Entering FIPS mode

After you enable FIPS mode and reboot the device, the device operates in FIPS mode. The FIPS device has strict security requirements, and performs self-tests on cryptography modules to verify that they are operating correctly.

A FIPS device meets the requirements defined in Network Device Protection Profile (NDPP) of Common Criteria (CC).

The system provides two methods to enter FIPS mode: automatic reboot and manual reboot.

Automatic reboot

To use automatic reboot to enter FIPS mode:

  1. Enable FIPS mode.

  2. Select the automatic reboot method.

    The system automatically performs the following tasks:

    1. Create a default FIPS configuration file named fips-startup.cfg.

    2. Specify the default file as the startup configuration file.

    3. Prompt you to configure the username and password for next login.

    You can press Ctrl+C to exit the configuring process. The fips mode enable command will not be executed.

  3. Configure a username and password to log in to the device in FIPS mode.

    The password must be at least 15 characters long and must contain uppercase letters, lowercase letters, digits, and special characters.

    The system reboots the device with the new startup configuration file and enters FIPS mode. Only the configured username and password can be used to log in to the FIPS device. After login, you are assigned the security administrator role (Crypto Officer).

Manual reboot

To use manual reboot to enter FIPS mode:

  1. Enable the password control feature globally.

  2. Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.

  3. Set the minimum length of user passwords to 15 characters.

  4. Add a local user account for device management, including the following items:

    • A username.

    • A password that complies with the password control policies as described in step 2 and step 3.

    • A user role of network-admin or mdc-admin.

    • A service type of terminal.

  5. Remove the FIPS-noncompliant service types (Telnet, HTTP, and FTP) from local user accounts.

  6. Enable FIPS mode.

  7. Select the manual reboot method.

  8. Save the configuration file and specify it as the startup configuration file.

  9. Delete the startup configuration file in binary format (an .mdb file).

  10. Reboot the device.

    The system enters FIPS mode. You can use the configured username and password to log in to the device in FIPS mode.

To enable FIPS mode:

  1. Enter system view.

    Command: system-view

    Remarks: N/A

  2. Enable FIPS mode.

    Command: fips mode enable

    Remarks: By default, FIPS mode is disabled.
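The following CLI session walks through the manual reboot procedure above end to end, from the password control settings through the fips mode enable command and the final reboot. It is an added example written for this page, not a session taken from the vendor documentation. The account name fipsadmin and its password are constructed values; the device prompts shown after fips mode enable are paraphrased, and the file names startup.cfg and startup.mdb are assumed. The commands other than system-view and fips mode enable are recalled from the Comware 7 command reference and should be verified against the command reference for your device. Lines beginning with # are annotations, not commands.

```console
<Device> system-view
# Step 1: enable password control globally so the complexity rules below are enforced.
[Device] password-control enable
# Step 2: require all four character types, at least one character of each.
[Device] password-control composition type-number 4 type-length 1
# Step 3: minimum password length of 15 characters.
[Device] password-control length 15
# Step 4: management account that will be the only way in after the reboot.
#         Password below is a constructed sample that satisfies steps 2 and 3.
[Device] local-user fipsadmin class manage
[Device-luser-manage-fipsadmin] password simple Fips-Sample-Pw-2024!
[Device-luser-manage-fipsadmin] authorization-attribute user-role network-admin
[Device-luser-manage-fipsadmin] service-type terminal
# Step 5: strip the non-compliant service types (needed on any pre-existing account).
[Device-luser-manage-fipsadmin] undo service-type telnet ftp http
[Device-luser-manage-fipsadmin] quit
# Step 6 and 7: enable FIPS mode and choose the manual reboot method.
[Device] fips mode enable
FIPS mode change requires a device reboot. Continue? [Y/N]: y
Reboot the device automatically? [Y/N]: n
# Step 8: save and make this file the next-startup configuration.
[Device] save flash:/startup.cfg
[Device] quit
<Device> startup saved-configuration startup.cfg
# Step 9: remove the binary startup file so the .cfg above is the only startup configuration.
<Device> delete /unreserved flash:/startup.mdb
# Step 10: reboot; the device comes up in FIPS mode and accepts only fipsadmin.
<Device> reboot
```

Before rebooting, confirm with display current-configuration that no local user still carries the telnet, ftp, or http service types and that the password-control lines are present; the page notes that a configuration which does not meet these requirements will not bring the device up in FIPS mode with a usable login.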