05-18-2015 01:59 PM
1. I have a SAN switch / Fabric OS combination that is FIPS-validated.
2. I have correctly followed the entire procedure to prepare to enter FIPS mode.
3. I issue this command:
fipscfg --enable fips
I know this command "puts me into FIPS mode". But that's a pretty high-level description. What does it actually ***do***? Does it disable all of the commands that are used to prepare the switch for FIPS mode? Something else?
Thanks in advance!
05-19-2015 08:05 AM
05-20-2015 08:27 AM - edited 05-20-2015 08:27 AM
I have asked some of our engineers to take a look at this, but while we wait for them to respond I would suggest opening a ticket with support. They may be able to give a more thorough answer.
05-21-2015 06:12 PM
I may be a bit ignorant here, but wouldn't those be the questions you need to ask BEFORE you put a switch in such a restricted mode?
To be honest, in the 20 years I've been working with Brocade environments this is actually the third time I've seen the need for FIPS and where it is actually enabled. I would like to hear some more about your reasoning as to why you need FIPS.
Your feedback is much appreciated.
05-22-2015 10:16 AM
We actually have not yet put our switch in FIPS mode. I am trying to learn as much as I can about it before we do.
As to the reason for our need for FIPS... It is contractually required of us by our customer. No FIPS, no deal!
05-25-2015 10:06 PM
:-) Pretty compelling sales argument.
To be honest, this is the first time I've seen this requirement, but I assume this is for some NSA/FBI/CIA or whatever hush-hush organisation.
The methodology used is pretty simple. It removes basically all options that should not be allowed in a FIPS-compliant switch. For example, the bootprom access methodology is adjusted so it will not show you the option of pressing the ESC key (fipscfg --disable bootprom). The firmwaredownload method is adjusted so that it will check for a signed FOS release, otherwise it won't do anything, plus it only connects to an SSL-enabled system (ssh/scp).
From a troubleshooting perspective this is the easiest switch to diagnose: if it doesn't work, try rebooting. If that doesn't work: buy a new one. All support options are disabled, and a supportshow/save is not an option on a FIPS-enabled switch.
For more info: http://www.nist.gov/itl/fips.cfm
05-26-2015 11:22 AM
Yes indeed, there are a number of prerequisites to entering FIPS mode. Here are just a few as examples (taken straight from the Administrator's Manual for FOS 7.1.0):
switch:FID128:admin> snmpconfig --set seclevel
Select SNMP GET Security Level
(0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (0..3) 
Select SNMP SET Security Level
(0 = No security, 1 = Authentication only, 2 = Authentication and Privacy, 3 = No Access): (0..3)  3
fipsCfg --disable bootprom
userConfig --change root -e no
And then, of course, there's the all-important command that makes all of these changes irreversible:
fipsCfg --enable fips
Here's what my question really is: Once I issue that all-important no-going-back fipsCfg --enable fips command, what is preventing me from undoing any of the prerequisite configuration I had to do to make the switch FIPS-compliant?
As one concrete example, what prevents me from reinstating root access as shown immediately below?
userConfig --change root -e yes
Does fipsCfg --enable fips simply disable any command that would allow one to change any of the prerequisite settings that are required to enter FIPS mode? Or does it do more than that?
06-02-2015 04:14 AM
Keep in mind that if you disable root for FIPS mode, you can't ever re-enable it.
You can, though, force-enable FIPS while leaving root enabled.
bswitch2:adminuser> fipscfg --force fips
Root account is enabled.
FIPS mode has been set to : Enabled
Please reboot the system
Warning: This command would cause the switch to reboot
and result in traffic disruption.
Are you sure you want to reboot the switch [y/n]?y
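The transition the last two posts describe is one-way: `fipscfg --enable fips` makes the prerequisite changes irreversible, and `fipscfg --force fips` lets root stay enabled but still ends in a reboot prompt. The following is an added example, not code from the thread or from Brocade. It assumes the operator drives the switch CLI from a script (for instance an ssh session under expect) and has the switch's output captured as a string; it matches only the strings that appear in the transcript quoted above, and makes no assumption about any other CLI output. Its purpose is to refuse to answer the reboot prompt with 'y' when the transcript shows root is still enabled and that was not explicitly intended. What declining the reboot does beyond avoiding the immediate restart is not something the thread establishes.

```python
"""Pre-flight gate for the irreversible fipscfg --enable/--force fips step.

Added example, not from the thread or from Brocade. Assumes the switch CLI
output has been captured into a string by whatever drives the session. The
only CLI strings relied upon are the ones quoted in the thread's transcript.
"""
import re

# Constructed sample: the output quoted in the thread, up to the prompt,
# before the operator typed an answer.
SAMPLE_FORCE_TRANSCRIPT = """\
bswitch2:adminuser> fipscfg --force fips
Root account is enabled.
FIPS mode has been set to : Enabled
Please reboot the system
Warning: This command would cause the switch to reboot
and result in traffic disruption.
Are you sure you want to reboot the switch [y/n]?"""


def assess_transcript(text):
    """Extract what the captured output says about the pending transition."""
    return {
        # Printed by the --force path when root was left enabled (see thread).
        "root_enabled": "Root account is enabled." in text,
        "fips_enabled": re.search(
            r"FIPS mode has been set to\s*:\s*Enabled", text) is not None,
        "reboot_prompt": "reboot the switch [y/n]?" in text,
        "forced": re.search(r"fipscfg\s+--force\s+fips", text) is not None,
    }


def reboot_answer(assessment, keep_root_approved=False):
    """Decide what to send to the [y/n] reboot prompt.

    Answer 'y' only when FIPS is reported enabled, a prompt is actually
    pending, and either root is already disabled or leaving root enabled
    was an explicit, approved decision (the --force path). Anything else
    gets 'n' so an operator can review before the switch reboots into a
    state that cannot be undone.
    """
    if not (assessment["fips_enabled"] and assessment["reboot_prompt"]):
        return "n"
    if assessment["root_enabled"] and not keep_root_approved:
        return "n"
    return "y"


if __name__ == "__main__":
    result = assess_transcript(SAMPLE_FORCE_TRANSCRIPT)
    print(result)
    print("default answer:", reboot_answer(result))
    print("answer with root kept on purpose:",
          reboot_answer(result, keep_root_approved=True))
```

Run it against the captured output just before sending the answer to the prompt; the `keep_root_approved` flag is the place to wire in whatever change-control record says root was meant to survive the transition.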