Telnet, HTTP, and RPC using the ipfilter policy command.
You will need to create an IPFilter policy for each protocol.
a. Create an IP filter rule for each protocol, see “Creating an IP Filter policy” on page 153.
b. Add a rule to the IP filter policy, see Adding a rule to an IP Filter policy” on page 157. You
can use the following modifications to the rule:
ipfilter --addrule <policyname> -rule <rule_number> -sip <source_IP> -dp
<dest_port> -proto <protocol> -act <deny>
-sip option can be given as any
-dp option for the port numbers for Telnet, HTTP, and RPC are 23, 80, and 898
respectively
-proto option should be set to tcp
c. Activate the IP filter policy, see Activating an IP Filter policy” on page 154.
d. Save the IP filter policy, see “Saving an IP Filter policy” on page 154.
Example
ipfilter --createrule http_block_v4 --type ipv4
ipfilter --addrule http_block_v4 -rule 2 -sip any -dp 80 -proto tcp -act deny
ipfilter --activate http_block_v4
ipfilter --save http_block_v4
6. Type the following command to block access to the boot PROM:
fipscfg –-disable bootprom
Block boot PROM access before disabling root account.
7. Enable signed firmware by typing the configure command and respond to the prompts as
follows:
System services No
cfgload attributes Yes