HP StorageWorks Fabric OS 6.1.x administrator guide (5697-0234, November 2009)
Fabric OS 6.1.x administrator guide 137
LDAP in FIPS mode
You can configure your Microsoft Active Directory server to use LDAP while in FIPS mode. Although, there
is no option provided on the switch to configure TLS ciphers for LDAP in FIPS mode. However, the LDAP
client checks if FIPS mode is set on the switch and uses the FIPS compliant TLS ciphers for LDAP. If the FIPS
mode is not set and the Microsoft Active Directory server is configured for FIPS ciphers, it uses FIPS
compliant ciphers.
Table 42 lists the differences between FIPS and non-FIPS mode of operation.
To set up LDAP for FIPS mode:
1. Set the switch authentication mode and add your LDAP server by using the commands in the example
below. Provide the Fully Qualified Domain Name (FQDN) of the Active Directory server for the
hostname parameter while configuring LDAP.
RPC/secure RPC
access
Secure RPC only RPC and secure RPC
Secure RPC protocols TLS - AES128 cipher suite SSL and TLS – all cipher suites
SNMP Read-only operations Read and write operations
DH-CHAP/FCAP
hashing algorithms
SHA-1 MD5 and SHA-1
Signed firmware Mandatory firmware signature validation Optional firmware signature
validation
Configupload/
download/
supportsave/
firmwaredownload
SCP only FTP and SCP
IPsec Usage of AES-XCBC, MD5 and DH group 1
are blocked
No restrictions
Radius auth protocols PEAP-MSCHAPv2 CHAP, PAP, PEAP-MSCHAPv2
Table 41 FIPS mode restrictions
Features FIPS mode Non-FIPS mode
Table 42 FIPS mode of operation
FIPS mode non-FIPS mode
The CA who issued the Microsoft Active Directory
server certificate must be installed on the switch.
There is no mandatory CA certificate installation
on the switch.
Configure FIPS compliant TLS ciphers [TDES-168, SHA1
and RSA-1024] on Microsoft Active Directory server.
The host needs a reboot for the changes to take effect.
On the Microsoft Active Directory server, there is
no configuration of the FIPS compliant TLS
ciphers.
The switch uses FIPS-compliant ciphers regardless of
Microsoft Active Directory server configuration. If the
Microsoft Active Directory server is not configured for
FIPS ciphers, authentication will still succeed.
The Microsoft Active Directory server certificate
is validated if the CA certificate is found on the
switch
The Microsoft Active Directory server certificate is
validated by the LDAP client. If the CA certificate is not
present on the switch then user authentication will fail.
If Microsoft Active Directory server is configured
for FIPS ciphers and the switch is in non-FIPS
mode then user authentication will succeed.