System Initialization
Basic System Configuration Guide
• Cryptographic module conditional tests are executed when required during normal 
operation of associated when using FIPS-140-2 approved algorithms.
• When configuring user-defined encryption or authentication keys, the CLI prompts 
for the key to be re-entered. If the re-entered key does not match the original, the CLI 
command is canceled. This affects several protocols and applications.
To support FIPS-140-2, an HMAC-SHA-1 integrity check is performed to verify the integrity 
of the software images. The TIMOS-m.n.Yz software bundle includes the following file, which 
contains the HMAC-SHA-1 signature:
• hmac-sha1.txt
During the loading of cpm.tim or both.tim, an HMAC-SHA-1 check is performed to ensure 
that the calculated HMAC-SHA-1 of the loaded image matches the value stored in the 
hmac-sha1.txt file.
The HMAC-SHA-1 check is performed on the data loaded from the .tim file. Note that when 
configuring the primary-image, secondary-image and tertiary-image, the hmac-sha1.txt file 
must exist in the same directory as the .tim files. If the HMAC-SHA-1 integrity check 
verifies the load, the load continues to boot up as normal. If the HMAC-SHA-1 integrity 
check does not verify the load, the image load fails.
After the HMAC-SHA-1 integrity check passes, the node continues its normal bootup 
sequence, including reading the config.cfg file and loading the configuration. The config.cfg 
file used to boot the node in FIPS-140-2 mode must not contain any configuration that is not 
supported in FIPS-140-2 mode. If such configuration is present in the config.cfg file when 
the node boots, the node will load the config.cfg file until the location of the offending 
configuration and then halt the configuration at that point. Upon a failure to load the 
config.cfg file, a failure message is printed on the console.
Enabling FIPS-140-2 restricts the ability to configure and use cryptographic algorithms and 
functions that are not FIPS approved. FIPS-140-2 impacts the ability to configure SSH, 
SNMP and certificates. Please refer to the System Management guide for details of 
FIPS-140-2 related items.
In addition, only the following combinations of signature algorithms are approved for FIPS:
• FIPS-140 Approved - Digital Signature Standard (DSS)
→ DSA
→ RSA
→ ECDSA
• FIPS-140 Approved - Secure Hash Standard (SHS)
→ SHA-1
→ SHA-224