426
If the self-test fails, the device automatically reboots.
Configuration procedure
To configure FIPS, complete the following tasks:
1. Remove the existing key pairs and certificates.
2. Delete the FIPS-incompliant local user service types Telnet, HTTP, and FTP.
3. Enable the FIPS mode.
4. Enable the password control function.
5. Configure local user attributes (including local username, service type, password, and so on) on
the switch.
6. Save the configuration.
After you finish the above configurations, reboot the switch. The switch works in FIPS mode that complies
with the FIPS 140-2 standard after it starts up. For Common Criteria (CC) evaluation in FIPS mode, the
switch also works in a operating mode that complies with the CC standard.
The switch does not support an upgrade from a FIPS-incompatible version to a FIPS-compatible version.
Enabling the FIPS mode
You must reboot the switch after you enable or disable the FIPS mode to make your configuration take
effect. If you change the FIPS mode for an IRF fabric, you must reboot all IRF member devices.
Do not disable the password control function when the switch operates in FIPS mode. Otherwise, users
might be unable to log in.
To enable the FIPS mode:
Ste
Command
Remarks
1. Enter system view. system-view N/A
2. Enable the FIPS mode.
fips mode enable Disabled by default.
After you enable the FIPS mode and reboot the switch, the switch works in FIPS mode after it starts up and
the following changes occur.
• FTP/TFTP is disabled.
• Telnet is disabled.
• The HTTP server is disabled.
• Cluster management is disabled.
• SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
• The SSL server only supports TLS1.0.
• The SSH server does not support SSHv1 clients.
• SSH only supports RSA.
• The generated RSA key pairs must have a modulus length of 2048 bits. The generated DSA key pair
must have a modulus of at least 1024 bits.
• SSH, SNMPv3, IPsec, and SSL do not support DES, 3DES, RC4, or MD5.
To Next Page
Loading...
Need help?
General