• RSA key pairs must have a modulus length of 2048 bits, and DSA key pairs must have a
modulus length from 1024 to 2048 bits.
• SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5.
Displaying and maintaining FIPS
Task                          Command                Remarks
Display the FIPS mode state.  display fips status    Available in any view.
FIPS configuration example
Network requirements
As shown in Figure 156, the host connects to the router through a console port.
Configure the router to operate in FIPS mode, and create a local user for the host so that the host
can log in to the router.
Figure 156 Network diagram
Configuration procedure
CAUTION:
• After you enable FIPS mode, create a local user and set its password before you reboot the
device. Otherwise, you cannot log in to the device after the reboot. To recover, reboot the device
without the configuration file (by ignoring or removing the configuration file) so that it starts in
non-FIPS mode, and then complete the configuration correctly.
• Set the system time correctly before switching modes. Otherwise, the password expires. Before
you disable FIPS mode, disable the password control function, save the configuration, and then
reboot the device. For more information about password control, see "Configuring password
control."
# Enable FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable
# Enable the password control function.
[Sysname] password-control enable
# Create a local user named test, set its service type to terminal and its privilege level to 3, and
set its password to AAbbcc1234%. By default, the password must be at least 10 characters long and
must contain uppercase letters, lowercase letters, digits, and special characters. (Configure the
password interactively: enter password in local user view, and then enter the password at the
prompts.)
[Sysname] local-user test
[Sysname-luser-test] service-type terminal
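Because a local user whose password does not meet the FIPS password rules locks you out of the device after the reboot, it is worth checking candidate passwords and key sizes against the rules stated above before typing them in. The following script is an added example and not part of the configuration guide; it encodes the rules as this section states them (password of at least 10 characters with uppercase letters, lowercase letters, digits and special characters; RSA modulus of exactly 2048 bits; DSA modulus from 1024 to 2048 bits). The assumption that any non-alphanumeric character counts as a "special character" is the author's, since the guide does not list the accepted set.

```python
import re

# Default minimum password length stated in the FIPS configuration example.
MIN_PASSWORD_LENGTH = 10

# Modulus-length rules for key pairs in FIPS mode, as stated in the guide.
KEY_RULES = {
    "rsa": (2048, 2048),   # RSA: exactly 2048 bits
    "dsa": (1024, 2048),   # DSA: 1024 to 2048 bits inclusive
}


def check_fips_password(password: str, min_length: int = MIN_PASSWORD_LENGTH) -> list:
    """Return the list of unmet password requirements (empty list means the password qualifies)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    # Assumption: any character outside A-Z, a-z, 0-9 counts as a special character.
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def is_fips_password(password: str) -> bool:
    """True when the password satisfies every rule in check_fips_password()."""
    return not check_fips_password(password)


def key_modulus_allowed(algorithm: str, bits: int) -> bool:
    """True when a key pair of the given algorithm and modulus length is permitted in FIPS mode."""
    rule = KEY_RULES.get(algorithm.lower())
    if rule is None:
        return False
    low, high = rule
    return low <= bits <= high


if __name__ == "__main__":
    # Constructed sample candidates; the first is the password used in the guide's example.
    for candidate in ["AAbbcc1234%", "aabbcc1234%", "Aa1%", "AAbbccddee%"]:
        problems = check_fips_password(candidate)
        verdict = "OK" if not problems else "REJECTED: " + ", ".join(problems)
        print(f"{candidate!r}: {verdict}")
    for algorithm, bits in [("rsa", 2048), ("rsa", 1024), ("dsa", 1024), ("dsa", 3072)]:
        print(f"{algorithm} {bits}-bit: {'allowed' if key_modulus_allowed(algorithm, bits) else 'not allowed'}")
```

Run the checks before `fips mode enable` and the reboot; a password that passes here matches the rules the guide states, although the device's own password control settings (for example a changed minimum length) remain authoritative.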