Contents

Configuring FIPS· 1

Overview·· 1

Configuration restrictions and guidelines· 1

Configuring FIPS mode· 2

Entering FIPS mode· 2

Configuration changes in FIPS mode· 3

Exiting FIPS mode· 4

FIPS self-tests· 4

Power-up self-tests· 5

Conditional self-tests· 5

Triggering self-tests· 6

Displaying and maintaining FIPS· 6

FIPS configuration examples· 6

Entering FIPS mode through automatic reboot 6

Entering FIPS mode through manual reboot 7

Exiting FIPS mode through automatic reboot 9

Exiting FIPS mode through manual reboot 9

 

Configuring FIPS

Overview

Federal Information Processing Standards (FIPS) was developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named Level 1 to Level 4, from low to high. The device supports Level 2.

Unless otherwise noted, in this document the term FIPS refers to FIPS 140-2.

Configuration restrictions and guidelines

When you configure FIPS, follow these restrictions and guidelines:

·          After the fips mode enable command is executed, the system prompts you to choose a reboot method. If you do not make a choice within 30 seconds, the system uses the manual reboot method.

·          Before you reboot the device to enter FIPS mode, the system automatically removes all key pairs configured in non-FIPS mode and all FIPS-incompliant digital certificates. FIPS-incompliant digital certificates are MD5-based certificates with the modulus length of key pairs less than 2048 bits. You cannot log in to the device through SSH after the device enters FIPS mode. To log in to the device in FIPS mode through SSH, first log in to the device through a console port, and then create a key pair for the SSH server.

·          The password for entering the device in FIPS mode must comply with the password control policies, such as password length, complexity, and aging policy. When the aging timer for a password expires, the system prompts you to change the password. If you adjust the system time after the device enters FIPS mode, the login password might expire before the next login, because the original system time is typically much earlier than the actual time.

¡  If you choose the automatic reboot method, set the system time before executing the fips mode enable command.

¡  If you choose the manual reboot method, set the system time before configuring the local username and password.

·          To use the manual reboot method, you must perform the following tasks:

a.    Save the current configuration file.

b.    Specify the current configuration file as the startup configuration file.

c.    Delete the startup configuration file in binary format.

d.    Reboot the device.

Otherwise, the commands that are not supported by FIPS mode, if they are in the configuration file, might be restored.

·          The system enters an intermediate state between when the fips mode enable command is executed and when the system is rebooted. If you choose the manual reboot method, do not execute any commands except for the following commands:

¡  reboot.

¡  save.

¡  Other commands used for configuration preparation to enter FIPS mode.

·          Configuration rollback is supported in FIPS mode and also during a switch between FIPS mode and non-FIPS mode. After a configuration rollback between FIPS mode and non-FIPS mode, perform the following tasks:

a.    Delete the local user and configure a new local user. Local user attributes include password, user role, and service type.

b.    Save the current configuration file.

c.    Specify the current configuration file as the startup configuration file.

d.    Reboot the device. The new configuration takes effect after the reboot. During this process, do not exit the system or perform other operations.

·          If a device enters FIPS or non-FIPS mode through automatic reboot, configuration rollback fails. To support configuration rollback, you must execute the save command after the device enters FIPS or non-FIPS mode.

·          Do not use FIPS and non-FIPS devices to create an IRF fabric.

·          To enable FIPS mode for an IRF fabric, you must reboot the entire IRF fabric.

Configuring FIPS mode

Entering FIPS mode

After you enable FIPS mode and reboot the device, the device operates in FIPS mode. The FIPS device has strict security requirements, and performs self-tests on cryptography modules to verify that they are operating correctly.

A FIPS device meets the requirements defined in Network Device Protection Profile (NDPP) of Common Criteria (CC).

The system provides two methods to enter FIPS mode: automatic reboot and manual reboot.

Automatic reboot

To use automatic reboot to enter FIPS mode:

1.        Enable FIPS mode.

2.        Select the automatic reboot method.

The system automatically performs the following tasks:

a.    Create a default FIPS configuration file named fips-startup.cfg.

b.    Specify the default file as the startup configuration file.

c.    Prompt you to configure the username and password for next login.

You can press Ctrl+C to exit the configuring process. The fips mode enable command will not be executed.

3.        Configure a username and password to log in to the device in FIPS mode.

The password must include at least 15 characters that contain uppercase and lowercase letters, digits, and special characters.

The system automatically uses the startup configuration file to reboot the device and enter FIPS mode. You can only use the configured username and password to log in to the FIPS device. After login, you are assigned the role of security administrator Crypto Officer.

Manual reboot

To use manual reboot to enter FIPS mode:

1.        Enable the password control feature globally.

2.        Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.

3.        Set the minimum length of user passwords to 15 characters.

4.        Add a local user account for device management, including the following items:

¡  A username.

¡  A password that complies with the password control policies as described in step 2 and step 3.

¡  A user role of network-admin.

¡  A service type of terminal.

5.        Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP.

6.        Enable FIPS mode.

7.        Select the manual reboot method.

8.        Save the configuration file and specify it as the startup configuration file.

9.        Delete the startup configuration file in binary format (an .mdb file).

10.     Reboot the device.

The system enters FIPS mode. You can use the configured username and password to log in to the device in FIPS mode.

To enable FIPS mode:

 

Step	Command	Remarks
1.       Enter system view.	system-view	N/A
2.       Enable FIPS mode.	fips mode enable	By default, the FIPS mode is disabled.

 

Configuration changes in FIPS mode

When the system enters FIPS mode, the following system changes occur:

·          The user login authentication mode can only be scheme.

·          The FTP/TFTP server and client are disabled.

·          The Telnet server and client are disabled.

·          The HTTP server is disabled.

·          SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.

·          The SSL server supports TLS1.0, TLS1.1, and TLS1.2.

·          The SSH server does not support SSHv1 clients and DSA key pairs.

·          The generated RSA and DSA key pairs must have a modulus length of 2048 bits.

When the device acts as a server to authenticate a client through the public key, the key pair for the client must also have a modulus length of 2048 bits.

·          The generated ECDSA key pairs must have a modulus length of more than 256 bits.

When the device acts as a server to authenticate a client through the public key, the key pair for the client must also have a modulus length of more than 256 bits.

·          SSH, SNMPv3, IPsec, and SSL do not support DES, 3DES, RC4, or MD5.

·          The password control feature cannot be disabled globally. The undo password-control enable command does not take effect.

·          The keys must contain at least 15 characters and 4 character types of uppercase and lowercase letters, digits, and special characters. This requirement applies to the following passwords:

¡  AAA server's shared key.

¡  IKE pre-shared key.

¡  SNMPv3 authentication key.

The password for a device management local user and password for switching user roles depend on password control policies. By default, the passwords must contain at least 15 characters and 4 character types of uppercase and lowercase letters, digits, and special characters.

Exiting FIPS mode

After you disable FIPS mode and reboot the device, the device operates in non-FIPS mode.

The system provides two methods to exit FIPS mode: automatic reboot and manual reboot.

Automatic reboot

Select the automatic reboot method. The system automatically creates a default non-FIPS configuration file named non-fips-startup.cfg, and specifies the file as the startup configuration file. The system reboots the device by using the default non-FIPS configuration file. After the reboot, you are directly logged in to the device.

Manual reboot

This method requires that you manually complete the configurations for entering non-FIPS mode, and then reboot the device. To log in to the device after the reboot, you must enter user information according to the authentication mode. The following default authentication modes are available for console ports or lines (you can modify the default mode as needed):

·          The default authentication mode is password for VTY lines.

·          The default authentication mode is none for console ports.

After you disable FIPS mode, follow these restrictions and guidelines before you manually reboot the device:

·          If you are logged in to the device through Telnet, perform the following tasks without exiting the current user line:

¡  Set the authentication mode to scheme.

¡  Configure the username and password. (You can also use the current username and password.)

·          If you are logged in to the device through a console port, configure one of the following authentication modes as needed:

¡  Configure the password authentication mode and a password.

¡  Configure the scheme authentication mode and configure a new username and password (you can also use the current username and password).

¡  Configure the none authentication mode.

To disable FIPS mode:

 

Step	Command	Remarks
1.       Enter system view.	system-view	N/A
2.       Disable FIPS mode.	undo fips mode enable	By default, the FIPS mode is disabled.

 

FIPS self-tests

To ensure the correct operation of cryptography modules, FIPS provides self-test mechanisms, including power-up self-test and conditional self-test. You can also trigger a self-test. If the power-up self-test fails, the device reboots. If the conditional self-test fails, the system outputs self-test failure information.

 

	NOTE: If a self-test fails, contact H3C Support.

 

Power-up self-tests

The power-up self-test examines the availability of FIPS-allowed cryptographic algorithms.

The device supports the following types of power-up self-tests:

·          Known-answer test (KAT)

A cryptographic algorithm is run on data for which the correct output is already known. The calculated output is compared with the known answer. If they are not identical, the KAT test fails.

·          Pairwise conditional test (PWCT)

¡  Signature and authentication test—The test is run when a DSA, RSA, or ECDSA asymmetrical key pair is generated. It uses the private key to sign the specific data, and then uses the public key to authenticate the signed data. If the authentication is successful, the test succeeds.

¡  Encryption and decryption test—The test is run when an RSA asymmetrical key pair is generated. It uses the public key to encrypt a plain text string, and then uses the private key to decrypt the encrypted text. If the decryption result is the same as the original plain text string, the test succeeds.

The power-up self-test examines the cryptographic algorithms listed in Table 1.

Table 1 Power-up self-test list

Type	Operations
KAT	Tests the following algorithms: ·         SHA1, SHA224, SHA256, SHA384, and SHA512. ·         HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512. ·         AES. ·         RSA (signature and authentication). ·         ECDH. ·         DRBG. ·         GCM. ·         GMAC.
PWCT	Tests the following algorithms: ·         RSA (signature and authentication). ·         RSA (encryption and decryption). ·         DSA (signature and authentication). ·         ECDSA (signature and authentication).

 

Conditional self-tests

A conditional self-test runs when an asymmetrical cryptographic module or a random number generator module is invoked. Conditional self-tests include the following types:

·          PWCT signature and authentication—This test is run when a DSA or RSA asymmetrical key pair is generated. It uses the private key to sign the specific data, and then uses the public key to authenticate the signed data. If the authentication is successful, the test succeeds.

·          Continuous random number generator test—This test is run when a random number is generated. Each subsequent generation of a random number will be compared with the previously generated number. The test fails if any two compared numbers are the same. This test can also be run when a DSA/RSA asymmetrical key-pair is generated.

Triggering self-tests

To examine whether the cryptography modules operate correctly, you can trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails, the device where the self-test process exists reboots.

To trigger a self-test:

 

Step	Command
1.       Enter system view.	system-view
2.       Trigger a self-test.	fips self-test

 

Displaying and maintaining FIPS

Execute display commands in any view.

 

Task	Command
Display the FIPS mode state.	display fips status

 

FIPS configuration examples

Entering FIPS mode through automatic reboot

Network requirements

Use the automatic reboot method to enter FIPS mode, and use a console port to log in to the device in FIPS mode.

Configuration procedure

# If you want to save the current configuration, execute the save command before you enable FIPS mode.

# Enable FIPS mode and choose the automatic reboot method to enter FIPS mode. Set the username to root and the password to 12345zxcvb!@#$%ZXCVB.

<Sysname> system-view

[Sysname] fips mode enable

FIPS mode change requires a device reboot. Continue? [Y/N]:y

Reboot the device automatically? [Y/N]:y

The system will create a new startup configuration file for FIPS mode. After you set the login username and password for FIPS mode, the device will reboot automatically.

Enter username(1-55 characters):root

Enter password(15-63 characters):

Confirm password:

Waiting for reboot... After reboot, the device will enter FIPS mode.

 

	NOTE: After the system displays the Reboot the device automatically? prompt, do not press Ctrl+C to abort the process. If you press Ctrl+C to abort the process, you must use manual reboot to enter FIPS mode. For more information about manual reboot, see Manual reboot.

 

Verifying the configuration

After the device reboots, enter a username of root and a password of 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode. The new password must be different from the previous password. It must include at least 15 characters, and contain uppercase and lowercase letters, digits, and special characters. For more information about the requirements for the password, see the system output.

Press ENTER to get started.

login: root

Password:

First login or password reset. For security reason, you need to change your password. Please enter your password.

old password:

new password:

confirm:

Updating user information. Please wait ... ...

…

<Sysname> 

# Display the FIPS mode state.

<Sysname> display fips status

FIPS mode is enabled.

# Display the default configuration file.

<Sysname> more fips-startup.cfg

#

 password-control enable

#

local-user root class manage

 service-type terminal

 authorization-attribute user-role network-admin

#

 fips mode enable

#

return

 

<Sysname>

Entering FIPS mode through manual reboot

Network requirements

Use the manual reboot method to enter FIPS mode, and use a console port to log in to the device in FIPS mode.

Configuration procedure

# Enable the password control feature globally.

<Sysname> system-view

[Sysname] password-control enable

# Set the number of character types a password must contain to 4, and set the minimum number of characters for each type to one character.

[Sysname] password-control composition type-number 4 type-length 1

# Set the minimum length of user passwords to 15 characters.

[Sysname] password-control length 15

# Add a local user account for device management, including a username of test, a password of 12345zxcvb!@#$%ZXCVB, a user role of network-admin, and a service type of terminal.

[Sysname] local-user test class manage

[Sysname-luser-manage-test] password simple 12345zxcvb!@#$%ZXCVB

[Sysname-luser-manage-test] authorization-attribute user-role network-admin

[Sysname-luser-manage-test] service-type terminal

[Sysname-luser-manage-test] quit

# Enable FIPS mode, and choose the manual reboot method to enter FIPS mode.

[Sysname] fips mode enable

FIPS mode change requires a device reboot. Continue? [Y/N]:y

Reboot the device automatically? [Y/N]:n

Change the configuration to meet FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter FIPS mode.

# Save the current configuration to the root directory of the storage medium, and specify it as the startup configuration file.

[Sysname] save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.

Slot 1:

Save next configuration file successfully.

[Sysname] quit

# Delete the startup configuration file in binary format.

<Sysname> delete flash:/startup.mdb

Delete flash:/startup.mdb?[Y/N]:y

Deleting file flash:/startup.mdb...Done.

# Reboot the device.

<Sysname> reboot

Verifying the configuration

After the device reboots, enter a username of test and a password of 12345zxcvb!@#$%ZXCVB. The system prompts you to configure a new password. After you configure the new password, the device enters FIPS mode. The new password must be different from the previous password. It must include at least 15 characters, and contain uppercase and lowercase letters, digits, and special characters. For more information about the requirements for the password, see the system output.

Press ENTER to get started.

login: test

Password:

First login or password reset. For security reason, you need to change your pass

word. Please enter your password.

old password:

new password:

confirm:

Updating user information. Please wait ... ...

…

<Sysname>

# Display the FIPS mode state.

<Sysname> display fips status

FIPS mode is enabled.

Exiting FIPS mode through automatic reboot

Network requirements

A user has logged in to the device in FIPS mode through a console port.

Use the automatic reboot method to exit FIPS mode.

Configuration procedure

# Disable FIPS mode.

[Sysname] undo fips mode enable

FIPS mode change requires a device reboot. Continue? [Y/N]:y

The system will create a new startup configuration file for non-FIPS mode and then reboot automatically. Continue? [Y/N]:y

Waiting for reboot... After reboot, the device will enter non-FIPS mode.

Verifying the configuration

After the device reboots, you can enter the system.

<Sysname>

# Display the FIPS mode state.

<Sysname> display fips status

FIPS mode is disabled.

Exiting FIPS mode through manual reboot

Network requirements

A user has logged in to the device in FIPS mode through SSH with a username of test and a password of 12345zxcvb!@#$%ZXCVB.

Use the manual reboot method to exit FIPS mode.

Configuration procedure

# Disable FIPS mode.

[Sysname] undo fips mode enable

FIPS mode change requires a device reboot. Continue? [Y/N]:y

The system will create a new startup configuration file for non-FIPS mode, and then reboot automatically. Continue? [Y/N]:n

Change the configuration to meet non-FIPS mode requirements, save the configuration to the next-startup configuration file, and then reboot to enter non-FIPS mode.

# Set the authentication mode for VTY lines to scheme.

[Sysname] line vty 0 63

[Sysname-line-vty0-63] authentication-mode scheme

# Save the current configuration to the root directory of the storage medium, and specify it as the startup configuration file.

[Sysname] save

The current configuration will be written to the device. Are you sure? [Y/N]:y

Please input the file name(*.cfg)[flash:/startup.cfg]

(To leave the existing filename unchanged, press the enter key):

flash:/startup.cfg exists, overwrite? [Y/N]:y

Validating file. Please wait...

Saved the current configuration to mainboard device successfully.

Slot 1:

Save next configuration file successfully.

[Sysname] quit

# Delete the startup configuration file in binary format.

<Sysname> delete flash:/startup.mdb

Delete flash:/startup.mdb?[Y/N]:y

Deleting file flash:/startup.mdb...Done.

# Reboot the device.

<Sysname> reboot

Verifying the configuration

After the device reboots, enter a username of test and a password of 12345zxcvb!@#$%ZXCVB to enter non-FIPS mode.

Press ENTER to get started.

login: test

Password:

Last successfully login time:…

…

<Sysname>

# Display the FIPS mode state.

<Sysname> display fips status

FIPS mode is disabled.