07-Security Command Reference
22-FIPS Commands
FIPS configuration commands
Support for the commands depends on the device model. For more information, see About the H3C Access Controllers Command References.
display fips status
Use display fips status to display the current FIPS mode state.
Syntax
display fips status
Views
Any view
Default command level
1: Monitor level
Examples
# Display the current FIPS mode state.
<Sysname> display fips status
FIPS mode is enabled
Related commands
fips mode enable
fips mode enable
Use fips mode enable to enable FIPS mode.
Use undo fips mode enable to disable FIPS mode.
Syntax
fips mode enable
undo fips mode enable
Default
The FIPS mode is disabled.
Views
System view
Default command level
2: System level
Usage guidelines
The FIPS mode complies with FIPS 140-2.
After FIPS mode is enabled, delete the local user service types that are not FIPS 140-2 compliant (Telnet, HTTP, and FTP) before you reboot the device.
To enter the FIPS mode, follow these steps:
1. Enable FIPS mode.
2. Enable the password control function.
3. Configure the username and password to log in to the device in FIPS mode. The password must include at least 10 characters, and must contain uppercase and lowercase letters, digits, and special characters.
4. Delete all MD5-based digital certificates.
5. Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
6. Save the configuration.
After you enable FIPS mode and reboot the device, the following system changes occur:
· The FTP/TFTP server is disabled.
· The Telnet server is disabled.
· The HTTP server is disabled.
· SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
· The SSL server supports only TLS 1.0.
· The SSH server does not support SSHv1 clients.
· Generated RSA key pairs must have a modulus length of 2048 bits, and generated DSA key pairs must have a modulus length from 1024 to 2048 bits.
· SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5.
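The pre-reboot checklist above (remove Telnet/HTTP/FTP service types, enable password control, meet the password rule, delete MD5-signed certificates, delete RSA pairs and short DSA pairs) can be checked mechanically before the reboot so that you do not lose management access. The script below is an added example, not H3C code: the configuration text and the key/certificate inventory are constructed samples, and the `local-user` / `service-type` / `password-control enable` syntax it parses is an assumption modelled on Comware-style configuration rather than output copied from this document.

```python
"""Pre-reboot FIPS readiness check for an H3C-style configuration (added example).

Models the 'fips mode enable' pre-reboot checklist: local-user service types
that FIPS mode disables (telnet, http, ftp), the password-control rule, the
10-character/four-class password rule, MD5-signed certificates, and key pairs
FIPS mode will not keep (every RSA pair, DSA pairs with a modulus under 1024).
Config syntax and all sample data are constructed/assumed, not device output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

NONCOMPLIANT_SERVICES = {"telnet", "http", "ftp"}
PASSWORD_MIN_LEN = 10


@dataclass
class Finding:
    step: int      # step of the 'fips mode enable' procedure the finding maps to
    message: str


def parse_local_users(config: str) -> dict[str, set[str]]:
    """Return {username: {service types}} from 'local-user NAME' blocks.

    A block runs from a 'local-user' line to the next unindented line
    (assumed Comware-style layout).
    """
    users: dict[str, set[str]] = {}
    current = None
    for line in config.splitlines():
        if not line.strip():
            continue
        m = re.match(r"local-user\s+(\S+)", line)
        if m:
            current = m.group(1)
            users.setdefault(current, set())
            continue
        if not line.startswith(" "):
            current = None          # left the local-user block
            continue
        if current is not None:
            m = re.match(r"\s*service-type\s+(.+)", line)
            if m:
                users[current].update(m.group(1).split())
    return users


def password_meets_fips_rule(pw: str) -> bool:
    """Step 3: at least 10 characters, with upper, lower, digit and special."""
    return (len(pw) >= PASSWORD_MIN_LEN
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def check_fips_readiness(config: str, keypairs, certs, passwords) -> list[Finding]:
    """keypairs: [(name, 'rsa'|'dsa', modulus_bits)]; certs: [(name, sig_alg)];
    passwords: {username: candidate password}. All are constructed inventories."""
    findings: list[Finding] = []
    if "password-control enable" not in config.splitlines():
        findings.append(Finding(2, "password control is not enabled"))
    for user, services in parse_local_users(config).items():
        bad = services & NONCOMPLIANT_SERVICES
        if bad:
            findings.append(Finding(1, f"local-user {user}: remove service-type {sorted(bad)}"))
    for user, pw in passwords.items():
        if not password_meets_fips_rule(pw):
            findings.append(Finding(3, f"local-user {user}: password does not meet the FIPS rule"))
    for name, alg in certs:
        if alg.lower().startswith("md5"):
            findings.append(Finding(4, f"certificate {name}: MD5-signed, delete it"))
    for name, alg, bits in keypairs:
        if alg == "rsa":
            findings.append(Finding(5, f"key pair {name}: RSA pair must be deleted before the reboot"))
        elif alg == "dsa" and bits < 1024:
            findings.append(Finding(5, f"key pair {name}: DSA modulus {bits} < 1024 bits"))
    return findings


# Constructed sample inputs (not from a real device).
SAMPLE_CONFIG = """\
password-control enable
local-user admin
 service-type ssh telnet
 authorization-attribute level 3
local-user operator
 service-type ssh
ssh server enable
"""
SAMPLE_KEYPAIRS = [("host-rsa", "rsa", 2048), ("host-dsa", "dsa", 512), ("dsa2k", "dsa", 2048)]
SAMPLE_CERTS = [("ca-old", "md5WithRSAEncryption"), ("ca-new", "sha256WithRSAEncryption")]
SAMPLE_PASSWORDS = {"admin": "Fips!Mode2024", "operator": "short1A!"}

if __name__ == "__main__":
    for f in check_fips_readiness(SAMPLE_CONFIG, SAMPLE_KEYPAIRS, SAMPLE_CERTS, SAMPLE_PASSWORDS):
        print(f"step {f.step}: {f.message}")
```

Run it against an exported configuration plus the key pairs and certificates you enumerated on the device; an empty findings list is the signal that the reboot will not strand you without a compliant login.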
Examples
# Enable FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue?[Y/N]:y
Change the configuration to meet FIPS mode requirements, save the configuration
to the next-startup configuration file, and then reboot to enter FIPS mode.
# Disable FIPS mode.
<Sysname> system-view
[Sysname] undo fips mode enable
FIPS mode change requires a device reboot. Continue?[Y/N]:y
Change the configuration to meet non-FIPS mode requirements, save the configuration
to the next-startup configuration file, and then reboot to enter non-FIPS mode.
Related commands
display fips status
fips self-test
Use fips self-test to trigger a self-test on the cryptographic algorithms.
Syntax
fips self-test
Views
System view
Default command level
3: Manage level
Usage guidelines
To verify that the cryptographic modules operate correctly, use this command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test.
If the self-test fails, the device automatically reboots.
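A FIPS 140-2 power-up self-test is built on known-answer tests: each approved algorithm is run on a fixed input and the output is compared with a value computed in advance, and any mismatch puts the module into an error state. The model below is an added example, not H3C's self-test implementation: the vectors are the published SHA-1/SHA-256 digests of "abc" and HMAC-SHA256 test case 1 from RFC 4231, the on-demand and power-up paths share one function as the usage guidelines describe, and the device's reboot-on-failure is represented by an exception.

```python
"""Known-answer self-test model for a cryptographic module (added example).

Not H3C code. Each entry computes an algorithm over a fixed input and compares
the result with a precomputed expected value; a mismatch is a self-test failure.
MD5 is deliberately absent: FIPS mode does not offer it.
"""
import hashlib
import hmac

# (compute function, expected hex digest) -- standard published test vectors.
KNOWN_ANSWERS = {
    "sha1": (
        lambda: hashlib.sha1(b"abc").hexdigest(),
        "a9993e364706816aba3e25717850c26c9cd0d89d",
    ),
    "sha256": (
        lambda: hashlib.sha256(b"abc").hexdigest(),
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    ),
    "hmac-sha256": (   # RFC 4231 test case 1: key = 0x0b * 20, data = "Hi There"
        lambda: hmac.new(b"\x0b" * 20, b"Hi There", "sha256").hexdigest(),
        "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7",
    ),
}


class SelfTestFailure(Exception):
    """Raised when any known-answer test fails (the device reboots instead)."""


def run_self_tests(answers=KNOWN_ANSWERS) -> dict[str, bool]:
    """Run every KAT; the same routine serves power-up and 'fips self-test'."""
    results = {}
    for name, (compute, expected) in answers.items():
        # constant-time comparison, as a module would use for digests
        results[name] = hmac.compare_digest(compute(), expected)
    return results


def enter_fips_mode(answers=KNOWN_ANSWERS) -> str:
    """Power-up path: refuse to come up if any self-test fails."""
    failed = [name for name, ok in run_self_tests(answers).items() if not ok]
    if failed:
        raise SelfTestFailure(f"self-test failed for {failed}; module enters error state")
    return "FIPS mode is enabled"


if __name__ == "__main__":
    print("Self-tests are running. Please wait...")
    for name, ok in run_self_tests().items():
        print(f"  {name}: {'ok' if ok else 'FAILED'}")
    print(enter_fips_mode())
```

A corrupted code path or a tampered binary shows up as a digest that no longer matches the stored answer, which is why the test covers every algorithm the module offers rather than a single representative one.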
Examples
# Trigger a self-test on the cryptographic algorithms.
<Sysname> system-view
[Sysname] fips self-test
Self-tests are running. Please wait...
Self-tests succeeded.