Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)

Power-on self tests
A power-on self test (POST) is invoked by powering on the switch in FIPS mode and does not require
any operator intervention. If any known answer tests (KATs) fail, the switch goes into a FIPS Error
state, which reboots the system to start the test again. If the switch continues to fail the FIPS POST,
you will need to return the switch to your switch service provider for repair. Refer to the Fabric OS
Troubleshooting and Diagnostics Guide for information about preparing a case for your service provider.
Conditional tests
Conditional tests apply to the random number generators and verify the randomness of their
output. They are executed each time before a random number provided by the random number
generator is used.
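
The guide does not say which conditional test Fabric OS runs. The following added example (not code from the guide or from Fabric OS) sketches the continuous random number generator test defined in FIPS 140-2, which matches the behavior described above: every block is checked before it is released. The class and function names, the 16-byte block size, and the constructed faulty source are assumptions made for illustration.

```python
import os

BLOCK_BYTES = 16  # assumed block size; FIPS 140-2 requires blocks of more than 15 bits


class FipsErrorState(Exception):
    """Raised when a conditional test fails; no further output is released."""


class CheckedRng:
    """Wraps a block source with the FIPS 140-2 continuous RNG test."""

    def __init__(self, source=os.urandom, block_bytes=BLOCK_BYTES):
        self._source = source
        self._n = block_bytes
        self._failed = False
        # The first block after initialization is never handed out;
        # it is only kept for comparison with the next one.
        self._previous = source(block_bytes)

    def next_block(self):
        if self._failed:
            raise FipsErrorState("RNG is in error state")
        block = self._source(self._n)
        # Conditional test: runs before every block is released.
        if block == self._previous:
            self._failed = True
            raise FipsErrorState("continuous RNG test failed: repeated block")
        self._previous = block
        return block


def stuck_source(n):
    """Constructed faulty source that always returns the same block."""
    return b"\xAA" * n


def demo():
    """Draw four blocks from a healthy source, then show a stuck source being caught."""
    good = CheckedRng()
    blocks = [good.next_block() for _ in range(4)]
    try:
        CheckedRng(source=stuck_source).next_block()
        stuck_detected = False
    except FipsErrorState:
        stuck_detected = True
    return len(blocks), stuck_detected


if __name__ == "__main__":
    print(demo())
```
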
TABLE 85 Zeroization behavior (Continued)

| Keys | Zeroization CLI | Description |
|---|---|---|
| FCSP Challenge Handshake Authentication Protocol (CHAP) Secret | secAuthSecret --remove value \| --all | The secAuthSecret --remove value command is used to remove the specified keys from the database. When the secAuthSecret command is used with the --remove --all option, then the entire key database is deleted. |
| Passwords | passwdDefault; fipscfg --zeroize | The passwdDefault command removes user-defined accounts in addition to default passwords for the root, admin, and user default accounts. However, only the root account has permissions for this command. Users with securityadmin and admin permissions must use fipsCfg --zeroize, which, in addition to removing user accounts and resetting passwords, also does the complete zeroization of the system. |
| RADIUS secret | aaaConfig --remove | The aaaConfig --remove command zeroizes the secret and deletes a configured server. |
| RNG seed key | No command required | /dev/urandom is used as the initial source of seed for RNG. The RNG seed key is zeroized on every random number generation. |
| SFTP session keys | No command required | Automatically zeroized on session termination. |
| SSH RSA private key | sshUtil delprivkey | Key-based SSH authentication is not used for SSH sessions. |
| SSH RSA public key | sshUtil delpubkeys | Key-based SSH authentication is not used for SSH sessions. |
| SSH session key | No command required | This key is generated for each SSH session that is established with the host. It automatically zeroizes on session termination. |
| Third-party keys | secCertUtil delete -fcapall | Used to zeroize third-party keys. |
| TLS authentication key | No command required | Automatically zeroized on session termination. |
| TLS pre-master secret | No command required | Automatically zeroized on session termination. |
| TLS private keys | secCertUtil delkey -all | The secCertUtil delkey -all command is used to zeroize these keys. |
| TLS session key | No command required | Automatically zeroized on session termination. |